My issue was that I had misunderstood what access keys I was supposed to use. Initially, I thought that I had to use the access keys from the AWS Access Portal (see screenshot in EDIT1), but those keys are temporary and are supposed to be used for logging in to AWS from the terminal.
Instead, I am supposed to create an IAM user within my own account using the IAM dashboard (not the IAM Identity Center), and grant it the relevant permissions for pushing to the ECR and creating and deploying task definitions. In case this helps anyone, here are the permission policies I created:
// AllowPushToAllRepo
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:CompleteLayerUpload",
"ecr:GetAuthorizationToken",
"ecr:UploadLayerPart",
"ecr:InitiateLayerUpload",
"ecr:BatchCheckLayerAvailability",
"ecr:PutImage"
],
"Resource": "*"
}
]
}
// CreateTaskDefinition
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:PassRole",
"ecs:RegisterTaskDefinition",
"ecs:DescribeServices",
"ecs:DescribeTaskDefinition",
"ecs:UpdateService"
],
"Resource": "*"
}
]
}
(I am aware that setting the resource to "*" is a bad practice. I will change this once I figure out how to correctly set the ARN so that it points to the multiple different resources I want.)
This IAM user will be able to see the resources created by me in my account. I used this user's access keys to authorize the workflow.
As pointed out to me in another answer by Arnold Daniels, Amazon does not recommend this practice. Instead, I should be using the OIDC method. From what I understand, the OIDC method only allows a certain GitHub repository to perform actions on AWS, and this is why it is more safe. I will be looking into switching to that method in the future.