'BatchGetImage permission' error when deploying SageMaker endpoint by using Tensorflow base image

[lu-liu-rft]

I have a pre-trained Tensorflow model, I'm trying to using SagaMaker client.create_endpoint() to create an endpoint so that I can call the API to get predictions, the doc is here

After creating the model by using client.create_model() I have a model stored on SageMaker, and the base image I'm using is xxxxx.dkr.ecr.us-east-1.amazonaws.com/tensorflow-inference:1.15.2-gpu

After running this, I'm able to create the endpoint configuration, but it failed to create the endpoint, reason:

Failure reason
The role 'arn:aws:iam::xxxxxxxx:role/test-role' does not have BatchGetImage permission for the image: 'xxxx.dkr.ecr.us-east-1.amazonaws.com/tensorflow-inference:1.15.2-gpu'.

In the policy of this role, I have:

{
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "ecr:BatchGetImage"
            ],
            "Resource": [
                "arn:aws:ecr:us-east-1:xxxx:repository/*sagemaker*"
            ]
        },

        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "ecr:BatchDeleteImage",
                "ecr:UploadLayerPart",
                "ecr:DeleteRepository",
                "ecr:PutImage",
                "ecr:SetRepositoryPolicy",
                "ecr:BatchGetImage",
                "ecr:CompleteLayerUpload",
                "ecr:DeleteRepositoryPolicy",
                "ecr:InitiateLayerUpload"
            ],
            "Resource": [
                "arn:aws:ecr:*:*:repository/*sagemaker*"
 ]
        }
....

Am I missing anything in the policy?There's no related docs to explain how to setup the role and policies. Might someone be able to help please? Many thanks.