Unable to access ECR repository from separate account via `docker pull`
I figured it out -- the IAM user in the "second" account had a policy attached that limited its ECR access. The policy was:
```json
{
  "Sid": "ECRAccess",
  "Effect": "Allow",
  "Action": "ecr:*",
  "Resource": "arn:aws:ecr:us-east-1:<second>:repository/<unrelated-repo>"
}
```
So even though the ECR repository in the "first" account had permissions allowing the user access, the user's own account restricted its access to a single unrelated repository.
When I added another section with the first account's repository ARN:
```json
{
  "Sid": "FirstAccountECRAccess",
  "Effect": "Allow",
  "Action": "ecr:*",
  "Resource": "arn:aws:ecr:us-east-1:<first>:repository/<repo>"
}
```
Then `docker pull` worked!
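The behaviour described in this answer, as an added example that is not part of the original post: a simplified model of cross-account evaluation in which a pull succeeds only when the caller's identity policy and the repository policy both allow it. The account IDs, repository names, user ARN, and repository policy are constructed, and the model ignores conditions, SCPs, and permission boundaries.

```python
from fnmatch import fnmatchcase

FIRST, SECOND = "111111111111", "222222222222"               # constructed account IDs
REPO_ARN = f"arn:aws:ecr:us-east-1:{FIRST}:repository/app"   # constructed repository
USER_ARN = f"arn:aws:iam::{SECOND}:user/puller"              # constructed IAM user

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(stmt, action):
    # IAM action names are case-insensitive and may contain wildcards.
    return any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))

def identity_allows(statements, action, resource):
    """Identity-based policy: an explicit Deny wins, otherwise an Allow is required."""
    hits = [s for s in statements
            if _action_matches(s, action)
            and any(fnmatchcase(resource, r) for r in _as_list(s["Resource"]))]
    if any(s["Effect"] == "Deny" for s in hits):
        return False
    return any(s["Effect"] == "Allow" for s in hits)

def repo_policy_allows(statements, principal, action):
    """ECR repository policy: statements name a principal and have no Resource."""
    return any(s["Effect"] == "Allow"
               and principal in _as_list(s["Principal"]["AWS"])
               and _action_matches(s, action)
               for s in statements)

def cross_account_allowed(identity, repo_policy, principal, action, resource):
    # Across accounts, both sides must allow; neither side alone is sufficient.
    return (identity_allows(identity, action, resource)
            and repo_policy_allows(repo_policy, principal, action))

# The restrictive policy from the answer, scoped to an unrelated repo in the second account.
ORIGINAL = [{"Sid": "ECRAccess", "Effect": "Allow", "Action": "ecr:*",
             "Resource": f"arn:aws:ecr:us-east-1:{SECOND}:repository/unrelated"}]
# The same policy with the added statement for the first account's repository.
FIXED = ORIGINAL + [{"Sid": "FirstAccountECRAccess", "Effect": "Allow",
                     "Action": "ecr:*", "Resource": REPO_ARN}]
# Constructed repository policy in the first account granting pull to the user.
REPO_POLICY = [{"Sid": "AllowPull", "Effect": "Allow", "Principal": {"AWS": USER_ARN},
                "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer",
                           "ecr:BatchCheckLayerAvailability"]}]

if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL), ("fixed", FIXED)):
        ok = cross_account_allowed(policy, REPO_POLICY, USER_ARN, "ecr:BatchGetImage", REPO_ARN)
        print(f"{name}: pull allowed = {ok}")
```

For pulls alone, the added identity statement can list only `ecr:BatchGetImage`, `ecr:GetDownloadUrlForLayer`, and `ecr:BatchCheckLayerAvailability` instead of `ecr:*`. `ecr:GetAuthorizationToken` is granted separately with `"Resource": "*"` because it does not support resource-level scoping.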