Receiving consistent AccessDenied errors


I am trying to use SageMaker Notebook Instances, but consistently receive AccessDenied errors for commands that my IAM role should have access to (and for commands that worked the last time I tried several weeks ago). For example:

aws s3 ls results in An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied despite my role having the AmazonS3FullAccess policy attached.

Also aws ecr describe-repositories --repository-names "sagemaker-decision-trees" results in An error occurred (AccessDeniedException) when calling the DescribeRepositories operation: User: arn:aws:sts::XXXXXXXXXX:assumed-role/AmazonSageMaker-ExecutionRole-20201123T151452/SageMaker is not authorized to perform: ecr:DescribeRepositories on resource: arn:aws:ecr:us-east-2:XXXXXXXXXX:repository/sagemaker-decision-trees with an explicit deny despite my role having the AmazonEC2ContainerRegistryFullAccess policy attached.

One thing that seems new is that "SageMaker" is appended to my user ARN. I can't remember seeing errors with this appended before.

Note: I've replicated these errors with several combinations of configurations:

  • a new IAM role (which I created in the SageMaker console to have AmazonSageMakerFullAccess to any S3 bucket)
  • fresh notebook instance
  • with (and without) a VPC

Also, these commands all work when run outside of a notebook instance (i.e. when run locally from my laptop).

I'm guessing there's some problem with my account setup, but not sure what to try next.
Thanks.

Edited by: DJAIndeed on Nov 24, 2020 8:35 AM

asked 3 years ago, 418 views
2 Answers

I am sorry to hear that you are not able to access the required services from SageMaker.
You can run the command below to check the execution role that is being used and then verify that the required permissions are present.

import sagemaker

# ARN of the IAM role the notebook instance is running as
print(sagemaker.get_execution_role())

Other useful links -
https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-roles.html
https://aws.amazon.com/premiumsupport/knowledge-center/s3-troubleshoot-403/

Edited by: amitsur on Dec 22, 2020 2:41 PM

amitsur
answered 3 years ago
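
An added example, not part of the original question or answer: it splits the error text quoted in the question into principal, action, resource and denial type, shows that the trailing "SageMaker" is the role session name of an assumed-role ARN, and compares the role name with the ARN that `sagemaker.get_execution_role()` returns. The function names and the sample IAM role ARN (including its `service-role/` path) are assumptions made for the illustration.

```python
import re

# Error texts quoted in the question (account id masked as on the page).
ECR_ERROR = ("An error occurred (AccessDeniedException) when calling the DescribeRepositories "
             "operation: User: arn:aws:sts::XXXXXXXXXX:assumed-role/"
             "AmazonSageMaker-ExecutionRole-20201123T151452/SageMaker is not authorized to "
             "perform: ecr:DescribeRepositories on resource: arn:aws:ecr:us-east-2:XXXXXXXXXX:"
             "repository/sagemaker-decision-trees with an explicit deny")
S3_ERROR = ("An error occurred (AccessDenied) when calling the ListBuckets operation: "
            "Access Denied")

DETAIL = re.compile(r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+)"
                    r"(?: on resource: (?P<resource>\S+))?(?P<tail>.*)$")
# STS session ARN layout: ...:assumed-role/<role-name>/<role-session-name>
ASSUMED = re.compile(r"^arn:[^:]+:sts::[^:]*:assumed-role/(?P<role>[^/]+)/(?P<session>.+)$")

def parse_access_denied(message):
    """Split an AccessDenied message into the fields needed for triage."""
    m = DETAIL.search(message)
    if not m:
        # The bare S3 "Access Denied" carries no principal or action detail.
        return {"detailed": False}
    out = {"detailed": True, "principal": m["principal"], "action": m["action"],
           "resource": m["resource"],
           # Only label the denial when the message states it.
           "denial": "explicit" if "explicit deny" in m["tail"] else "unspecified"}
    a = ASSUMED.match(m["principal"])
    if a:
        out["role_name"], out["session_name"] = a["role"], a["session"]
    return out

def same_role(execution_role_arn, parsed):
    """True if the IAM role ARN names the role seen in the error message.

    The session ARN omits the IAM path, so only the final segment is compared.
    """
    return execution_role_arn.rsplit("/", 1)[-1] == parsed.get("role_name")

if __name__ == "__main__":
    info = parse_access_denied(ECR_ERROR)
    print(info)
    # Constructed sample of what sagemaker.get_execution_role() could return.
    sample = "arn:aws:iam::XXXXXXXXXX:role/service-role/AmazonSageMaker-ExecutionRole-20201123T151452"
    print("role matches:", same_role(sample, info))
    print(parse_access_denied(S3_ERROR))
```

An "explicit deny" result means a Deny statement in some applicable policy matched the request, and an attached Allow policy such as AmazonEC2ContainerRegistryFullAccess does not override it.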

Thanks, @amitsur. We had confirmed that the SageMaker Notebook Instance was using the desired execution role and that that role had the required permissions. The issue appears to have resolved itself though, since we're no longer receiving these errors. So it must have been a configuration elsewhere? We appreciate the help anyway.

answered 3 years ago
