diff --git a/.projenrc.ts b/.projenrc.ts
index 6f66953..a81c136 100644
--- a/.projenrc.ts
+++ b/.projenrc.ts
@@ -172,6 +172,7 @@ const cliInteg = configureProject(
       '@aws-sdk/client-codeartifact@^3',
       '@aws-sdk/client-cloudformation@^3',
       '@aws-sdk/client-ecr@^3',
+      '@aws-sdk/client-ecr-public@^3',
       '@aws-sdk/client-ecs@^3',
       '@aws-sdk/client-iam@^3',
       '@aws-sdk/client-lambda@^3',
diff --git a/packages/@aws-cdk-testing/cli-integ/.projen/deps.json b/packages/@aws-cdk-testing/cli-integ/.projen/deps.json
index 8fe605a..a057086 100644
--- a/packages/@aws-cdk-testing/cli-integ/.projen/deps.json
+++ b/packages/@aws-cdk-testing/cli-integ/.projen/deps.json
@@ -119,6 +119,11 @@
       "version": "^3",
       "type": "runtime"
     },
+    {
+      "name": "@aws-sdk/client-ecr-public",
+      "version": "^3",
+      "type": "runtime"
+    },
     {
       "name": "@aws-sdk/client-ecr",
       "version": "^3",
diff --git a/packages/@aws-cdk-testing/cli-integ/lib/aws.ts b/packages/@aws-cdk-testing/cli-integ/lib/aws.ts
index 79b23e6..788e675 100644
--- a/packages/@aws-cdk-testing/cli-integ/lib/aws.ts
+++ b/packages/@aws-cdk-testing/cli-integ/lib/aws.ts
@@ -6,6 +6,7 @@ import {
   type Stack,
 } from '@aws-sdk/client-cloudformation';
 import { DeleteRepositoryCommand, ECRClient } from '@aws-sdk/client-ecr';
+import { ECRPUBLICClient } from '@aws-sdk/client-ecr-public';
 import { ECSClient } from '@aws-sdk/client-ecs';
 import { IAMClient } from '@aws-sdk/client-iam';
 import { LambdaClient } from '@aws-sdk/client-lambda';
@@ -42,6 +43,7 @@ export class AwsClients {
   public readonly cloudFormation: CloudFormationClient;
   public readonly s3: S3Client;
   public readonly ecr: ECRClient;
+  public readonly ecrPublic: ECRPUBLICClient;
   public readonly ecs: ECSClient;
   public readonly sso: SSOClient;
   public readonly sns: SNSClient;
@@ -61,6 +63,7 @@ export class AwsClients {
     this.cloudFormation = new CloudFormationClient(this.config);
     this.s3 = new S3Client(this.config);
     this.ecr = new ECRClient(this.config);
+    this.ecrPublic = new ECRPUBLICClient({ ...this.config, region: 'us-east-1' /* public gallery is only available in us-east-1 */ });
     this.ecs = new ECSClient(this.config);
     this.sso = new SSOClient(this.config);
     this.sns = new SNSClient(this.config);
diff --git a/packages/@aws-cdk-testing/cli-integ/lib/with-cdk-app.ts b/packages/@aws-cdk-testing/cli-integ/lib/with-cdk-app.ts
index 3b873e0..d71ff2c 100644
--- a/packages/@aws-cdk-testing/cli-integ/lib/with-cdk-app.ts
+++ b/packages/@aws-cdk-testing/cli-integ/lib/with-cdk-app.ts
@@ -4,6 +4,7 @@ import * as fs from 'fs';
 import * as os from 'os';
 import * as path from 'path';
 import { DescribeStacksCommand, Stack } from '@aws-sdk/client-cloudformation';
+import { GetAuthorizationTokenCommand } from '@aws-sdk/client-ecr-public';
 import { outputFromStack, AwsClients, sleep } from './aws';
 import { TestContext } from './integ-test';
 import { findYarnPackages } from './package-sources/repo-source';
@@ -345,6 +346,36 @@ export class TestFixture extends ShellHelper {
     this.output.write(`${s}\n`);
   }
 
+  /**
+   * Login to the public ECR gallery using the current AWS credentials.
+   * Use this if your test needs to directly pull images outside of a `cdk` or `cdk-assets` command.
+   */
+  public async ecrPublicLogin() {
+
+    const tokenResponse = await this.aws.ecrPublic.send(new GetAuthorizationTokenCommand({}));
+    const authData = tokenResponse.authorizationData?.authorizationToken;
+
+    const docker = process.env.CDK_DOCKER ?? 'docker';
+
+    if (!authData) {
+      throw new Error("Could not retrieve ECR public auth token.");
+    }
+
+    const decoded = Buffer.from(authData, "base64").toString("utf-8");
+    const [username, password] = decoded.split(":");
+
+    await this.shell([docker, 'login',
+      '--username', username,
+      '--password', "${ECR_PASSWORD}",
+      'public.ecr.aws'], {
+      shell: true,
+      modEnv: {
+        ECR_PASSWORD: password,
+      },
+    });
+
+  }
+
   public async cdkDeploy(stackNames: string | string[], options: CdkCliOptions = {}, skipStackRename?: boolean) {
     return this.cdk(this.cdkDeployCommandLine(stackNames, options, skipStackRename), options);
   }
diff --git a/packages/@aws-cdk-testing/cli-integ/package.json b/packages/@aws-cdk-testing/cli-integ/package.json
index 9b3dea6..d7a9572 100644
--- a/packages/@aws-cdk-testing/cli-integ/package.json
+++ b/packages/@aws-cdk-testing/cli-integ/package.json
@@ -66,6 +66,7 @@
     "@aws-sdk/client-cloudformation": "^3",
     "@aws-sdk/client-codeartifact": "^3",
     "@aws-sdk/client-ecr": "^3",
+    "@aws-sdk/client-ecr-public": "^3",
     "@aws-sdk/client-ecs": "^3",
     "@aws-sdk/client-iam": "^3",
     "@aws-sdk/client-lambda": "^3",
diff --git a/packages/@aws-cdk-testing/cli-integ/tests/cli-integ-tests/proxy.integtest.ts b/packages/@aws-cdk-testing/cli-integ/tests/cli-integ-tests/proxy.integtest.ts
index e574492..f2a88c6 100644
--- a/packages/@aws-cdk-testing/cli-integ/tests/cli-integ-tests/proxy.integtest.ts
+++ b/packages/@aws-cdk-testing/cli-integ/tests/cli-integ-tests/proxy.integtest.ts
@@ -55,6 +55,8 @@ async function runInIsolatedContainer(fixture: TestFixture, pathsToMount: string
 
     await fs.chmod(scriptName, 0o755);
 
+    await fixture.ecrPublicLogin();
+
     // Run commands in a Docker shell
     await fixture.shell([
       docker, 'run', '--net=bridge', '--rm',
diff --git a/yarn.lock b/yarn.lock
index 65fb242..128f7d6 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -228,6 +228,51 @@
     "@smithy/util-utf8" "^4.0.0"
     tslib "^2.6.2"
 
+"@aws-sdk/client-ecr-public@^3":
+  version "3.782.0"
+  resolved "https://registry.yarnpkg.com/@aws-sdk/client-ecr-public/-/client-ecr-public-3.782.0.tgz#144bfec4835b3c0946eb54aaf1c8bfa8d7006878"
+  integrity sha512-sTQlY9cekIL7KCzjoKgQpJLzZ0o44XNeOaMG2M3y+PPm7GTnXIpXlrRsXQ8rFqasYEVhLlY5a5vdZNo73HH4Vg==
+  dependencies:
+    "@aws-crypto/sha256-browser" "5.2.0"
+    "@aws-crypto/sha256-js" "5.2.0"
+    "@aws-sdk/core" "3.775.0"
+    "@aws-sdk/credential-provider-node" "3.782.0"
+    "@aws-sdk/middleware-host-header" "3.775.0"
+    "@aws-sdk/middleware-logger" "3.775.0"
+    "@aws-sdk/middleware-recursion-detection" "3.775.0"
+    "@aws-sdk/middleware-user-agent" "3.782.0"
+    "@aws-sdk/region-config-resolver" "3.775.0"
+    "@aws-sdk/types" "3.775.0"
+    "@aws-sdk/util-endpoints" "3.782.0"
+    "@aws-sdk/util-user-agent-browser" "3.775.0"
+    "@aws-sdk/util-user-agent-node" "3.782.0"
+    "@smithy/config-resolver" "^4.1.0"
+    "@smithy/core" "^3.2.0"
+    "@smithy/fetch-http-handler" "^5.0.2"
+    "@smithy/hash-node" "^4.0.2"
+    "@smithy/invalid-dependency" "^4.0.2"
+    "@smithy/middleware-content-length" "^4.0.2"
+    "@smithy/middleware-endpoint" "^4.1.0"
+    "@smithy/middleware-retry" "^4.1.0"
+    "@smithy/middleware-serde" "^4.0.3"
+    "@smithy/middleware-stack" "^4.0.2"
+    "@smithy/node-config-provider" "^4.0.2"
+    "@smithy/node-http-handler" "^4.0.4"
+    "@smithy/protocol-http" "^5.1.0"
+    "@smithy/smithy-client" "^4.2.0"
+    "@smithy/types" "^4.2.0"
+    "@smithy/url-parser" "^4.0.2"
+    "@smithy/util-base64" "^4.0.0"
+    "@smithy/util-body-length-browser" "^4.0.0"
+    "@smithy/util-body-length-node" "^4.0.0"
+    "@smithy/util-defaults-mode-browser" "^4.0.8"
+    "@smithy/util-defaults-mode-node" "^4.0.8"
+    "@smithy/util-endpoints" "^3.0.2"
+    "@smithy/util-middleware" "^4.0.2"
+    "@smithy/util-retry" "^4.0.2"
+    "@smithy/util-utf8" "^4.0.0"
+    tslib "^2.6.2"
+
 "@aws-sdk/client-ecr@^3":
   version "3.782.0"
   resolved "https://registry.yarnpkg.com/@aws-sdk/client-ecr/-/client-ecr-3.782.0.tgz#65ed9cac32798805a48ac7c124f0ea0223382053"