Forbidden! ECR Serverless Script

I am able to create an ECR Repository using the CLI.

However this serverless script fails

# ecr/serverless.yml
service: service-ecr

useDotenv: true

  name: aws
  region: ${env:REGION}

      Type: AWS::ECR::Repository
        RepositoryName: ${env:REPOSITORY_NAME}

I get this in the log

ecr-service › Credentials: Local, "default" profile
ecr-service › Docs:
ecr-service › Support:
ecr-service › Bugs:
ecr-service › Error:
ecr-service › Forbidden
ecr-service › error
ecr-service › Error:
ecr-service › Forbidden
ecr-service › 

Any ideas?
How can I get better error messages?

Now getting “Access Denied”.

Still no useful error output. Nothing in Cloudwatch.

Seems like a pretty basic problem for there to be no answers for.
What is the minimum list of permissions for a basic serverless stack (say to create just an S3 bucket)?
How do you get better error messages so you can troubleshoot?