diff --git a/Makefile b/Makefile
index 1dcf062a..7b8c1fd6 100644
--- a/Makefile
+++ b/Makefile
@@ -48,6 +48,7 @@ TARGETS = \
 		chelsio-drivers \
 		chelsio-firmware \
 		drbd \
+		ecr-credential-provider \
 		fuse3 \
 		gasket-driver \
 		gvisor \
diff --git a/container-runtime/ecr-credential-provider/README.md b/container-runtime/ecr-credential-provider/README.md
new file mode 100644
index 00000000..31791341
--- /dev/null
+++ b/container-runtime/ecr-credential-provider/README.md
@@ -0,0 +1,61 @@
+# Kubelet ECR Credential Provider extension
+
+This extension provides the [ecr-credential-provider](https://github.com/kubernetes/cloud-provider-aws/tree/master/cmd/ecr-credential-provider) binary,
+which can be executed by Kubelet to provide a short-lived token for pulling container images
+from Amazon Web Services' Elastic Container Registry (ECR).
+
+## Installation
+
+See [Installing Extensions](https://github.com/siderolabs/extensions#installing-extensions).
+
+You also need to configure `ecr-credential-provider` as a Kubelet image
+credential provider. For this you'll need to add two Kubelet arguments:
+
+```yaml
+- op: add
+  path: /machine/kubelet/extraArgs
+  value:
+    image-credential-provider-bin-dir: "/usr/local/lib/kubelet/credentialproviders"
+    image-credential-provider-config: "/var/lib/kubelet/credentialproviderconfig.yaml"
+```
+
+You'll also need to mount the binary to the kubelet container:
+
+```yaml
+- op: add
+  path: /machine/kubelet/extraMounts
+  value:
+    - destination: /usr/local/lib/kubelet
+      type: bind
+      source: /usr/local/lib/kubelet
+      options: [bind, ro]
+```
+
+and then create the `CredentialProviderConfig`:
+
+```yaml
+- op: add
+  path: /machine/files
+  value:
+    - op: create
+      path: /var/lib/kubelet/credentialproviderconfig.yaml
+      content: |
+        apiVersion: kubelet.config.k8s.io/v1
+        kind: CredentialProviderConfig
+        providers:
+          - name: ecr-credential-provider
+            matchImages:
+              - "*.dkr.ecr.*.amazonaws.com"
+              - "*.dkr.ecr.*.amazonaws.com.cn"
+              - "*.dkr.ecr-fips.*.amazonaws.com"
+              - "*.dkr.ecr.us-iso-east-1.c2s.ic.gov"
+              - "*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov"
+            defaultCacheDuration: "12h"
+            apiVersion: credentialprovider.kubelet.k8s.io/v1
+```
+
+## More Information
+
+- <https://cloud-provider-aws.sigs.k8s.io/credential_provider/>
+- <https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/>
+- <https://kubernetes.io/docs/reference/config-api/kubelet-credentialprovider.v1/>
diff --git a/container-runtime/ecr-credential-provider/manifest.yaml b/container-runtime/ecr-credential-provider/manifest.yaml
new file mode 100644
index 00000000..421feb51
--- /dev/null
+++ b/container-runtime/ecr-credential-provider/manifest.yaml
@@ -0,0 +1,11 @@
+version: v1alpha1
+metadata:
+  name: ecr-credential-provider
+  version: "$VERSION"
+  author: Florian Ströger
+  description: |
+    This system extension provides a binary which implements Kubelet's CredentialProvider API
+    to authenticate against AWS' Elastic Container Registry and pull images.
+  compatibility:
+    talos:
+      version: ">= v1.0.0"
diff --git a/container-runtime/ecr-credential-provider/pkg.yaml b/container-runtime/ecr-credential-provider/pkg.yaml
new file mode 100644
index 00000000..a362394b
--- /dev/null
+++ b/container-runtime/ecr-credential-provider/pkg.yaml
@@ -0,0 +1,40 @@
+name: ecr-credential-provider
+variant: scratch
+shell: /toolchain/bin/bash
+dependencies:
+  - stage: base
+steps:
+  - sources:
+      - url: https://github.com/kubernetes/cloud-provider-aws/archive/refs/tags/{{ .VERSION }}.tar.gz
+        destination: cloud-provider-aws.tar.gz
+        sha256: 9d3e20d79facf336a466a1647dff8033007385fb628005c8bf84eb67330ba004
+        sha512: b9adc389be9301dc4be36c6bf546f354b9f2895cbad13d28d074dbab77f9aecec8d5fd02590d21c2a4acc91b559371adfe9702898c7880d92aea6657b315a539
+    env:
+      GOPATH: /go
+    prepare:
+      - |
+        sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml
+      - |
+        mkdir -p ${GOPATH}/src/k8s.io/cloud-provider-aws
+
+        tar -xzf cloud-provider-aws.tar.gz --strip-components=1 -C ${GOPATH}/src/k8s.io/cloud-provider-aws
+    build:
+      - |
+        export PATH=${PATH}:${TOOLCHAIN}/go/bin
+
+        go build \
+          -C ${GOPATH}/src/k8s.io/cloud-provider-aws \
+          -o ./dist/ecr-credential-provider \
+          -ldflags "-s -w \
+                   -X k8s.io/component-base/version.gitVersion={{ .VERSION }} \
+                   -X main.gitVersion={{ .VERSION }}" \
+          ./cmd/ecr-credential-provider
+    install:
+      - install -D -m 0755
+        ${GOPATH}/src/k8s.io/cloud-provider-aws/dist/ecr-credential-provider
+        /rootfs/usr/local/lib/kubelet/credentialproviders/ecr-credential-provider
+finalize:
+  - from: /rootfs
+    to: /rootfs
+  - from: /pkg/manifest.yaml
+    to: /
diff --git a/container-runtime/ecr-credential-provider/vars.yaml b/container-runtime/ecr-credential-provider/vars.yaml
new file mode 100644
index 00000000..d99b1fce
--- /dev/null
+++ b/container-runtime/ecr-credential-provider/vars.yaml
@@ -0,0 +1 @@
+VERSION: "{{ .CLOUD_PROVIDER_AWS_VERSION }}"
diff --git a/container-runtime/vars.yaml b/container-runtime/vars.yaml
index 0e90ef78..238a45f1 100644
--- a/container-runtime/vars.yaml
+++ b/container-runtime/vars.yaml
@@ -2,3 +2,5 @@
 GVISOR_VERSION: 20231214.0
 # renovate: datasource=github-releases  depName=containerd/stargz-snapshotter
 STARGZ_SNAPSHOTTER_VERSION: v0.14.3
+# renovate: datasource=github-releases depName=kubernetes/cloud-provider-aws
+CLOUD_PROVIDER_AWS_VERSION: v1.28.1