I have an image on Amazon's Elastic Container Registry (ECR) that I want to deploy as a Docker service in my Docker single-node swarm. Currently the service is running an older version of the image's latest tag, but I've since uploaded a newer version of the latest tag to ECR.
Running docker service update --force my_service on my swarm node, which uses image XXXXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/my_service:latest, results in:
image XXXXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/my_service:latest could not be accessed on a registry to record its digest. Each node will access XXXXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/my_service:latest independently, possibly leading to different nodes running different versions of the image.
This appears to prevent the node from pulling a new copy of the latest tag from the registry, and the service from properly updating.
I'm properly logged in with docker login to ECR, and running docker pull XXXXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/my_service:latest works fine (and returns a digest).
Why is docker service update unable to read the digest from the ECR registry despite the image being available?
I had the same problem, but I solved it by using --with-registry-auth.
After you have logged in with docker login, can you confirm the same update command with --with-registry-auth?
https://github.com/moby/moby/issues/34153#issuecomment-316047924
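The login-then-update sequence from the answer, as an added example that is not part of the original posts: it refreshes the ECR login, runs the update with --with-registry-auth, and then checks that the service spec now stores an @sha256 digest, which is what the warning in the question says could not be recorded. It assumes an AWS CLI that provides `aws ecr get-login-password`; the helper function names are hypothetical, and the account ID stays the question's placeholder.

```shell
#!/bin/sh
# Added example: update a swarm service from ECR and verify digest pinning.
# Usage (arguments as in the question):
#   ./update.sh my_service XXXXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/my_service:latest

# Registry host is everything before the first "/" of the image reference.
registry_host() {
    printf '%s\n' "${1%%/*}"
}

# ECR hosts look like <account>.dkr.ecr.<region>.amazonaws.com; field 4 is the region.
ecr_region() {
    registry_host "$1" | cut -d. -f4
}

# True when the reference ends in a resolved content digest (@sha256:<64 hex chars>).
is_digest_pinned() {
    printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

update_service() {
    service=$1
    image=$2
    host=$(registry_host "$image")
    # ECR login tokens expire, so log in again right before the update.
    aws ecr get-login-password --region "$(ecr_region "$image")" |
        docker login --username AWS --password-stdin "$host" || return 1
    # --with-registry-auth sends registry authentication details to the swarm agents.
    docker service update --with-registry-auth --image "$image" "$service" || return 1
    # When the registry lookup succeeded, the stored reference carries the digest.
    pinned=$(docker service inspect \
        --format '{{.Spec.TaskTemplate.ContainerSpec.Image}}' "$service") || return 1
    if is_digest_pinned "$pinned"; then
        echo "pinned: $pinned"
    else
        echo "NOT pinned (digest was not recorded): $pinned" >&2
        return 1
    fi
}

# Only act when called with both arguments, so sourcing the file has no side effects.
if [ "$#" -eq 2 ]; then
    update_service "$1" "$2"
fi
```

A non-zero exit means the login or update failed, or the service still references a bare tag, which is the state the warning in the question describes.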