diff --git a/pkg/credentialprovider/aws/aws_credentials.go b/pkg/credentialprovider/aws/aws_credentials.go
index 7e8955e9c0..3a3284a255 100644
--- a/pkg/credentialprovider/aws/aws_credentials.go
+++ b/pkg/credentialprovider/aws/aws_credentials.go
@@ -30,7 +30,9 @@ import (
 	"k8s.io/kubernetes/pkg/credentialprovider"
 )
 
+const chinaRegionPrefix = "cn-"
 const registryURLTemplate = "*.dkr.ecr.%s.amazonaws.com"
+const chinaRegistryURLTemplate = "*.dkr.ecr.%s.amazonaws.com.cn"
 
 // awsHandlerLogger is a handler that logs all AWS SDK requests
 // Copied from pkg/cloudprovider/providers/aws/log_handler.go
@@ -80,6 +82,14 @@ type ecrProvider struct {
 
 var _ credentialprovider.DockerConfigProvider = &ecrProvider{}
 
+// registryURL has different suffix in AWS China region
+func registryURL(region string) string {
+	if strings.HasPrefix(region, chinaRegionPrefix) {
+		return fmt.Sprintf(registryURLTemplate, region)
+	}
+	return fmt.Sprintf(chinaRegistryURLTemplate, region)
+}
+
 // RegisterCredentialsProvider registers a credential provider for the specified region.
 // It creates a lazy provider for each AWS region, in order to support
 // cross-region ECR access. They have to be lazy because it's unlikely, but not
@@ -92,7 +102,7 @@ func RegisterCredentialsProvider(region string) {
 	credentialprovider.RegisterCredentialProvider("aws-ecr-"+region,
 		&lazyEcrProvider{
 			region:    region,
-			regionURL: fmt.Sprintf(registryURLTemplate, region),
+			regionURL: registryURL(region),
 		})
 }
 
@@ -136,7 +146,7 @@ func (p *lazyEcrProvider) Provide() credentialprovider.DockerConfig {
 func newEcrProvider(region string, getter tokenGetter) *ecrProvider {
 	return &ecrProvider{
 		region:    region,
-		regionURL: fmt.Sprintf(registryURLTemplate, region),
+		regionURL: registryURL(region),
 		getter:    getter,
 	}
 }