ResourceInitializationError
Tags: aws, runtime_error, ai_generated: true
STOPPED (Essential container in task exited) - ResourceInitializationError: unable to pull secrets or registry auth: failed to retrieve secret
ID: aws/ecs-task-stopped-resource-memory
Fix Rate: 85%
Confidence: 88%
Evidence: 1
First Seen: 2024-06-20
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| ECS 2024-03-01 | active | — | — | — |
| AWS CLI 2.17.0 | active | — | — | — |
| ECS Agent 1.78.0 | active | — | — | — |
Root Cause
ECS task fails to start because it cannot retrieve a secret from AWS Secrets Manager or Parameter Store due to missing IAM permissions, network restrictions, or incorrect secret ARN.
Official Documentation
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-errors.html
Workarounds
- 90% success: Attach a policy to the task execution role (the role ECS itself uses to pull images and fetch secrets, distinct from the task role the containers assume) that grants secretsmanager:GetSecretValue on the secret ARN, plus kms:Decrypt on the KMS key ARN if the secret is encrypted with a customer managed key (not needed for the default aws/secretsmanager key); for Parameter Store values grant ssm:GetParameters instead. Secrets Manager appends a random six-character suffix to the secret ARN, so either include that suffix in the Resource or end it in a wildcard as below. Example (`<KMS-KEY-ID>` is a placeholder for your key): `aws iam put-role-policy --role-name ecsTaskExecutionRole --policy-name SecretsManagerAccess --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"secretsmanager:GetSecretValue","Resource":"arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret-*"},{"Effect":"Allow","Action":"kms:Decrypt","Resource":"arn:aws:kms:us-east-1:123456789012:key/<KMS-KEY-ID>"}]}'`
- 85% success: Ensure the task definition's executionRoleArn points to a role with the necessary permissions, and that each secret's valueFrom is the correct, complete ARN (e.g., arn:aws:secretsmanager:region:account:secret:name-xxxxxx, including the suffix).
- 80% success: Check network connectivity by testing secret retrieval from within the VPC using the AWS CLI in a similar subnet: `aws secretsmanager get-secret-value --secret-id my-secret`. Tasks in private subnets need either a NAT route or a Secrets Manager (and, for KMS, a KMS) VPC endpoint with private DNS enabled.
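As an added pre-flight check (example code written for this page, not AWS's own tooling), the script below walks a task definition, validates the shape of each secret's valueFrom ARN, and evaluates the execution role's inline policy against it with a simplified IAM matcher (Allow/Deny with * and ? wildcards only; Condition blocks, SCPs, permission boundaries and resource policies are ignored). The task definition, policy and ARN suffixes are constructed sample values; in practice feed it the output of `aws ecs describe-task-definition` and `aws iam get-role-policy`.

```python
import fnmatch
import re

# Secrets Manager appends "-<6 random chars>" to the secret name; a valueFrom or policy
# Resource that ends in the bare name is a common cause of "failed to retrieve secret".
SECRET_ARN = re.compile(r"^arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:.+-[A-Za-z0-9]{6}$")
PARAM_ARN = re.compile(r"^arn:aws:ssm:[a-z0-9-]+:\d{12}:parameter/.+$")

def required_action(value_from):
    """Action the execution role needs for this valueFrom, or None if the ARN looks malformed."""
    if SECRET_ARN.match(value_from):
        return "secretsmanager:GetSecretValue"
    if PARAM_ARN.match(value_from):
        return "ssm:GetParameters"
    return None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def policy_allows(policy, action, resource):
    """Simplified IAM check: explicit Deny wins, else any matching Allow grants; Conditions ignored."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        # IAM action names are case-insensitive, resource ARNs are not; * and ? are the wildcards.
        if (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action", [])))
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", [])))):
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed

def check_task_definition(taskdef, policy):
    """Return (container, valueFrom, problem) for every secret the execution role cannot fetch."""
    problems = []
    for cdef in taskdef.get("containerDefinitions", []):
        for secret in cdef.get("secrets", []):
            ref, action = secret["valueFrom"], required_action(secret["valueFrom"])
            if action is None:
                problems.append((cdef["name"], ref, "malformed ARN"))
            elif not policy_allows(policy, action, ref):
                problems.append((cdef["name"], ref, "missing " + action))
    return problems

# Constructed sample: the page's policy (wildcard "my-secret-*") vs. a task definition with uncovered secrets.
ACC = "arn:aws:secretsmanager:us-east-1:123456789012:secret:"
POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
          "Action": "secretsmanager:GetSecretValue", "Resource": ACC + "my-secret-*"}]}
TASKDEF = {"executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole", "containerDefinitions": [
    {"name": "web", "secrets": [{"name": "API_KEY", "valueFrom": ACC + "my-secret-AbCdEf"}]},
    {"name": "worker", "secrets": [{"name": "DB_PASS", "valueFrom": ACC + "db-password-Gh1jKl"},
                                   {"name": "DB_USER", "valueFrom": ACC + "db-user"}]}]}
```

On the sample, `check_task_definition(TASKDEF, POLICY)` flags the worker container's db-password secret (not covered by the my-secret-* wildcard) and db-user (bare name without the Secrets Manager suffix), while the web container passes.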
Dead Ends
Common approaches that don't work:
- 90% fail: The same error will occur because the root cause (missing permissions) is not addressed.
- 50% fail: This bypasses Secrets Manager but violates security best practices and may break if the secret rotates.
- 70% fail: If the VPC endpoint is not properly configured (e.g., private DNS not enabled), secret retrieval still fails.