{
  "id": "aws/ecs-task-stopped-resource-memory",
  "signature": "STOPPED (Essential container in task exited) - ResourceInitializationError: unable to pull secrets or registry auth: failed to retrieve secret",
  "signature_zh": "已停止（任务中的必需容器已退出）- ResourceInitializationError：无法拉取密钥或注册表认证：检索密钥失败",
  "regex": "STOPPED \\(Essential container in task exited\\) - ResourceInitializationError: unable to pull secrets or registry auth: failed to retrieve secret",
  "domain": "aws",
  "category": "runtime_error",
  "subcategory": null,
  "root_cause": "ECS task fails to start because it cannot retrieve a secret from AWS Secrets Manager or Parameter Store due to missing IAM permissions, network restrictions, or incorrect secret ARN.",
  "root_cause_type": "generic",
  "root_cause_zh": "ECS 任务无法启动，因为由于缺少 IAM 权限、网络限制或密钥 ARN 错误，无法从 AWS Secrets Manager 或参数存储中检索密钥。",
  "versions": [
    {
      "version": "ECS 2024-03-01",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "AWS CLI 2.17.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "ECS Agent 1.78.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "The same error will occur because the root cause (missing permissions) is not addressed.",
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "This bypasses Secrets Manager but violates security best practices and may break if the secret rotates.",
      "fail_rate": 0.5,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "If the VPC endpoint is not properly configured (e.g., private DNS not enabled), secret retrieval still fails.",
      "fail_rate": 0.7,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
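      "action": "Attach a policy to the task execution role that grants secretsmanager:GetSecretValue and kms:Decrypt (needed only when the secret is encrypted with a customer managed KMS key). Example: `aws iam put-role-policy --role-name ecsTaskExecutionRole --policy-name SecretsManagerAccess --policy-document '{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"secretsmanager:GetSecretValue\",\"kms:Decrypt\"],\"Resource\":\"arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret-*\"}]}'`. In this example kms:Decrypt has no effect, because the only Resource is a secret ARN and kms:Decrypt is matched against KMS key ARNs; grant it in a separate statement whose Resource is the key's ARN (placeholder: arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID). The region, account ID and secret name shown are sample values; keep the Resource scoped to the specific secrets the task needs.",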
      "success_rate": 0.9,
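      "how": "Attach a policy to the task execution role that grants secretsmanager:GetSecretValue and kms:Decrypt (needed only when the secret is encrypted with a customer managed KMS key). Example: `aws iam put-role-policy --role-name ecsTaskExecutionRole --policy-name SecretsManagerAccess --policy-document '{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"secretsmanager:GetSecretValue\",\"kms:Decrypt\"],\"Resource\":\"arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret-*\"}]}'`. In this example kms:Decrypt has no effect, because the only Resource is a secret ARN and kms:Decrypt is matched against KMS key ARNs; grant it in a separate statement whose Resource is the key's ARN (placeholder: arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID). The region, account ID and secret name shown are sample values; keep the Resource scoped to the specific secrets the task needs.",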
      "condition": "",
      "sources": []
    },
    {
      "action": "Ensure the task definition's executionRoleArn is set to a role with the necessary permissions, and that the secret ARN is correct (e.g., arn:aws:secretsmanager:region:account:secret:name-xxxxxx).",
      "success_rate": 0.85,
      "how": "Ensure the task definition's executionRoleArn is set to a role with the necessary permissions, and that the secret ARN is correct (e.g., arn:aws:secretsmanager:region:account:secret:name-xxxxxx).",
      "condition": "",
      "sources": []
    },
    {
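      "action": "Check network connectivity by testing secret retrieval from within the VPC using the AWS CLI in a similar subnet: `aws secretsmanager get-secret-value --secret-id my-secret`. This call runs with the caller's credentials, so it checks the network path and the secret ID rather than the task execution role's permissions. It also prints the secret value; append `--query Name --output text` to confirm retrieval without displaying it.",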
      "success_rate": 0.8,
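      "how": "Check network connectivity by testing secret retrieval from within the VPC using the AWS CLI in a similar subnet: `aws secretsmanager get-secret-value --secret-id my-secret`. This call runs with the caller's credentials, so it checks the network path and the secret ID rather than the task execution role's permissions. It also prints the secret value; append `--query Name --output text` to confirm retrieval without displaying it.",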
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
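    "Attach a policy to the task execution role that grants secretsmanager:GetSecretValue and kms:Decrypt (needed only when the secret is encrypted with a customer managed KMS key). Example: `aws iam put-role-policy --role-name ecsTaskExecutionRole --policy-name SecretsManagerAccess --policy-document '{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"secretsmanager:GetSecretValue\",\"kms:Decrypt\"],\"Resource\":\"arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret-*\"}]}'`. In this example kms:Decrypt has no effect, because the only Resource is a secret ARN and kms:Decrypt is matched against KMS key ARNs; grant it in a separate statement whose Resource is the key's ARN (placeholder: arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID). The region, account ID and secret name shown are sample values; keep the Resource scoped to the specific secrets the task needs.",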
    "Ensure the task definition's executionRoleArn is set to a role with the necessary permissions, and that the secret ARN is correct (e.g., arn:aws:secretsmanager:region:account:secret:name-xxxxxx).",
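    "Check network connectivity by testing secret retrieval from within the VPC using the AWS CLI in a similar subnet: `aws secretsmanager get-secret-value --secret-id my-secret`. This call runs with the caller's credentials, so it checks the network path and the secret ID rather than the task execution role's permissions. It also prints the secret value; append `--query Name --output text` to confirm retrieval without displaying it."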
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-errors.html",
  "official_doc_section": null,
  "error_code": "ResourceInitializationError",
  "verification_tier": "ai_generated",
  "confidence": 0.88,
  "fix_success_rate": 0.85,
  "resolvable": "true",
  "first_seen": "2024-06-20",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}