# STOPPED (Essential container in task exited) - ResourceInitializationError: unable to pull secrets or registry auth: failed to retrieve secret

- **ID:** `aws/ecs-task-stopped-resource-memory`
- **Domain:** aws
- **Category:** runtime_error
- **Error Code:** `ResourceInitializationError`
- **Verification:** ai_generated
- **Fix Rate:** 85%

## Root Cause

The ECS agent fetches the task's secrets using the **task execution role** (`executionRoleArn`) before any container starts, and stops the task with this error when that retrieval fails. The usual causes are: the execution role lacks `secretsmanager:GetSecretValue` (or `ssm:GetParameters` for Parameter Store) and, for secrets encrypted with a customer-managed KMS key, `kms:Decrypt`; the task's subnet has no network path to the Secrets Manager or SSM endpoint (a private subnet with neither a NAT gateway nor a VPC endpoint); or the `valueFrom` ARN in the task definition is wrong (typo, wrong region, or wrong account). Permissions attached to the task role (`taskRoleArn`) do not help here: that role is only assumed by the application after the container is running.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| ECS 2024-03-01 | active | — | — |
| AWS CLI 2.17.0 | active | — | — |
| ECS Agent 1.78.0 | active | — | — |

## Workarounds

1. **Attach a policy to the task execution role that grants `secretsmanager:GetSecretValue` on the secret and, if the secret is encrypted with a customer-managed KMS key, `kms:Decrypt` on that key.** (90% success)
   ```
   aws iam put-role-policy --role-name ecsTaskExecutionRole --policy-name SecretsManagerAccess --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"secretsmanager:GetSecretValue","Resource":"arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret-*"},{"Effect":"Allow","Action":"kms:Decrypt","Resource":"arn:aws:kms:us-east-1:123456789012:key/<key-id>"}]}'
   ```
   `kms:Decrypt` must be granted on the KMS key ARN (replace `<key-id>` with the key's ID) in its own statement; listing it next to a `secretsmanager:` resource grants nothing, because the action and resource do not match. Secrets encrypted with the AWS-managed key `aws/secretsmanager` need no explicit KMS grant. For Parameter Store, grant `ssm:GetParameters` on the parameter ARN instead.
2. **Confirm the task definition's `executionRoleArn` points at that role and that each `secrets[].valueFrom` is the secret's full ARN (e.g., `arn:aws:secretsmanager:region:account:secret:name-xxxxxx`, where `xxxxxx` is the random suffix Secrets Manager appends to the name).** (85% success)
   ```
   aws ecs describe-task-definition --task-definition my-task --query 'taskDefinition.[executionRoleArn,containerDefinitions[].secrets]'
   aws secretsmanager describe-secret --secret-id my-secret --query ARN
   ```
   The ARN printed by `describe-secret` is the one that must appear in `valueFrom` (an optional `:json-key:version-stage:version-id` suffix may follow it). An ARN whose region, account or suffix does not match the real secret produces this error even when IAM is correct.
3. **Check that the task's subnets can reach the Secrets Manager endpoint: run the same retrieval from an instance or container in one of those subnets, using the execution role's permissions.** (80% success)
   ```
   aws secretsmanager get-secret-value --secret-id my-secret --region us-east-1
   ```
   An `AccessDeniedException` points back to IAM; a connect timeout means the subnet has no route to `secretsmanager.<region>.amazonaws.com`, i.e. neither a NAT gateway nor a `com.amazonaws.<region>.secretsmanager` interface endpoint. For Parameter Store the endpoint service is `com.amazonaws.<region>.ssm`.
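The three steps above can be checked offline before a task is even launched. The script below is an added example written for this page, not AWS tooling or code from the original: it parses a task definition JSON, validates every `secrets[].valueFrom` reference, flags a missing `executionRoleArn` and cross-region secrets, and derives the least-privilege inline policy the task execution role needs, with `kms:Decrypt` scoped to the key rather than the secret. The account ID, secret names, parameter name and KMS key ARN are constructed samples.

```python
"""Offline preflight for ECS task definitions that pull secrets at start-up.

Added example, not AWS tooling: validates secrets[].valueFrom references and
derives the execution-role policy they require. All ARNs are fictional.
"""
import json
import re

# Secrets Manager: arn:aws:secretsmanager:region:account:secret:name-suffix
# optionally followed by ":json-key:version-stage:version-id".
_SM_RE = re.compile(
    r"^arn:aws:secretsmanager:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":secret:(?P<name>[^:]+)(?::[^:]*:[^:]*:[^:]*)?$"
)
# Parameter Store: full ARN, or (same region only) a bare parameter name.
_SSM_RE = re.compile(
    r"^arn:aws:ssm:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):parameter/.+$"
)
_ROLE_RE = re.compile(r"^arn:aws:iam::(?P<account>\d{12}):role/.+$")


def parse_secret_ref(value_from, task_region, account):
    """Return {action, region, resource} for one valueFrom, or raise ValueError."""
    m = _SM_RE.match(value_from)
    if m:
        # The IAM resource is the secret ARN without the json-key/version tail.
        base = f"arn:aws:secretsmanager:{m['region']}:{m['account']}:secret:{m['name']}"
        return {"action": "secretsmanager:GetSecretValue",
                "region": m["region"], "resource": base}
    m = _SSM_RE.match(value_from)
    if m:
        return {"action": "ssm:GetParameters",
                "region": m["region"], "resource": value_from}
    if value_from.startswith("arn:"):
        raise ValueError(f"malformed secret ARN: {value_from}")
    # Bare name: ECS resolves it as an SSM parameter in the task's own region.
    name = value_from.lstrip("/")
    return {"action": "ssm:GetParameters", "region": task_region,
            "resource": f"arn:aws:ssm:{task_region}:{account}:parameter/{name}"}


def check_task_definition(task_def, task_region):
    """Return (findings, refs): human-readable problems and parsed secret refs."""
    findings, refs = [], []
    rm = _ROLE_RE.match(task_def.get("executionRoleArn", ""))
    if not rm:
        findings.append("no valid executionRoleArn: ECS cannot fetch secrets "
                        "without an execution role")
    account = rm["account"] if rm else "000000000000"
    for c in task_def.get("containerDefinitions", []):
        for s in c.get("secrets", []):
            try:
                ref = parse_secret_ref(s["valueFrom"], task_region, account)
            except ValueError as e:
                findings.append(f"{c['name']}/{s['name']}: {e}")
                continue
            if ref["region"] != task_region:
                # Interface VPC endpoints are regional: a task in a private
                # subnet reaches another region's API only via NAT/internet.
                findings.append(f"{c['name']}/{s['name']}: secret is in "
                                f"{ref['region']} but the task runs in "
                                f"{task_region}; needs a NAT/internet path")
            refs.append(ref)
    return findings, refs


def build_execution_role_policy(refs, kms_key_arns=()):
    """Least-privilege inline policy for the execution role.

    Resources are grouped per action. kms:Decrypt gets its own statement on
    the KMS key ARN(s); granting it on a secretsmanager: ARN does nothing.
    Pass only customer-managed keys: the AWS-managed aws/secretsmanager key
    needs no explicit grant.
    """
    by_action = {}
    for r in refs:
        by_action.setdefault(r["action"], set()).add(r["resource"])
    statements = [{"Effect": "Allow", "Action": a, "Resource": sorted(res)}
                  for a, res in sorted(by_action.items())]
    if kms_key_arns:
        statements.append({"Effect": "Allow", "Action": "kms:Decrypt",
                           "Resource": sorted(kms_key_arns)})
    return {"Version": "2012-10-17", "Statement": statements}


# Constructed sample task definition (fictional account, secrets and key).
SAMPLE_TASK_DEF = {
    "family": "api",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "containerDefinitions": [{
        "name": "api",
        "secrets": [
            {"name": "DB_PASSWORD", "valueFrom": "arn:aws:secretsmanager:us-east-1:"
             "123456789012:secret:prod/db-AbCdEf:password::"},
            {"name": "API_KEY", "valueFrom": "arn:aws:secretsmanager:eu-west-1:"
             "123456789012:secret:prod/api-XyZ123"},
            {"name": "FEATURE_FLAGS", "valueFrom": "/prod/flags"},
            {"name": "BROKEN", "valueFrom": "arn:aws:secretsmanager:us-east-1:1234:secret:oops"},
        ],
    }],
}
SAMPLE_KMS_KEY = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"

if __name__ == "__main__":
    problems, secret_refs = check_task_definition(SAMPLE_TASK_DEF, "us-east-1")
    for p in problems:
        print("FINDING:", p)
    print(json.dumps(build_execution_role_policy(secret_refs, [SAMPLE_KMS_KEY]), indent=2))
```

Feed it the output of `aws ecs describe-task-definition` (the `taskDefinition` object) and the region the service runs in; the generated policy can be passed straight to `aws iam put-role-policy`. The sample deliberately includes a cross-region secret and a malformed ARN so that both findings appear.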

## Dead Ends

- **Restarting the task or forcing a new deployment without changing the execution role** — The same error recurs because the root cause (missing permissions) is not addressed. (90% fail)
- **Putting the secret value directly into the container's `environment` instead of `secrets`** — This bypasses Secrets Manager but violates security best practices (the plaintext value is visible to anyone who can describe the task definition) and may break when the secret rotates. (50% fail)
- **Adding a Secrets Manager VPC endpoint without verifying it** — If the endpoint is not properly configured (e.g., private DNS not enabled, or its security group does not allow inbound TCP 443 from the task's subnets), secret retrieval still fails. (70% fail)
