ResourceInitializationError
aws
runtime_error
ai_generated
true
已停止(任务中的必需容器已退出)- ResourceInitializationError:无法拉取密钥或注册表认证:检索密钥失败
STOPPED (Essential container in task exited) - ResourceInitializationError: unable to pull secrets or registry auth: failed to retrieve secret
ID: aws/ecs-task-stopped-resource-memory
85%修复率
88%置信度
1证据数
2024-06-20首次发现
版本兼容性
| 版本 | 状态 | 引入 | 弃用 | 备注 |
|---|---|---|---|---|
| ECS 2024-03-01 | active | — | — | — |
| AWS CLI 2.17.0 | active | — | — | — |
| ECS Agent 1.78.0 | active | — | — | — |
根因分析
ECS 任务无法启动,因为由于缺少 IAM 权限、网络限制或密钥 ARN 错误,无法从 AWS Secrets Manager 或参数存储中检索密钥。
English
ECS task fails to start because it cannot retrieve a secret from AWS Secrets Manager or Parameter Store due to missing IAM permissions, network restrictions, or incorrect secret ARN.
官方文档
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-errors.html解决方案
-
Attach a policy to the task execution role that grants secretsmanager:GetSecretValue and kms:Decrypt (if using KMS). Example: `aws iam put-role-policy --role-name ecsTaskExecutionRole --policy-name SecretsManagerAccess --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["secretsmanager:GetSecretValue","kms:Decrypt"],"Resource":"arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret-*"}]}'` -
Ensure the task definition's executionRoleArn is set to a role with the necessary permissions, and that the secret ARN is correct (e.g., arn:aws:secretsmanager:region:account:secret:name-xxxxxx).
-
Check network connectivity by testing secret retrieval from within the VPC using the AWS CLI in a similar subnet: `aws secretsmanager get-secret-value --secret-id my-secret`.
无效尝试
常见但无效的做法:
-
90% 失败
The same error will occur because the root cause (missing permissions) is not addressed.
-
50% 失败
This bypasses Secrets Manager but violates security best practices and may break if the secret rotates.
-
70% 失败
If the VPC endpoint is not properly configured (e.g., private DNS not enabled), secret retrieval still fails.