# Stopped (essential container in task exited) - ResourceInitializationError: unable to pull secrets or registry auth: failed to retrieve secrets

- **ID:** `aws/ecs-task-stopped-resource-memory`
- **Domain:** aws
- **Category:** runtime_error
- **Error code:** `ResourceInitializationError`
- **Verification level:** ai_generated
- **Fix rate:** 85%

## Root cause

The ECS task cannot start because the ECS agent, acting with the task execution role, is unable to retrieve the secret from AWS Secrets Manager or Systems Manager Parameter Store. The usual reasons are missing IAM permissions on the execution role, network restrictions that block the service endpoint, or an incorrect secret ARN in the task definition.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| ECS 2024-03-01 | active | — | — |
| AWS CLI 2.17.0 | active | — | — |
| ECS Agent 1.78.0 | active | — | — |

## Solution

1. Attach a policy to the task execution role that grants `secretsmanager:GetSecretValue` on the secret and, if the secret is encrypted with a customer managed KMS key, `kms:Decrypt` on that key. `kms:Decrypt` is only effective when its `Resource` is the KMS key ARN, so it needs its own statement rather than sharing the Secrets Manager resource. Example (replace `<KEY-ID>` with the ID of your key):

   ```
   aws iam put-role-policy --role-name ecsTaskExecutionRole --policy-name SecretsManagerAccess --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"secretsmanager:GetSecretValue","Resource":"arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret-*"},{"Effect":"Allow","Action":"kms:Decrypt","Resource":"arn:aws:kms:us-east-1:123456789012:key/<KEY-ID>"}]}'
   ```

2. Ensure the task definition's `executionRoleArn` points to a role with the necessary permissions, and that the secret ARN referenced in `valueFrom` is correct (e.g. `arn:aws:secretsmanager:region:account:secret:name-xxxxxx`, including the random suffix).

3. Check network connectivity by testing secret retrieval from within the VPC using the AWS CLI in a similar subnet: `aws secretsmanager get-secret-value --secret-id my-secret`. If this times out, the subnet has no route to the Secrets Manager endpoint (no NAT gateway or no VPC endpoint).
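The three steps above can be pre-checked offline before a task is launched. The following script is an added example, not part of the original entry or of any AWS tooling: it takes a task definition and the execution role's policy document, verifies every `valueFrom` is a well-formed Secrets Manager or SSM parameter ARN, checks that the policy allows the matching action on that ARN, and flags a `kms:Decrypt` grant whose `Resource` is not a KMS key ARN (the mistake that makes the one-statement policy look right while granting nothing on the key). The task definition, the two policies and the `PLACEHOLDER-KEY-ID` key ID are constructed sample values.

```python
"""Offline pre-flight check for ECS task secrets: ARN shape, execution-role permissions, KMS scoping."""
import fnmatch
import re

# Constructed sample task definition: one Secrets Manager secret and one SSM parameter.
TASK_DEFINITION = {
    "family": "web",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "containerDefinitions": [{
        "name": "app",
        "secrets": [
            {"name": "DB_PASSWORD",
             "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret-AbCdEf"},
            {"name": "API_KEY",
             "valueFrom": "arn:aws:ssm:us-east-1:123456789012:parameter/prod/api-key"},
        ],
    }],
}

# Constructed policy reproducing the single-statement form: kms:Decrypt is listed against a
# Secrets Manager ARN, which grants nothing on the key, and the SSM parameter is not covered at all.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue", "kms:Decrypt"],
        "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret-*",
    }],
}

# Constructed corrected policy: secret and parameter actions scoped to their ARNs, kms:Decrypt scoped
# to the key ARN (PLACEHOLDER-KEY-ID stands in for a real key ID).
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["secretsmanager:GetSecretValue", "ssm:GetParameters"],
         "Resource": ["arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret-*",
                      "arn:aws:ssm:us-east-1:123456789012:parameter/prod/*"]},
        {"Effect": "Allow", "Action": "kms:Decrypt",
         "Resource": "arn:aws:kms:us-east-1:123456789012:key/PLACEHOLDER-KEY-ID"},
    ],
}

SECRET_ARN = re.compile(r"^arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:[^:]+$")
PARAM_ARN = re.compile(r"^arn:aws:ssm:[a-z0-9-]+:\d{12}:parameter/.+$")
KMS_KEY_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/.+$")


def as_list(value):
    """IAM allows a string or a list for Action/Resource/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def secret_refs(task_def):
    """Yield (env var name, valueFrom ARN) for every containerDefinitions[].secrets entry."""
    for container in task_def.get("containerDefinitions", []):
        for secret in container.get("secrets", []):
            yield secret["name"], secret["valueFrom"]


def action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed(policy, action, resource):
    """True if some Allow statement matches both the action and the resource ARN."""
    for st in as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not any(action_matches(a, action) for a in as_list(st.get("Action", []))):
            continue
        if any(fnmatch.fnmatchcase(resource, r) for r in as_list(st.get("Resource", []))):
            return True
    return False


def check(task_def, policy):
    """Return human-readable findings; an empty list means the checks pass."""
    findings = []
    if not task_def.get("executionRoleArn"):
        findings.append("executionRoleArn is not set on the task definition")
    for name, ref in secret_refs(task_def):
        if SECRET_ARN.match(ref):
            action = "secretsmanager:GetSecretValue"
        elif PARAM_ARN.match(ref):
            action = "ssm:GetParameters"
        else:
            findings.append(f"{name}: valueFrom is not a Secrets Manager or SSM parameter ARN: {ref}")
            continue
        if not allowed(policy, action, ref):
            findings.append(f"{name}: execution role does not allow {action} on {ref}")
    # kms:Decrypt only has effect against a KMS key ARN (or "*"); any other Resource is a silent no-op.
    for st in as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if any(action_matches(a, "kms:Decrypt") for a in as_list(st.get("Action", []))):
            for r in as_list(st.get("Resource", [])):
                if r != "*" and not KMS_KEY_ARN.match(r):
                    findings.append(f"kms:Decrypt is granted on a non-KMS resource and has no effect: {r}")
    return findings


if __name__ == "__main__":
    for finding in check(TASK_DEFINITION, WEAK_POLICY):
        print("FINDING:", finding)
    print("fixed policy findings:", check(TASK_DEFINITION, FIXED_POLICY))
```

Run against the weak policy it reports the uncovered SSM parameter and the mis-scoped `kms:Decrypt`; against the corrected policy it reports nothing. It deliberately mirrors only the execution role's inline policy; managed policies such as `AmazonECSTaskExecutionRolePolicy` and the KMS key policy still have to be checked separately.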

## Ineffective attempts

- The same error will occur because the root cause (missing permissions) is not addressed. (90% failure rate)
- This bypasses Secrets Manager but violates security best practices and may break if the secret rotates. (50% failure rate)
- If the VPC endpoint is not properly configured (e.g. private DNS not enabled), secret retrieval still fails. (70% failure rate)
