How do I troubleshoot Amazon ECS tasks for Fargate that are stuck in the Pending state?
My Amazon Elastic Container Service (Amazon ECS) task that's running on AWS Fargate is stuck in the PENDING state.
Check what routes to the internet your subnets are using
For Fargate tasks in a public subnet:
Verify that your Fargate task has an assigned public IP address and a default route (0.0.0.0/0) to an internet gateway. To do this, select the Enable auto-assign public IPv4 address check box when you launch your task or create a new service. For more information, see Public IPv4 addresses.
Note: You can't select the Enable auto-assign public IPv4 address check box for existing tasks or services.
For Fargate tasks in a private subnet:
Verify that your Fargate task has a default route (0.0.0.0/0) to either a NAT gateway, AWS PrivateLink, or another source of internet connectivity.
If you use PrivateLink, confirm that the security groups for your VPC endpoints allow the Fargate infrastructure to use the endpoints.
Check your AWS Identity and Access Management (IAM) roles and permissions
The task execution role grants the Amazon ECS container and Fargate agents permission to make AWS API calls on your behalf. This role is required by Fargate when you:
Pull a container image from Amazon Elastic Container Registry (Amazon ECR)
Use the awslogs log driver
Use private registry authentication
Reference sensitive data using Secrets Manager secrets or AWS Systems Manager Parameter Store parameters
If your use case involves any of the preceding scenarios, confirm that you have the right permissions defined in your task execution role. For a complete list of required permissions, see Amazon ECS task execution IAM role.
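The check described above can be run offline before a task is launched. The following is an added example, not part of the original article: it derives the execution-role actions a task definition needs from the four scenarios in the list and reports any that the role's policy doesn't allow. The action names are those in AWS's managed AmazonECSTaskExecutionRolePolicy and the ECS secrets documentation; the function names, sample task definition, and sample policy are constructed for illustration.

```python
import fnmatch
import re

# Execution-role actions per feature (per AWS's AmazonECSTaskExecutionRolePolicy).
ECR_PULL = {"ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
            "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"}
AWSLOGS = {"logs:CreateLogStream", "logs:PutLogEvents"}
ECR_IMAGE = re.compile(r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com")
SM_ARN = re.compile(r"^arn:aws[a-z-]*:secretsmanager:")

def required_actions(task_def):
    """Derive the execution-role actions a task definition depends on."""
    need = set()
    for c in task_def.get("containerDefinitions", []):
        if ECR_IMAGE.match(c.get("image", "")):
            need |= ECR_PULL
        log = c.get("logConfiguration", {})
        if log.get("logDriver") == "awslogs":
            need |= AWSLOGS
        if "repositoryCredentials" in c:  # private registry authentication
            need.add("secretsmanager:GetSecretValue")
        for s in c.get("secrets", []) + log.get("secretOptions", []):
            sm = SM_ARN.match(s["valueFrom"])  # otherwise an SSM parameter ARN or name
            need.add("secretsmanager:GetSecretValue" if sm else "ssm:GetParameters")
    return need

def allowed_patterns(policy):
    """Action patterns from Allow statements. Deny, Resource and Condition
    are not evaluated, so a clean result is necessary but not sufficient."""
    stmts = policy.get("Statement", [])
    pats = []
    for st in [stmts] if isinstance(stmts, dict) else stmts:
        acts = st.get("Action", []) if st.get("Effect") == "Allow" else []
        pats += [acts] if isinstance(acts, str) else acts
    return [p.lower() for p in pats]

def missing_actions(task_def, policy):
    """Required actions that no Allow pattern matches (IAM is case-insensitive)."""
    pats = allowed_patterns(policy)
    return sorted(a for a in required_actions(task_def)
                  if not any(fnmatch.fnmatchcase(a.lower(), p) for p in pats))

# Constructed sample input (account ID, names and paths are placeholders).
TASK_DEF = {"containerDefinitions": [{
    "image": "111122223333.dkr.ecr.us-east-1.amazonaws.com/app:1.0",
    "logConfiguration": {"logDriver": "awslogs"},
    "secrets": [{"name": "DB_PASSWORD", "valueFrom": "/app/db_password"}]}]}
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ecr:*", "logs:PutLogEvents"], "Resource": "*"}]}
```

For the sample input, `missing_actions(TASK_DEF, POLICY)` reports `logs:CreateLogStream` and `ssm:GetParameters`. Adding the missing actions to the role is preferable to widening the policy to a service-wide wildcard.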
When using a VPC in dual-stack mode with Fargate, you can configure your VPC with an internet gateway or an outbound-only internet gateway for tasks that are assigned an IPv6 address to access the internet. For more information, see Using a VPC in dual-stack mode.
Note: To troubleshoot your issue, you can also use Amazon ECS Exec to retrieve the logs from the container instance of your task or service.
Container dependency is defined
A container dependency that's defined in the task definition can cause the Fargate task to stay in the PENDING state indefinitely. Example: If containerA depends on a certain state of containerB, containerA is expected to stay in the PENDING state until containerB reaches that state. But if containerB never reaches the desired state, then the task stays in the PENDING state indefinitely. Be sure that you have defined the dependencies appropriately, or re-evaluate the dependencies.