ECS/Farget service in the AWS CDK using the default public subnet in the VPC, failed to start the task, which originated from the private ECR container image.


Hi,When I tried to deploy the ECS Fargate service using AWS CDK, I get stuck at the task launch and after A while I get an error:

ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve ecr registry auth: service call has been retried 3 time(s): RequestError: send request failed caused by: Post "": dial tcp i/o timeout. Please check your task network configuration..

Here is my cdk code: ps:I'm not writing** [isDefault: true]** in loopup vpc, because if I write it that way, I'll have two more subnets that I don't know where they came from.


    const vpc = ec2.Vpc.fromLookup(this, "Default VPC", {
        //default vpc id
        vpcId: "vpc-069bd0d6dea52bc66", //The VPC ID shown here is the only VPC in ap-northeast-2

    const publicSubnets = vpc.selectSubnets({
        subnetType: ec2.SubnetType.PUBLIC,
        availabilityZones: ["ap-northeast-2a", "ap-northeast-2b"],

    //The printout here is same as aws console
    publicSubnets.subnets.forEach((subnet) => {
        console.log("==>>subnetId:" + subnet.subnetId + "\n");

    const cluster = new ecs.Cluster(this, "Cluster", {
        clusterName: "DemoClusterForCdk",

    const fargateTaskDefinition = new ecs.TaskDefinition(this, "TaskDefinition-Fargate", {
        compatibility: ecs.Compatibility.FARGATE,
        cpu: "256",
        memoryMiB: "512",
        networkMode: ecs.NetworkMode.AWS_VPC,

    fargateTaskDefinition.addContainer("FargateTaskContainer", {
        //private repository
        image: ecs.ContainerImage.fromEcrRepository(
        portMappings: [{ containerPort: 80 }],

    const fargateService = new ecs.FargateService(this, "DemoFargateService", {
        taskDefinition: fargateTaskDefinition,
        desiredCount: 2,
        serviceName: "DemoFargateService",
        vpcSubnets: { subnets: publicSubnets.subnets },

    const alb = new elbv2.ApplicationLoadBalancer(this, "DemoALB", {
        internetFacing: true,
        ipAddressType: elbv2.IpAddressType.IPV4,
        vpcSubnets: publicSubnets,

    const listener = alb.addListener("DemoListener", {
        port: 80,
        protocol: elbv2.ApplicationProtocol.HTTP,

    listener.addTargets("DemoTarget", {
        port: 80,
        protocol: elbv2.ApplicationProtocol.HTTP,
        targets: [fargateService],


During deployment, the startup task will continue to be retried, and of course, it will continue to fail.

Why is this? The subnet is public.

asked 6 months ago239 views
1 Answer
Accepted Answer

Even though it’s a public subnet please ensure assign Public IP address to the ECS service is set to true.

If it’s not then it will only have a private IP address and can’t reach the internet or AWS services.

In const fargateService Add assignPublicIp : true

profile picture
answered 5 months ago
  • It worked. Thank you.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions