Thanks for the answers. However, it will help me a lot if one could show me how to read the actual error log, which is getting cut off when I look at the task stopped details. Please see how the error is showing up, marked in red: https://imgur.com/a/vhdLQIO It's clipped and incomplete. How do I read the complete log message so I can actually drill down on the actual error?
As for the image repository - the container image is present in the ECS repository with URI https://446446443139.dkr.ecr.us-east-1.amazonaws.com/fargate-game-servers:2022-02-16.113828
Check https://imgur.com/a/nZlqSZQ
How do I check if the IAM role for ECS has permissions for pulling the image? Do I check for a particular entry in the IAM policies? My tasks are launched by specific lambda services. Should I check into the AWSServiceRoleForECS for the permissions or the role for the specific lambda service?
The VPC seems to be an internet gateway attached to NAT on route table attached to the VPC. Is there something specific I should look for?
It will be best if I can read the complete error log. Noob. Please help...
CannotPullContainerError would occur if:
- Your image does not exist in repository
- Your ECS IAM role does not have permissions to pull the image
- If the image comes from Dockerhub, it could be failing due to rate limiting.
Usually in the console you can see the description of the error that gives you the reason why the CannotPullContainerError exception occurred.
Another reason why Fargate may be unable to pull your container image is due to a networking issue. The subnet in which you place your tasks must have access to the Internet (unless you are building a VPC without Internet access, in which case you must set up VPC Endpoints for Amazon ECR).
First, your VPC must have an Internet Gateway attached.
If you are launching your tasks in a private subnet, make sure you've created a NAT Gateway, and make sure your subnet route table has a default route to the NAT Gateway.
If you are launching your tasks in a public subnet, make sure you have enabled public IP address assignments for your task ENIs (elastic network interfaces). See, for example, step 11 (Networking) in the Creating a Service documentation.
The important role here is the Task Execution Role, located in your Task Definition. This Role, which you must create, must have the ability to perform several ECR actions. You can either manually specify a policy document, or you can attach the managed policy AmazonECSTaskExecutionRolePolicy to the Role, and this will allow Fargate to pull the container images for you.
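For the "manually specify a policy document" case above, this added example (not part of the original thread and not AWS code) checks a policy document offline for the ECR pull actions that AmazonECSTaskExecutionRolePolicy grants. The function names and the sample policies are constructed for illustration, and the check assumes `Resource`, `Condition` and `NotAction` are not in play.

```python
import json
from fnmatch import fnmatchcase

# ECR actions granted by the managed policy AmazonECSTaskExecutionRolePolicy
REQUIRED_ECR_ACTIONS = [
    "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
]

def _as_list(value):
    # IAM allows "Action" to be a single string or a list of strings
    return [value] if isinstance(value, str) else list(value or [])

def _matches(patterns, action):
    # IAM action names are case-insensitive and may contain * and ? wildcards
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def missing_ecr_actions(policy_json):
    """Return the required ECR pull actions this policy document does not allow.

    Simplification (assumption): Resource, Condition and NotAction are ignored,
    so a statement scoped to a different repository still counts as an allow.
    """
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    allowed, denied = [], []
    for st in statements:
        target = allowed if st.get("Effect") == "Allow" else denied
        target.extend(_as_list(st.get("Action")))
    # An explicit Deny always overrides an Allow
    return [a for a in REQUIRED_ECR_ACTIONS
            if _matches(denied, a) or not _matches(allowed, a)]

# Constructed sample policies (not taken from the thread)
TOO_NARROW = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ecr:Get*", "Resource": "*"}]})
COMPLETE = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Resource": "*",
    "Action": REQUIRED_ECR_ACTIONS + ["logs:CreateLogStream", "logs:PutLogEvents"]}})
DENIED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ecr:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ecr:BatchGetImage", "Resource": "*"}]})

if __name__ == "__main__":
    for name, doc in [("too narrow", TOO_NARROW), ("complete", COMPLETE), ("denied", DENIED)]:
        print(name, "->", missing_ecr_actions(doc) or "all pull actions allowed")
```

Feed it the policy documents attached to the role named in the task definition's `executionRoleArn`; a non-empty result means that policy alone does not let Fargate pull from ECR.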