Hi Simon,
It looks like this is either an IAM permission or a security group permission. I'd recommend making sure that your ecsTaskExecutionRole has the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
If that doesn't work, try adding those same permissions to your Lambda function's role as well.
You may also need to add this permission to your ecsTaskRole:
{
  "Action": "ecr:GetAuthorizationToken",
  "Effect": "Allow",
  "Resource": "*"
}
If those fail, try checking the security group associated with your Lambda function to make sure it can talk over 443, and if that fails, then check the permissions associated with your ECR repository:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountPullTest",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::ACCOUNT_ID:role/ecsTaskExecutionRoleNAME"
        ]
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ]
    }
  ]
}
If all else fails, check out this article here that appears to be similar to your issue: https://stackoverflow.com/questions/61265108/aws-ecs-fargate-resourceinitializationerror-unable-to-pull-secrets-or-registry
Looks like it could be a networking issue with how you're launching your tasks if they don't have internet accessibility to ECR. Hope this helps!
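An offline check for the IAM step in the answer above, added here as an example and not part of the original answer: it reports which of the listed actions a set of policy documents fails to allow. The helper names and the sample policies are constructed for illustration, and Resource, Condition and NotAction elements are not evaluated.

```python
import fnmatch

# Actions the answer above lists for the task execution role.
REQUIRED_ACTIONS = [
    "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
]

def _as_list(value):
    """IAM accepts a single item or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(action, patterns):
    """Case-insensitive match supporting IAM-style '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def missing_actions(policy_documents, required=REQUIRED_ACTIONS):
    """Return required actions that are not allowed, or are explicitly denied.

    Simplification (assumption): only Effect and Action are evaluated.
    """
    allowed, denied = [], []
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement")):
            if stmt.get("Effect") == "Allow":
                allowed.extend(_as_list(stmt.get("Action")))
            elif stmt.get("Effect") == "Deny":
                denied.extend(_as_list(stmt.get("Action")))
    # An explicit deny always wins over an allow.
    return [a for a in required if _matches(a, denied) or not _matches(a, allowed)]

# Constructed sample: wildcard ECR read access, no CloudWatch Logs actions,
# and a second (hypothetical) policy that denies one of the pull actions.
SAMPLE_POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ecr:Get*", "ecr:Batch*"], "Resource": "*"}]},
    {"Version": "2012-10-17", "Statement":
        {"Effect": "Deny", "Action": "ecr:BatchGetImage", "Resource": "*"}},
]

if __name__ == "__main__":
    print("Missing or denied:", missing_actions(SAMPLE_POLICIES))
```

Feed it the policy documents attached to the execution role; an empty list means every action from the answer is allowed and none is explicitly denied.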
I fixed this by including 'assignPublicIp': 'ENABLED' to the networkConfiguration:

import boto3

ecs = boto3.client('ecs')

response = ecs.run_task(
    cluster='lighthouse-run-cluster',
    taskDefinition='lighthouse-run-task-definition:5',
    launchType='FARGATE',
    networkConfiguration={
        'awsvpcConfiguration': {
            'subnets': [...],
            'securityGroups': [...],
            # Added the flag below
            'assignPublicIp': 'ENABLED'
        }
    }
)
I think this is down to a config problem in our sandbox and it shouldn't be needed in production, but it got me moving.
None of this made any difference. Thanks though.