ECS Fargate Task in EventBridge has ResourceInitializationError

0

I have created an ECS Fargate Task, which I can manually run. It updates a DynamoDB and I get logs.

Now I want this to run on a schedule. I have set up a scheduled ECS task through EventBridge and through the UI in the ECS cluster. However, this does not run.

By looking at the EventBridge logs I can see that the container has been stopped for the following stopped reason:

ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve ecr registry auth: service call has been retried 3 time(s): RequestError: send request failed caused by: Post https://api.ecr....

I thought this might be a problem with permissions. However, I tested giving the Task Execution Role full power user permissions and I still get the same error. Could the problem be something else?

1 Answer
1

There are two roles associated with a Fargate task: The Task Role, and the Task Execution Role.

The Task Execution Role needs all the permissions needed to start the task, including pulling the container image from ECR, obtaining and decrypting any secrets needed to launch the container, and dispatching logs and telemetry data to CloudWatch. The container runtime runs in the Task Execution Role context.

The Task Role, on the other hand, needs all the permissions that are required by the task containers after launch. For example, if your application needs to access S3 or DynamoDB, the Task Role would contain those policies granting access to the application.

So it is important to distinguish those two roles: the Task Execution Role is used before launch; the Task Role is used after launch. It is possible that you associated the policies with the Task Role instead of the Task Execution Role.

AWS
EXPERT
answered 2 years ago
  • Thanks, that's a good suggestion but I have been adding permissions to the Task Execution Role. I tested adding PowerUser permissions to the Task Execution Role, and I still have exactly the same error, so I think it's not a permissions issue.

  • @mhairi, did you get this to work? I'm thinking it is a network issue, but cannot figure it out. thanks
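The role split described in the answer can be checked mechanically. The following is an added example, not part of the original thread: it reports launch-time actions (the ones in the AWS managed AmazonECSTaskExecutionRolePolicy) that are missing from the Task Execution Role and says whether they were attached to the Task Role instead. The account id, role names, policies and the `ROLE_POLICIES` mapping are constructed sample input; only `executionRoleArn` and `taskRoleArn` are real task definition fields.

```python
from fnmatch import fnmatchcase

# Actions needed before launch: ECR image pull and CloudWatch Logs delivery.
LAUNCH_ACTIONS = [
    "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
    "logs:CreateLogStream", "logs:PutLogEvents",
]

def allowed_actions(policy_docs):
    """Collect Action patterns from Allow statements.
    Simplification: Deny, NotAction, Resource and Condition are ignored."""
    patterns = []
    for doc in policy_docs:
        stmts = doc.get("Statement", [])
        for st in [stmts] if isinstance(stmts, dict) else stmts:
            if st.get("Effect") == "Allow" and "Action" in st:
                acts = st["Action"]
                patterns += [acts] if isinstance(acts, str) else acts
    return [p.lower() for p in patterns]  # IAM action names are case-insensitive

def grants(patterns, action):
    return any(fnmatchcase(action.lower(), p) for p in patterns)

def audit_roles(task_def, role_policies):
    """Return findings about where the launch-time permissions live."""
    exec_arn = task_def.get("executionRoleArn")
    if not exec_arn:
        return ["task definition has no executionRoleArn"]
    exec_p = allowed_actions(role_policies.get(exec_arn, []))
    task_p = allowed_actions(role_policies.get(task_def.get("taskRoleArn"), []))
    findings = []
    for action in LAUNCH_ACTIONS:
        if not grants(exec_p, action):
            where = ("granted on the Task Role instead" if grants(task_p, action)
                     else "not granted on either role")
            findings.append(f"{action}: missing from Task Execution Role ({where})")
    return findings

# Constructed sample: ECR permissions were attached to the wrong role.
TASK_DEF = {"executionRoleArn": "arn:aws:iam::111122223333:role/example-exec",
            "taskRoleArn": "arn:aws:iam::111122223333:role/example-task"}
ROLE_POLICIES = {
    TASK_DEF["executionRoleArn"]: [{"Statement": [
        {"Effect": "Allow", "Action": "logs:*", "Resource": "*"}]}],
    TASK_DEF["taskRoleArn"]: [{"Statement": [
        {"Effect": "Allow", "Action": ["ecr:*", "dynamodb:UpdateItem"], "Resource": "*"}]}],
}
if __name__ == "__main__":
    print("\n".join(audit_roles(TASK_DEF, ROLE_POLICIES)) or "execution role covers launch actions")
```

An empty result only rules out the role mix-up; it says nothing about whether the task's subnet can reach the ECR endpoint.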
