Troubleshooting Amazon ECS ResourceInitializationError errors
The following are some ResourceInitializationError error messages and actions that you can take to fix the errors.
To check your stopped tasks for an error message using the AWS Management Console, see Viewing Amazon ECS stopped task errors.
Errors
- The task cannot pull registry authentication from Amazon ECR. There is a connection issue between the task and Amazon ECR. Check your task network configuration.
- The task can't download the environment variable files from Amazon S3. There is a connection issue between the task and Amazon S3. Check your task network configuration.
- The task cannot pull secrets from AWS Systems Manager Parameter Store. Check your network connection between the task and AWS Systems Manager.
- The task can’t pull secrets from AWS Secrets Manager. There is a connection issue between the task and Secrets Manager. Check your task network configuration.
- The task can’t pull the secret from Secrets Manager. The task can't retrieve the secret with ARN 'secretARN' from Secrets Manager. Check whether the secret exists in the specified Region.
- pull command failed: unable to pull secrets or registry auth. Check your task network configuration.
- The task cannot find the Amazon CloudWatch log group defined in the task definition. There is a connection issue between the task and Amazon CloudWatch. Check your network configuration.
- failed to initialize logging driver
- failed to invoke EFS utils commands to set up EFS volumes
The task cannot pull registry authentication from Amazon ECR. There is a connection issue between the task and Amazon ECR. Check your task network configuration.
This error indicates that the task can't connect to Amazon ECR.
Check the connection between the task and Amazon ECR. For information, see Verifying Amazon ECS stopped task connectivity.
The task can't download the environment variable files from Amazon S3. There is a connection issue between the task and Amazon S3. Check your task network configuration.
This error occurs when your task can't download your environment file from Amazon S3.
Check the connection between the task and the Amazon S3 VPC endpoint. For information, see Verifying Amazon ECS stopped task connectivity.
The task cannot pull secrets from AWS Systems Manager Parameter Store. Check your network connection between the task and AWS Systems Manager.
This error occurs when your task can't pull the image defined in the task definition using the credentials in Systems Manager.
Check the connection between the task and the Systems Manager VPC endpoint. For information, see Verifying Amazon ECS stopped task connectivity.
The task can’t pull secrets from AWS Secrets Manager. There is a connection issue between the task and Secrets Manager. Check your task network configuration.
This error occurs when your task can't pull the image defined in the task definition using the credentials in Secrets Manager.
The error indicates that there is a network connectivity issue between the Systems Manager VPC endpoint and the task.
For information about how to verify the connectivity between the task and the endpoint, see Verifying Amazon ECS stopped task connectivity.
The task can’t pull the secret from Secrets Manager. The task can't retrieve the secret with ARN 'secretARN' from Secrets Manager. Check whether the secret exists in the specified Region.
This error occurs when your task can't pull the image defined in the task definition using the credentials in Secrets Manager.
This issue is caused by one of the following reasons:
Error cause... | Do this... |
---|---|
Network connectivity issue between the Secrets Manager VPC endpoint and the task. The problem is a network issue when you see any of the following strings in the error message: | Verify the connectivity between the task and the Secrets Manager endpoint. For more information, see Verifying Amazon ECS stopped task connectivity. |
The task execution role defined in the task definition doesn't have the permissions for Secrets Manager. | Add the required permissions for Secrets Manager to the task execution role. For more information, see Secrets Manager or Systems Manager permissions. |
The secret ARN doesn't exist | Check that the ARN exists in Secrets Manager. For information about viewing your images, see Find secrets in Secrets Manager in the Secrets Manager Developer Guide. |
pull command failed: unable to pull secrets or registry auth. Check your task network configuration.
This error occurs when your task can't connect to Amazon ECR, Systems Manager, or Secrets Manager. This is due to a misconfiguration in your network.
To fix this issue, verify the connectivity between the task and Amazon ECR. You also need to check connectivity between your task and the service that stores your secret (Systems Manager or Secrets Manager). For more information, see Verifying Amazon ECS stopped task connectivity.
The task cannot find the Amazon CloudWatch log group defined in the task definition. There is a connection issue between the task and Amazon CloudWatch. Check your network configuration.
This error occurs when your task fails to find the CloudWatch log group you defined in the task definition.
The error indicates that there is a network connectivity issue between the CloudWatch VPC endpoint and the task.
For information about how to verify the connectivity between the task and the endpoint, see Verifying Amazon ECS stopped task connectivity.
failed to initialize logging driver
This error occurs when your task fails to find the CloudWatch log group you defined in the task definition.
The error indicates that the CloudWatch group in the task definition does not exist.
Use the following steps to find the missing CloudWatch log group.
- Run the following command to get the task definition information.

      aws ecs describe-task-definition \
          --task-definition task-def-name

  Look at the output for each container and note the awslogs-group value.

      "logConfiguration": {
          "logDriver": "awslogs",
          "options": {
              "awslogs-group": "/ecs/example-group",
              "awslogs-create-group": "true",
              "awslogs-region": "us-east-1",
              "awslogs-stream-prefix": "ecs"
          },

  Verify that the group exists in CloudWatch. For more information, see Working with log groups and log streams in the Amazon CloudWatch Logs User Guide.
  The issue is either that the group specified in the task definition is incorrect, or the log group does not exist.
- Fix the issue.

The issue is... | Do this... |
---|---|
The incorrect log group is specified in the task definition. | Update the task definition to include the log group configuration in the container definition. For information about updating the task definition, see Updating an Amazon ECS task definition using the console or RegisterTaskDefinition in the Amazon Elastic Container Service API Reference. |
The log group does not exist in CloudWatch | Create the log group. For more information, see Create a log group in CloudWatch Logs in the Amazon CloudWatch Logs User Guide. |
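
The check described in the steps above can be run offline against saved CLI output. The following Python is an added example, not part of the AWS documentation: the function names and the sample task definition and log group names are constructed for illustration, and it assumes you have the describe-task-definition output and a per-Region set of existing log group names.

```python
import json

# Constructed sample: trimmed `aws ecs describe-task-definition` output.
SAMPLE_TASK_DEF = json.loads("""
{"taskDefinition": {"containerDefinitions": [
  {"name": "web", "logConfiguration": {"logDriver": "awslogs", "options": {
     "awslogs-group": "/ecs/example-group", "awslogs-region": "us-east-1",
     "awslogs-stream-prefix": "ecs"}}},
  {"name": "worker", "logConfiguration": {"logDriver": "awslogs", "options": {
     "awslogs-group": "/ecs/wrong-group", "awslogs-region": "us-east-1",
     "awslogs-stream-prefix": "ecs"}}},
  {"name": "init", "logConfiguration": {"logDriver": "awslogs", "options": {
     "awslogs-group": "/ecs/new-group", "awslogs-create-group": "true",
     "awslogs-region": "us-east-1", "awslogs-stream-prefix": "ecs"}}},
  {"name": "sidecar"}
]}}
""")
# Constructed sample: log group names that exist, keyed by Region
# (for example collected with `aws logs describe-log-groups`).
SAMPLE_EXISTING = {"us-east-1": {"/ecs/example-group", "/ecs/wrong-group-old"}}


def awslogs_groups(task_def_output):
    """Yield (container, group, region, create_group) for awslogs containers."""
    for c in task_def_output["taskDefinition"]["containerDefinitions"]:
        cfg = c.get("logConfiguration") or {}
        if cfg.get("logDriver") != "awslogs":
            continue  # no log driver, or a different one: nothing to verify
        opts = cfg.get("options") or {}
        yield (c["name"], opts.get("awslogs-group"), opts.get("awslogs-region"),
               opts.get("awslogs-create-group", "false").lower() == "true")


def missing_log_groups(task_def_output, existing_by_region):
    """Return one finding per container whose log group is not in its Region."""
    findings = []
    for name, group, region, create in awslogs_groups(task_def_output):
        if group in existing_by_region.get(region, set()):
            continue
        # With awslogs-create-group the group is created at launch, which
        # requires logs:CreateLogGroup on the task execution role.
        action = ("created at launch; execution role needs logs:CreateLogGroup"
                  if create else "create the group or correct awslogs-group")
        findings.append({"container": name, "group": group,
                         "region": region, "action": action})
    return findings


if __name__ == "__main__":
    for finding in missing_log_groups(SAMPLE_TASK_DEF, SAMPLE_EXISTING):
        print(finding)
```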
failed to invoke EFS utils commands to set up EFS volumes
The following issues might prevent you from mounting your Amazon EFS volumes on your tasks:
- The Amazon EFS file system isn't configured correctly.
- The task doesn't have the required permissions.
- There are issues related to network and VPC configurations.
For information about how to debug and fix this issue, see Why can't I mount my Amazon EFS volumes on my AWS Fargate tasks.