6

I am using Docker containers with secrets on ECS, without problems. After moving to Fargate and platform 1.4 for EFS support, I started getting the following error.

Any help please?

ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve secret from asm: service call has been retried 1 time(s): secret arn:aws:secretsmanager:eu-central-1:.....

Rob Daalman

2 Answers

4

Here's a checklist:

  1. If your ECS tasks are in a public subnet (0.0.0.0/0 routes to Internet Gateway) make sure your tasks can call the "public" endpoint for Secrets Manager. Basically, outbound TCP/443.
  2. If your ECS tasks are in a private subnet, make sure that one of the following is true: (a) your instances connect to the Internet through a NAT gateway (0.0.0.0/0 routes to NAT gateway), or (b) you have an AWS PrivateLink endpoint for Secrets Manager connected to your VPC (and to your subnets).
  3. If you have an AWS PrivateLink connection, make sure the associated Security Group has inbound access from the security groups linked to your ECS tasks.
  4. Make sure you have set GetSecretValue IAM permission to the ARN(s) of the secrets manager entry(or entries) set in the ECS "tasks role".

Edit: Here's another excellent answer - https://stackoverflow.com/a/66802973

eternaltyro
  • Thank you. The first point is what solved it for me. It wasn't really obvious that ECS tries to reach Secrets Manager, so that makes sense. – squeekyDave Apr 04 '23 at 20:44
  • THANK YOU for pointing me in the right direction! I had an ECS task in a public subnet, with a sec group configured to allow ALL egress traffic, and still could not pull secrets from ASM/SSM. Turned out the fix was to allow INGRESS traffic on 443 to the ECS service/task, for...some reason. – EvanK Apr 10 '23 at 23:46
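An offline check for items 3 and 4 of this checklist, added here as an example and not part of the answer: it evaluates the security-group JSON that `aws ec2 describe-security-groups` returns for the endpoint's group and the policy document attached to the task execution role (the role ECS uses to fetch `secrets` at task start). All IDs and ARNs below are constructed placeholders.

```python
import fnmatch

# Constructed sample data: security group IDs, account number and ARNs are placeholders.
TASK_SG_ID = "sg-0aaa111task"
SECRET_ARN = "arn:aws:secretsmanager:eu-central-1:123456789012:secret:prod/db-AbCdEf"

# One entry from `aws ec2 describe-security-groups` for the PrivateLink endpoint's SG.
ENDPOINT_SG = {
    "GroupId": "sg-0bbb222endpoint",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "UserIdGroupPairs": [{"GroupId": TASK_SG_ID}], "IpRanges": []},
    ],
}

# Policy on the task execution role. Secrets Manager appends a random suffix to the
# secret ARN, so the resource is matched with a trailing wildcard.
EXEC_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:eu-central-1:123456789012:secret:prod/db-*"},
    ],
}

def endpoint_allows_task_sg(endpoint_sg, task_sg_id, port=443):
    """Item 3: the endpoint SG must allow inbound TCP/443 from the task's SG."""
    for perm in endpoint_sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "tcp" and not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
            continue
        if proto not in ("tcp", "-1"):   # "-1" means all protocols
            continue
        if any(p.get("GroupId") == task_sg_id for p in perm.get("UserIdGroupPairs", [])):
            return True
    return False

def _as_list(v):
    return [v] if isinstance(v, str) else list(v)

def policy_allows_get_secret(policy, secret_arn):
    """Item 4: the policy must allow secretsmanager:GetSecretValue on the secret ARN.
    Models Action/Resource/Effect only; NotAction, NotResource and Conditions are ignored."""
    allowed = False
    for stmt in policy.get("Statement", []):
        # IAM wildcards '*' and '?' map onto fnmatch; action names are case-insensitive.
        hit = (any(fnmatch.fnmatchcase("secretsmanager:getsecretvalue", a.lower())
                   for a in _as_list(stmt.get("Action", [])))
               and any(fnmatch.fnmatchcase(secret_arn, r) for r in _as_list(stmt.get("Resource", []))))
        if hit and stmt["Effect"] == "Deny":
            return False              # an explicit Deny overrides any Allow
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed
```

Feed it the real `describe-security-groups` entry and `get-role-policy` document to reproduce the two checks against your own setup.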
0

I had the same error message, but the checklist above misses the cause of my problem. If you are using VPC endpoints to access AWS services (i.e., Secrets Manager, ECR, SQS, etc.), then those endpoints MUST permit access from the security group that is associated with the VPC subnet that your ECS instance is running in.

Another thing to watch out for: if you are using EFS to host volumes, ensure that your volumes can be mounted by the same security group identified above. Go to EFS, select the appropriate file system, Network tab, then Manage.

Dharman
Andrew Selby