Samuel Neff

Reputation: 74909

Fargate task getting CannotPullContainerError even with NAT gateway defined

I'm getting CannotPullContainerError trying to launch an ECS Fargate task through an AWS Step Function. The docs here say to add a NAT gateway to the subnet. I've done that and still get this error.

I'm using a private subnet, public IP disabled, and have a NAT gateway defined. I have a route table defined to map 0.0.0.0/0 to the NAT Gateway and this route table is associated with the subnet. Associated security group and network ACL allow all outbound traffic. The VPC has DNS resolution enabled.

I've reviewed these related questions:

AWS Fargate - CannotPullContainerError (500)?

Fargate error: cannot pull container hosted in ECR from a private subnet

Fargate Task with Nat Gateway fails to connect with RDS database

Executing Step Function "Tasks" using ECS Fargate

Is there something else I'm missing? I've seen lots of questions here but have already addressed the things mentioned (usually NAT gateway and route table).

Error:

    CannotPullContainerError: Error response from daemon: 
    Get https://123456789012.dkr.ecr.us-west-2.amazonaws.com/v2/:
    net/http: request canceled while waiting for connection
    (Client.Timeout exceeded while awaiting headers)"

Hopefully useful information:

    subnetId: subnet-015a0400000000
    networkInterfaceId: eni-04e50000000
    privateIPv4Address: 10.51.17.8-2c
    ClusterArn: arn:aws:ecs:us-west-2:951740000000:cluster/step-function-executor
    ContainerArn: arn:aws:ecs:us-west-2:951740000000:container/08450000000",
    Image: 951740000000.dkr.ecr.us-west-2.amazonaws.com/step-function-image:latest
    NetworkBindings: []
    NetworkInterfaces:
        AttachmentId: 4a3b0000000
        PrivateIpv4Address": 10.51.17.8
    TaskArn: arn:aws:ecs:us-west-2:951740000000:task/690d0000000
    TaskDefinitionArn: arn:aws:ecs:us-west-2:951740000000:task-definition/step-function-xyz
    LaunchType: FARGATE
    PullStartedAt: 1599440424569
    PullStoppedAt: 1599440513569

Route table:

    Destination       Target
    -------------     ---------------
    10.41.0.0./16     local
    0.0.0.0/0         nat-046d0000000

NAT Gateway

    Gateway ID: nat-046d0000000
    Private IP: 10.51.x.x
    Elastic IP Address: 52.13.x.x

Upvotes: 0

Views: 547

Answers (1)

Samuel Neff

Reputation: 74909

In the end the problem was with security groups. I added an existing security group to the AWS Step Function definition and that resolved the problem.

Upvotes: 1
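Added example, not part of the original question or answer: a Python check that reads a Step Functions definition and `aws ec2 describe-security-groups` output and flags ECS RunTask states whose security groups would not let the task reach ECR over HTTPS through the NAT gateway. The state names, subnet and group IDs are constructed placeholders, and the check is simplified to look only for egress to 0.0.0.0/0, so a narrower CIDR or a prefix list that happens to cover ECR is not recognised.

```python
# Constructed sample: Step Functions states that launch Fargate tasks (placeholder IDs).
DEFINITION = {"States": {
    "NoGroup": {"Type": "Task", "Resource": "arn:aws:states:::ecs:runTask.sync",
                "Parameters": {"NetworkConfiguration": {"AwsvpcConfiguration": {
                    "Subnets": ["subnet-EXAMPLE"], "AssignPublicIp": "DISABLED"}}}},
    "DbOnly": {"Type": "Task", "Resource": "arn:aws:states:::ecs:runTask.sync",
               "Parameters": {"NetworkConfiguration": {"AwsvpcConfiguration": {
                   "Subnets": ["subnet-EXAMPLE"], "SecurityGroups": ["sg-dbonly"]}}}},
    "Open": {"Type": "Task", "Resource": "arn:aws:states:::ecs:runTask.sync",
             "Parameters": {"NetworkConfiguration": {"AwsvpcConfiguration": {
                 "Subnets": ["subnet-EXAMPLE"], "SecurityGroups": ["sg-open"]}}}},
}}
# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-dbonly", "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-open", "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]}

def task_security_groups(definition):
    """Yield (state name, security group IDs) for every ECS RunTask state."""
    for name, state in definition.get("States", {}).items():
        if "ecs:runTask" in state.get("Resource", ""):
            net = state.get("Parameters", {}).get("NetworkConfiguration", {})
            yield name, net.get("AwsvpcConfiguration", {}).get("SecurityGroups", [])

def allows_https_egress(group):
    """True if an egress rule permits TCP 443 to 0.0.0.0/0 (the ECR pull path via NAT)."""
    for perm in group.get("IpPermissionsEgress", []):
        proto = perm.get("IpProtocol")
        port_ok = proto == "-1" or (
            proto == "tcp" and perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 65535))
        if port_ok and any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
            return True
    return False

def audit(definition, groups):
    """Return (state, finding) pairs; rules of all attached groups are additive."""
    by_id = {g["GroupId"]: g for g in groups["SecurityGroups"]}
    findings = []
    for name, sg_ids in task_security_groups(definition):
        if not sg_ids:  # ECS then attaches the VPC's default security group
            findings.append((name, "no SecurityGroups set; review the VPC default group"))
        elif not any(allows_https_egress(by_id[s]) for s in sg_ids if s in by_id):
            findings.append((name, "no attached group allows TCP 443 egress to 0.0.0.0/0"))
    return findings
```
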
