Fargate task stuck in PENDING state due to missing IAM role permissions

ruthengineer · August 29, 2025, 8:16pm

I’m trying to deploy a Fargate task but it’s stuck in PENDING state and never transitions to RUNNING. The task definition references a private ECR repository for the container image. When I check the stopped tasks, I see the error “CannotPullContainerError: pull image manifest has been retried 5 times”.

I’ve verified the image exists in ECR and I can pull it manually using docker login with ECR credentials. The task execution role has the AmazonECSTaskExecutionRolePolicy attached. Here’s what my task definition looks like:


"executionRoleArn": "arn:aws:iam::123456789:role/ecsTaskExecutionRole",
"containerDefinitions": [{
  "image": "123456789.dkr.ecr.us-east-1.amazonaws.com/my-app:latest"
}]

I’m not sure what’s wrong with the IAM setup. The role has the AWS managed policy, so shouldn’t that be enough for ECR access?

angela_coder · August 31, 2025, 6:24am

The AmazonECSTaskExecutionRolePolicy should cover ECR access, but there might be additional restrictions. Check if your ECR repository has a repository policy that restricts access. Also, make sure your task execution role’s trust policy allows ecs-tasks.amazonaws.com to assume it. Sometimes the trust relationship gets misconfigured during role creation.

amandalead · September 15, 2025, 9:14am

Make sure you’re also checking CloudWatch Logs for the actual error messages. Enable logging in your task definition with awslogs driver, and you’ll get more detailed error messages that can point to exactly what permission is missing. The generic CannotPullContainerError doesn’t always tell the full story, especially when KMS or cross-account access is involved.

brandon_guru · August 31, 2025, 2:16pm

I ran into this exact issue last month. The problem was that my ECR repository was encrypted with a custom KMS key, and the task execution role didn’t have permissions to use that key. If you’re using KMS encryption on your ECR repo, you need to add kms:Decrypt permissions to the execution role for the specific KMS key. Check your ECR repository encryption settings in the console.

davidlead · September 15, 2025, 1:05am

You need to add an inline policy to your task execution role that grants kms:Decrypt permission for your specific KMS key. Also check the KMS key policy itself - it needs to allow the IAM role to use it. Sometimes the key policy is locked down and you need to update both sides. The role policy alone isn’t enough if the key policy explicitly denies access.

charlesbuilder · September 1, 2025, 1:15am

Good catch Kevin! I checked and yes, the ECR repository is using a custom KMS key for encryption. I didn’t realize that required additional IAM permissions beyond the standard execution role policy. How do I add those KMS permissions to the role?

charlesbuilder · September 16, 2025, 1:11pm

Let me provide a comprehensive solution since this involves multiple IAM components that all need to align correctly.

IAM Execution Role Setup: Your task execution role needs three key permission sets. First, verify the trust policy allows ECS to assume the role:

{
  "Effect": "Allow",
  "Principal": {"Service": "ecs-tasks.amazonaws.com"},
  "Action": "sts:AssumeRole"
}

ECR Image Permissions: The AWS managed policy AmazonECSTaskExecutionRolePolicy covers basic ECR access, but if you’re using KMS encryption (which you are), add this inline policy:

{
  "Effect": "Allow",
  "Action": ["kms:Decrypt", "kms:DescribeKey"],
  "Resource": "arn:aws:kms:us-east-1:123456789:key/your-key-id"
}

KMS Key Policy Configuration: Your KMS key policy must also allow the execution role. Edit the key policy to include:

{
  "Sid": "AllowECSTaskExecution",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::123456789:role/ecsTaskExecutionRole"},
  "Action": ["kms:Decrypt", "kms:DescribeKey"],
  "Resource": "*"
}

Task Definition Configuration: Ensure your task definition properly references the execution role and includes logging for troubleshooting:

"executionRoleArn": "arn:aws:iam::123456789:role/ecsTaskExecutionRole",
"containerDefinitions": [{
  "logConfiguration": {
    "logDriver": "awslogs",
    "options": {
      "awslogs-group": "/ecs/my-app",
      "awslogs-region": "us-east-1"
    }
  }
}]

Verification Checklist:

Confirm execution role has AmazonECSTaskExecutionRolePolicy attached
Add KMS decrypt permissions to execution role (inline policy)
Update KMS key policy to allow execution role
Verify ECR repository policy doesn’t restrict the role
Check that image URI in task definition is correct and includes full path
Enable CloudWatch Logs to see detailed error messages

Common Issues:

Cross-account ECR access requires additional repository policies
VPC endpoints for ECR must be configured if using private subnets without NAT
Image tag must exist (“latest” might not be present)
Region mismatch between ECR repository and Fargate task

After updating both the IAM role policy and KMS key policy, create a new task definition revision and launch a new task. The PENDING state should resolve within 30-60 seconds if permissions are correct. Monitor the stopped tasks section - if it still fails, the error message should now be more specific about what’s missing.

The key insight here is that KMS-encrypted ECR repositories require bidirectional permission grants: the IAM role needs KMS permissions, AND the KMS key policy must allow the role. Both must be configured or image pulls will fail.

Topic		Replies	Views
EFS mount fails on ECS containers, causing ALB health check failures and service instability Amazon Web Services (AWS) question , storage , networking , aws-2019 , ecs , nfs , health-checks , efs , mount-fail	5	0	March 30, 2025
Automated compliance pipeline deployment fails in cloud environment MasterControl Quality Excellence question , compliance , cloud-deployment , deployment-automation , devops-deployment , iam-permissions , mc-2022-1 , gitlab-ci-cd , artifact-storage	6	0	March 17, 2025
Security group egress rules block ECS task containers from accessing external APIs Amazon Web Services (AWS) question , compute , networking , security , aws-2019 , security-groups , ecs , nat-gateway , egress-rules	3	0	January 1, 2025
IAM policy blocks Athena query access to S3 bucket: AccessDenied error when running analytics workloads Amazon Web Services (AWS) question , analytics , security , aws-2019 , json , s3 , access-denied , athena , iam-policy	6	0	September 23, 2025
IAM policy blocks Athena query access to S3 bucket: AccessDenied errors on analytics jobs Amazon Web Services (AWS) question , analytics , security , aws-2019 , json , s3 , access-denied , bucket-policy , athena	6	1	June 14, 2025
IAM policy blocks cross-account access to KMS-encrypted S3 bucket for data export jobs Amazon Web Services (AWS) question , security , devops-auto , iam , aws-2019 , json , s3 , access-denied , kms	5	1	September 12, 2025
Access denied error when Greengrass v2 component loads ML model from S3 AWS IoT question , security-policy , python , access-denied , iam-role , gg-v2 , greengrass-component , analytics-ml , s3-permissions	3	0	May 16, 2025
CloudWatch dashboard metrics not updating after ECS service deployment with custom metrics Amazon Web Services (AWS) question , devops-auto , iam , metrics , observability , aws-2020 , json , ecs , monitoring-gap	3	0	December 6, 2024
Container pod fails to pull image from OCI Registry due to IAM policy misconfiguration (403 Access Denied) Oracle Cloud question , security , kubernetes , oci-2021 , access-denied , iam-policy , container-servi , oci-registry , dynamic-groups	4	0	June 1, 2025

Fargate task stuck in PENDING state due to missing IAM role permissions

Related topics