
Fix: ECS Fargate Task Stuck in PENDING — the 5 Real Causes

An ECS Fargate task stuck in PENDING almost always comes down to one of five things. Here's how to diagnose and fix each, fast.

Your task sits in PENDING and never reaches RUNNING. No application logs, because the container never started. This is one of the most common — and most frustrating — ECS Fargate issues, and it's nearly always one of five root causes.

Work through them in this order.

1. The task can't pull the image

If your task runs in private subnets with no route to ECR, the image pull hangs.

Fargate needs network egress to ECR, ECR's S3 backing bucket, and CloudWatch Logs — either via a NAT gateway (public route) or VPC endpoints (private route). Missing one of these is the #1 cause.

Check the stopped-task reason:

aws ecs describe-tasks --cluster my-cluster --tasks <task-id> \
  --query "tasks[0].stoppedReason"

A CannotPullContainerError confirms it. Add the three interface endpoints com.amazonaws.<region>.ecr.api, com.amazonaws.<region>.ecr.dkr and com.amazonaws.<region>.logs, plus the S3 gateway endpoint.

2. No public IP, no route out

On a public subnet, a Fargate task needs assignPublicIp: ENABLED to reach the internet at all. Forget it and the pull silently stalls.

aws ecs run-task --cluster my-cluster --launch-type FARGATE \
  --task-definition <task-definition> \
  --network-configuration \
  "awsvpcConfiguration={subnets=[subnet-abc],assignPublicIp=ENABLED}"

3. The task execution role is missing permissions

The execution role (not the task role) pulls the image and writes logs. It needs the AmazonECSTaskExecutionRolePolicy managed policy. Without it you get CannotPullContainerError or a logs-driver failure.

4. No capacity / subnet has no free IPs

awsvpc mode gives every task its own ENI, which consumes a subnet IP. A /28 subnet exhausts fast. Check available IPs and spread tasks across larger subnets.

5. Security group or NACL blocks egress

The task's security group must allow outbound 443. A locked-down NACL or SG that only allows inbound will leave you stuck in PENDING with no obvious error.
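The network-side causes (1, 2, 4 and 5) can be checked before a task is launched. The following is an added example, not code from the original article: it evaluates data shaped like the output of `aws ec2 describe-subnets`, `describe-security-groups`, `describe-route-tables` and `describe-vpc-endpoints`. The function names and sample values are assumptions made up for illustration, and it does not inspect NACLs or the execution role.

```python
# Added example: offline pre-flight check for PENDING causes 1, 2, 4 and 5.
# Inputs mirror fields of `aws ec2 describe-subnets`, `describe-security-groups`,
# `describe-route-tables` and `describe-vpc-endpoints`; helper names are hypothetical.
REQUIRED_ENDPOINTS = ("ecr.api", "ecr.dkr", "logs", "s3")

def sg_allows_https_out(sg):
    """True if any egress rule covers TCP 443 to at least one destination."""
    for rule in sg.get("IpPermissionsEgress", []):
        dests = [rule.get(k) for k in ("IpRanges", "Ipv6Ranges", "PrefixListIds", "UserIdGroupPairs")]
        if not any(dests):
            continue
        if rule["IpProtocol"] == "-1":  # all protocols, all ports
            return True
        if rule["IpProtocol"] == "tcp" and rule["FromPort"] <= 443 <= rule["ToPort"]:
            return True
    return False

def egress_findings(routes, endpoint_services, assign_public_ip):
    """Decide whether the subnet has a path to ECR, S3 and CloudWatch Logs."""
    default = next((r for r in routes if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
    if default and default.get("NatGatewayId"):
        return []  # private subnet routed through a NAT gateway
    if default and default.get("GatewayId", "").startswith("igw-"):
        return [] if assign_public_ip else ["cause 2: public subnet but assignPublicIp is not ENABLED"]
    have = {name.split(".", 3)[-1] for name in endpoint_services}
    missing = [e for e in REQUIRED_ENDPOINTS if e not in have]
    if missing:
        return ["cause 1: no NAT or internet gateway route and missing VPC endpoints: " + ", ".join(missing)]
    return []

def preflight(subnet, sg, routes, endpoint_services, assign_public_ip, tasks_wanted=1):
    """Return a list of findings; an empty list means no network-side cause was detected."""
    findings = egress_findings(routes, endpoint_services, assign_public_ip)
    if subnet["AvailableIpAddressCount"] < tasks_wanted:
        findings.append(f"cause 4: {subnet['SubnetId']} has too few free IPs")
    if not sg_allows_https_out(sg):
        findings.append(f"cause 5: {sg['GroupId']} has no outbound rule for 443")
    return findings

# Constructed sample: a private /28 with no NAT, two of four endpoints, empty SG egress.
SUBNET = {"SubnetId": "subnet-abc", "CidrBlock": "10.0.1.0/28", "AvailableIpAddressCount": 0}
SG = {"GroupId": "sg-example", "IpPermissionsEgress": []}
ROUTES = [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]
ENDPOINTS = ["com.amazonaws.us-east-1.ecr.api", "com.amazonaws.us-east-1.s3"]

if __name__ == "__main__":
    for finding in preflight(SUBNET, SG, ROUTES, ENDPOINTS, assign_public_ip=False):
        print(finding)
```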

The fast diagnostic loop

Always start here — the stopped reason tells you which of the five you're hitting:

aws ecs describe-tasks --cluster my-cluster --tasks <task-id> \
  --query "tasks[0].{last:lastStatus,desired:desiredStatus,reason:stoppedReason}"

Build the mental model once

Most PENDING issues are really networking issues — and they stop being mysterious once you've stood up a Fargate service end to end with the right VPC wiring. The weekend workshop below does exactly that.
