aws-samples / keycloak-on-aws

This is a solution for deploying Keycloak to AWS with high availability.

Home Page: https://www.amazonaws.cn/solutions/keycloak-on-aws/

ECS Service fails to launch on Fargate 1.4.0

seth-xdam opened this issue · comments

When trying to launch the "keycloak-from-existing-vpc" in a region that uses Fargate 1.4.0, the ECS Cluster gets stuck trying to create. Digging into the resource, it continuously tries to run the configured tasks, and fails because:

ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to get registry auth from asm: service call has been retried 5 time(s): asm fetching secret from the service for ...

I have tried making the many possible changes to my existing VPC suggested in this thread with no success, including adding a Secrets Manager endpoint to my VPC, trying both public and private subnets, opening additional ports on related security groups, and even modifying your template to assign public IPs to the ECS Tasks.

Which region do you use?

us-east-1

Hi @seth-xdam

  1. Can you try deploying it in a new VPC? Does it work in your account in us-east-1?
  2. In terms of your existing VPC - does it have public subnets and private subnets with NAT Gateway to the public internet?

I'm in us-east-2 and I'm getting the exact same error using the keycloak-aurora-serverless-from-existing-vpc.template.
I also tried it with the keycloak-from-existing-vpc template and same thing, it always hangs on the ECS Service creation.

After googling the error it seemed to be related to changes AWS made in Fargate 1.4.0, so I downloaded your template and specified version 1.3.0 but it didn't help. Our VPC is a very simple, default setup, we're not doing anything special or unusual but I'm happy to help you troubleshoot. It's unfortunate that you took all the time to put this full example together and it's not working so I'm guessing it's something minor that needs to be tweaked.

I'd really like to get this working because setting it all up manually is going to be a real pain. Is there any way we can short circuit the secrets thing where I set that part up manually in advance and modify the template accordingly?
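
The network paths raised in this thread (public subnet with a public IP, private subnet behind a NAT Gateway, Secrets Manager VPC endpoint) can be checked offline against saved `describe-route-tables` and `describe-vpc-endpoints` output. The following is an added example, not part of any comment above and not the project's code; the function names and sample data are constructed. It assumes an endpoint is only usable with private DNS enabled, and it does not model security groups or the separate path needed to pull the container image.

```python
# Added example; function names and sample data are constructed, not from the issue.
# Dicts follow the shape of EC2 DescribeRouteTables / DescribeVpcEndpoints output.

def default_route_target(route_table):
    """Return 'nat', 'igw' or None for the table's active 0.0.0.0/0 route."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":
            continue  # a blackhole route carries no traffic
        if route.get("NatGatewayId"):
            return "nat"
        if (route.get("GatewayId") or "").startswith("igw-"):
            return "igw"
    return None


def secrets_manager_paths(route_table, endpoints, vpc_id, region, assign_public_ip):
    """List the network paths a task ENI in this subnet has to Secrets Manager."""
    paths = []
    target = default_route_target(route_table)
    if target == "nat":
        paths.append("nat-gateway")
    elif target == "igw" and assign_public_ip:
        # An internet gateway route only helps an ENI that has a public IP.
        paths.append("internet-gateway")
    service = f"com.amazonaws.{region}.secretsmanager"
    for ep in endpoints:
        if (ep.get("VpcId") == vpc_id and ep.get("ServiceName") == service
                and ep.get("State", "").lower() == "available"
                and ep.get("PrivateDnsEnabled")):  # assumption: private DNS required
            paths.append("vpc-endpoint")
            break
    return paths


# Constructed sample data (placeholder IDs)
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
PUBLIC_RT = {"Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                                "GatewayId": "igw-0example", "State": "active"}]}
NAT_RT = {"Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                             "NatGatewayId": "nat-0example", "State": "active"}]}
ISOLATED_RT = {"Routes": [LOCAL]}
SM_ENDPOINT = {"VpcId": "vpc-0example", "State": "available", "PrivateDnsEnabled": True,
               "ServiceName": "com.amazonaws.us-east-1.secretsmanager"}

if __name__ == "__main__":
    # Public subnet, task without a public IP, no endpoint: no path at all.
    print(secrets_manager_paths(PUBLIC_RT, [], "vpc-0example", "us-east-1", False))
```

An empty list means the task ENI in that subnet has none of the three paths to Secrets Manager.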