Network misconfigurations are the most common cause of issues. See access requirements first.
Symptoms: ROLLBACK_COMPLETE or ROLLBACK_IN_PROGRESS with errors like Parameter validation failed: parameter value for EC2RunnerInstancesSubnet does not exist.
Fix: Ensure you select a VPC, at least one availability zone, and subnets across multiple AZs.
Runner task fails
Symptoms:
CREATE_FAILED with ECS Deployment Circuit Breaker was triggeredResourceInitializationError in task logs- Cannot pull images or access AWS services
Fix:
- Verify VPC has Internet Gateway or NAT Gateway
- Update route tables (public → IGW, private → NAT)
- For private subnets, add VPC endpoints for Secrets Manager, S3, ECR
- Check security groups allow outbound HTTPS
Instance type not available
Symptoms: Error like “m6i.xlarge is not available in us-east-1e”
Fix:
Unexpected costs
Symptoms: Unexpected AWS charges, or continued billing after deleting a runner.
Fix:
- See managing costs to identify resources
- After deleting a runner, verify the CloudFormation stack is fully deleted
- Check for residual EC2 instances or EBS volumes and delete manually
SSM access blocked
Symptoms:
- Environments fail with
AWS account policy blocks ssm:SendCommand
- Runner marked as degraded
- Slow startup (cache credentials can’t refresh)
Cause: Service Control Policies (SCPs) blocking SSM access. The runner needs ssm:SendCommand and ssm:GetCommandInvocation permissions.
Fix: Request your AWS administrator add an exception for the runner’s IAM role:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["ssm:SendCommand", "ssm:GetCommandInvocation"],
"Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ssm:*:*:command/*"]
}]
}
Prebuilds fail due to policy restrictions
Symptoms:
- Prebuilds fail with
AWS Service Control Policy blocks ec2:CreateSnapshot
- Prebuilds fail with
AWS IAM policy does not allow ec2:CreateSnapshot
- Similar errors for
ec2:RegisterImage, ec2:DescribeSnapshots, or ec2:DescribeImages
Cause: Prebuilds require creating EBS snapshots and AMIs. These operations can be blocked by:
- Service Control Policies (SCPs) - Organization-level policies that deny EC2 snapshot/AMI actions
- IAM policies - The runner’s IAM role is missing required permissions (outdated CloudFormation stack)
Fix for SCP restrictions
Request your AWS administrator to allow these actions for the runner’s IAM role in the SCP:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"ec2:CreateSnapshot",
"ec2:RegisterImage",
"ec2:DescribeSnapshots",
"ec2:DescribeImages",
"ec2:DeleteSnapshot",
"ec2:DeregisterImage"
],
"Resource": "*"
}]
}
Fix for IAM policy restrictions
Update your CloudFormation stack to the latest version. The latest stack template includes all required IAM permissions for prebuilds.
Custom CA certificate issues
The ca-trust-init container in the Runner’s ECS task logs can help diagnose CA issues. Check its Status (it should show STOPPED with exit code 0) and its Logs for errors and warnings.
Environment stops shortly after starting
Symptoms: Environment starts but stops within seconds. No error is visible in the Ona dashboard.
Cause: The environment instance failed to download or parse the CA bundle. The instance shuts down when this fails.
Fix:
- Verify the CA bundle source (S3 bucket or HTTPS URL) is accessible from the runner’s VPC
- For S3 URLs, ensure the bucket name starts with
gitpod- — the runner’s IAM role only has access to buckets matching gitpod-*
- Confirm the S3 object exists and the path in the
CustomCATrustBundle parameter is correct
- Verify the CA bundle is valid PEM — the
-----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- delimiters must each be on their own line
- Verify the CA bundle does not contain invalid content, such as displaying metadata before
-----BEGIN CERTIFICATE-----
User data is limited to 16384 bytes
Symptoms: Environment creation fails with "User data is limited to 16384 bytes"
Cause: The CustomCATrustBundle CloudFormation parameter uses an SSM dynamic reference ({{resolve:ssm:...}}), which embeds the full PEM certificate content into EC2 user data. CA bundles with multiple certificates exceed the 16 KB AWS limit.
Fix: Switch to an S3 URL for the trust bundle:
- Create an S3 bucket with a name starting with
gitpod- (e.g. gitpod-myorg)
- Upload your CA bundle to
s3://gitpod-myorg/shared/ca-bundle.pem
- Update the
CustomCATrustBundle CloudFormation parameter to s3://gitpod-myorg/shared/ca-bundle.pem
- Update the CloudFormation stack
See Custom CA Certificate for details on all supported formats.
CA not trusted in devcontainer builds
Symptoms: Devcontainer image builds or feature installs fail with TLS certificate errors, even though the custom CA works for other operations.
Cause: Custom CA certificates are applied to the runner and environment host but not injected into devcontainer build phases. Docker builds run in an isolated context that does not inherit the host’s CA trust store.
Fix: Add your CA certificates directly to your devcontainer image:
COPY my-ca-bundle.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates
Network connectivity issues
Checklist:
- Security groups: port 29222 (SSH), outbound HTTPS, port 22999 (internal)
- Route tables: public subnets → IGW, private subnets → NAT
- Network ACLs: not blocking required traffic
- DNS: VPC DNS resolution enabled, can resolve
app.gitpod.io
Test connectivity:
# Health endpoint (should return 200)
curl -v https://<your-domain>/_health
# Required endpoints
curl -I https://app.gitpod.io
curl -I https://public.ecr.aws
Restart runner after network changes
After changing security groups, route tables, or VPC endpoints, restart the runner:
Console: ECS console → Clusters → your cluster → Services → Update → check Force new deployment
CLI:
aws ecs update-service --cluster YOUR_CLUSTER_NAME --service YOUR_SERVICE_NAME --force-new-deployment
Getting help
Use the support chat (bubble icon in bottom-right). Include:
- Runner ID and version (from Settings → Runners →
... menu)
- CloudFormation stack name and region
- Runner logs from CloudWatch (ECS task logs)
