[Prisma Cloud] Getting Error "Failed to generate fargate task... does not have an entrypoint defined..." when deploying defender for ECS Fargate
Created On 01/25/24 07:27 AM - Last Modified 02/05/25 18:26 PM
Symptom
- On the Prisma Cloud Console, you get the error "Failed to generate fargate task... does not have an entrypoint defined..." when generating a protected task definition for ECS Fargate.
Environment
- Prisma Cloud Compute
- Prisma Cloud Runtime Security
- ECS Fargate
- App-embedded Defender
Cause
- The container(s) inside the unprotected task definition do not contain an entryPoint, or contain an empty entryPoint such as:
"entryPoint": [],
- This is a common and valid task definition, as the entrypoint is embedded inside the container image.
Resolution
1. Download (e.g. docker pull) the image(s) used in the task definition. You should be able to find the image name/path in a line like the one below:
   "image": "xxxxxxxx.dkr.ecr.us-west-2.amazonaws.com/aaa/bbb/ddd:v1",
   (Note: If you have multiple containers inside a task definition, you need to repeat the steps for all of the containers that have an empty/missing entryPoint.)
2. Use the command below to get more detail about the image you downloaded in Step 1 (remember to replace <Image ID>):
   docker image inspect <Image ID>
3. From the output of Step 2, look for Entrypoint under ContainerConfig.
4. Copy the whole value of Entrypoint from Step 3 (e.g. ["docker-entrypoint.sh"]) and use it to replace the value of entryPoint in your unprotected task definition.
5. (If applicable) Repeat Steps 1 ~ 4 if your unprotected task definition contains multiple containers that have an empty/missing entryPoint.
6. Paste the modified task definition into the Prisma Cloud Console and click "Generate protected task"; it will work without error.
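The steps above, scripted as an added example (not Palo Alto Networks' or Prisma Cloud's own tooling): it fills each missing or empty entryPoint from `docker image inspect` output and reports containers whose image defines no entrypoint to copy. The function names and sample data are constructed for illustration, and the fallback to `Config.Entrypoint` (which `docker image inspect` also reports) when `ContainerConfig` is absent goes beyond the article's steps.

```python
import json
import subprocess


def inspect_image(image):
    """Return the first object from `docker image inspect <image>` (image must be pulled)."""
    out = subprocess.run(["docker", "image", "inspect", image],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)[0]


def image_entrypoint(inspect_obj):
    """Entrypoint from ContainerConfig (as in the article), else from Config."""
    for section in ("ContainerConfig", "Config"):
        entrypoint = (inspect_obj.get(section) or {}).get("Entrypoint")
        if entrypoint:
            return list(entrypoint)
    return None


def fill_entrypoints(task_def, inspect=inspect_image):
    """Fill missing/empty entryPoint in place; return (filled, unresolved) names."""
    filled, unresolved = [], []
    for container in task_def.get("containerDefinitions", []):
        if container.get("entryPoint"):      # already explicit: leave untouched
            continue
        entrypoint = image_entrypoint(inspect(container["image"]))
        if entrypoint:
            container["entryPoint"] = entrypoint
            filled.append(container["name"])
        else:                                # image sets only Cmd: nothing to copy
            unresolved.append(container["name"])
    return filled, unresolved


# Constructed sample data (not from the article): task definition and inspect output.
SAMPLE_TASK = {"family": "demo", "containerDefinitions": [
    {"name": "web", "image": "example.invalid/web:v1", "entryPoint": []},
    {"name": "api", "image": "example.invalid/api:v1"},
    {"name": "job", "image": "example.invalid/job:v1", "entryPoint": ["/run.sh"]},
]}
SAMPLE_INSPECT = {
    "example.invalid/web:v1": {"ContainerConfig": {"Entrypoint": ["docker-entrypoint.sh"]}},
    "example.invalid/api:v1": {"Config": {"Entrypoint": None, "Cmd": ["node", "app.js"]}},
}

if __name__ == "__main__":
    task = json.loads(json.dumps(SAMPLE_TASK))   # deep copy of the sample
    filled, unresolved = fill_entrypoints(task, inspect=SAMPLE_INSPECT.__getitem__)
    print(json.dumps(task, indent=2))
    print("filled:", filled, "unresolved:", unresolved)
```

Against real images, call `fill_entrypoints(task_def)` with the default `inspect` after pulling each image. Containers returned as unresolved have no Entrypoint in the image metadata, so there is no value to paste into the task definition.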
Additional Information
- How to pull an image from Amazon ECR:
- You can also try the "Automatically extract entrypoint" feature, if your registry can be scanned by Prisma Cloud.