How do I use a Lambda function to create the correct Amazon EFS access point configuration to mount my file system?

3 minute read

I want to use AWS Lambda to create an Amazon Elastic File System (Amazon EFS) access point mount.

Resolution

Prerequisites

The Lambda function's execution role must have elasticfilesystem:ClientMount permission for read and write connections and elasticfilesystem:ClientWrite permission for write-only connections.
Connect the Lambda function to the virtual private cloud (VPC) where you created your file system's mount targets.
Your AWS Identify and Access Management (IAM) user must have elasticfilesystem:DescribeMountTargets permission. For more information, see Configuring a file system and access point.
Allow inbound NFS traffic (port 2049) for the source VPC CIDR in the security group for the EFS file system.

Create an access point with Lambda

To use Lambda to create an access point, see Connecting to a file system (console).

Amazon EFS automatically creates the root directory with configurable ownership and permissions only when you provide the following information:

OwnUid
OwnGID
Permissions for the directory (creation info)

Note: When you set a user or group ID to 0 in the access point, Amazon EFS considers it the root user. For more information, see Creating the root directory for an access point.

Amazon EFS access point configuration examples

The root directory of the access point is /efsaccesspoint. You use the same configuration to mount fs-12345678:/ with the access point as you do to mount fs-12345678:/efsaccesspoint without the access point.

Working configurations

Configuration 1:

Root directory path: /efs ( /efs doesn't exist)
POSIX user: EMPTY
Creation Info: 1000:1000(777)

Configuration 2:

Root directory path: /efs ( /efs doesn't exist)
POSIX user: 1000:1000
Creation Info: 1000:1000 (777,775,755)

Configuration 3:

Root directory path: /efs ( /efs exists)
POSIX user: 1000:1000
Creation Info: EMPTY

Configuration 4:

Root directory path: /efs (/efs doesn't exist)
POSIX user: 0:0
Creation Info: 1000:1000 (755)

Configuration 5:

Root directory path: /efs ( /efs doesn't exist)
POSIX user: 0:0
Creation Info: 1000:1000 (775)

Configuration 6:

Root directory path: /efs ( /efs doesn't exist)
POSIX user: 0:0
Creation Info: 1000:1000 (777)

Non-working configurations

You receive an error message when you use a Lambda function to access Amazon EFS with the following access point configuration:

Root directory path: /efs ( /efs doesn't exist)
POSIX user: 1000:1000
Creation Info: EMPTY

If you require write operations from a Lambda function to an Amazon EFS mounted path, then you must provide POSIX user information. Otherwise, write operations fail with Permission denied errors.

Related information

Working with Amazon EFS access points

Topics

Storage

Relevant content

Cross account efs access point mount on lambda with root path as "/"
Accepted Answer
harbindersingh
asked a year ago
How can lambda mount a file system from a different account
Yan Hrushchynskyi
asked 2 years ago
Why is my EFS File system policy blocking Fargate from mounting the EFS even though it includes the Task Execution Role arn?
Olly
asked 2 years ago
How to mount EFS access point with port forwarding?
dodov
asked 2 years ago
How can I quickly debug a Lambda's failure to mount an EFS access point?
Accepted Answer
AWS-User-4223059
asked a year ago
How can I use Amazon EFS integration to troubleshoot Lambda function invoke issues?
AWS OFFICIALUpdated 8 months ago
How can I use system policies to control access to my EFS file system?
AWS OFFICIALUpdated 9 months ago
Why can't I mount my EFS file system on my EC2 instance?
AWS OFFICIALUpdated 9 months ago
How do I resolve the "Lambda could not update the function's execution role" error when attaching Amazon RDS Proxy to a Lambda function?
AWS OFFICIALUpdated 3 years ago
How do I create an Amazon MSK event source mapping to invoke a Lambda function using a NAT Gateway internet connection?
EXPERT
Hitesh
published 2 months ago