How can I use Amazon EFS integration to troubleshoot Lambda function invoke issues?


I used Amazon Elastic File System (Amazon EFS) integration to invoke an AWS Lambda function but I received an error message.

Short description

The following configurations are required when you mount Amazon EFS access points with Lambda:

  • The Lambda function's execution role must have the following elasticfilesystem permissions:
    elasticfilesystem:ClientMount
    elasticfilesystem:ClientWrite

    Note: elasticfilesystem:ClientWrite isn't required for read-only connections.

  • Your AWS Identity and Access Management (IAM) user must have the elasticfilesystem:DescribeMountTargets permission.

  • The EFS File System security group must allow NFS inbound traffic from the Lambda security group or IP address range.

  • The Lambda security group must allow NFS outbound traffic to the EFS security group or IP address range.

  • The Lambda function and Amazon EFS access points must be in the same AWS Region and Availability Zone.

  • You must define the local mount path when you mount the EFS to Lambda.
    Note: The local mount path must start with "/mnt/".

For more information, see How do I use a Lambda function to create the correct Amazon EFS access point configuration to mount my file system?

Resolution

To troubleshoot this Lambda function error, take the following actions.

EFSMountFailureException

The Lambda function couldn't mount the configured EFS file system because of a permission or configuration issue. Check the Lambda function's permissions. Then, confirm that the EFS file system and access point exist and are ready for use.

EFSMountConnectivityException

The Lambda function couldn't use the NFS protocol to make a network connection to the configured EFS file system. Check the security group and routing configuration for the Amazon Virtual Private Cloud (Amazon VPC) subnets.

EFSMountTimeoutException

The Lambda function made the network connection to the configured EFS file system, but the mount operation timed out. Invoke the Lambda function again. If the Lambda function times out again, then limit the function's reserved concurrency to reduce the load volume on the EFS file system.

PermissionError: Permission denied: '/mnt/xyz/abc'

Lambda can't access the specified Amazon EFS access point. To troubleshoot Amazon EFS access points, see What are common EFS access point configurations?
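The role, security group, and mount path requirements from the short description can be checked offline before you invoke the function. The following is an added example, not AWS code: each failed check is tagged with the error section of this article that covers that area, where one exists. It assumes input shaped like an IAM policy document and the security group objects returned by EC2 DescribeSecurityGroups; the function names, group IDs, and CIDR ranges are constructed, and Deny statements, policy conditions, IPv6 ranges, and routing aren't evaluated.

```python
import fnmatch
import ipaddress

NFS_PORT = 2049  # TCP port used for NFS traffic to EFS mount targets

def role_allows(policy, action):
    """True if an Allow statement matches the action (assumes Statement is a list)."""
    for s in policy.get("Statement", []):
        acts = s.get("Action", [])
        acts = [acts] if isinstance(acts, str) else acts
        if s.get("Effect") == "Allow" and any(
                fnmatch.fnmatchcase(action.lower(), a.lower()) for a in acts):
            return True
    return False

def rules_allow_nfs(rules, peer_sg, peer_cidr):
    """True if a rule covers TCP 2049 for the peer security group or its IPv4 CIDR."""
    peer = ipaddress.ip_network(peer_cidr)
    for r in rules:
        in_scope = r.get("IpProtocol") == "-1" or (  # "-1" = all protocols and ports
            r.get("IpProtocol") == "tcp" and r.get("FromPort", 0) <= NFS_PORT <= r.get("ToPort", 65535))
        by_group = any(g.get("GroupId") == peer_sg for g in r.get("UserIdGroupPairs", []))
        by_cidr = any(peer.subnet_of(ipaddress.ip_network(c["CidrIp"])) for c in r.get("IpRanges", []))
        if in_scope and (by_group or by_cidr):
            return True
    return False

def preflight(policy, lambda_sg, efs_sg, lambda_cidr, efs_cidr, mount_path, read_only=False):
    """Return (failed check, related error section of the article or None) tuples."""
    findings = []
    if not role_allows(policy, "elasticfilesystem:ClientMount"):
        findings.append(("execution role lacks elasticfilesystem:ClientMount", "EFSMountFailureException"))
    if not read_only and not role_allows(policy, "elasticfilesystem:ClientWrite"):
        findings.append(("execution role lacks elasticfilesystem:ClientWrite", None))
    if not rules_allow_nfs(efs_sg["IpPermissions"], lambda_sg["GroupId"], lambda_cidr):
        findings.append(("EFS security group blocks NFS inbound", "EFSMountConnectivityException"))
    if not rules_allow_nfs(lambda_sg["IpPermissionsEgress"], efs_sg["GroupId"], efs_cidr):
        findings.append(("Lambda security group blocks NFS outbound", "EFSMountConnectivityException"))
    if not mount_path.startswith("/mnt/"):
        findings.append(("local mount path must start with /mnt/", None))
    return findings

# Constructed sample: role lacks ClientWrite, EFS group admits only port 443, default egress.
POLICY = {"Statement": [{"Effect": "Allow", "Action": "elasticfilesystem:ClientMount"}]}
LAMBDA_SG = {"GroupId": "sg-lambda-example", "IpPermissionsEgress": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
EFS_SG = {"GroupId": "sg-efs-example", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443,
    "ToPort": 443, "UserIdGroupPairs": [{"GroupId": "sg-lambda-example"}]}]}
SAMPLE = preflight(POLICY, LAMBDA_SG, EFS_SG, "10.0.1.0/24", "10.0.2.0/24", "/mnt/data")
print(*SAMPLE, sep="\n")
```

An empty result means only that these static checks passed. The access point root directory, file system state, and subnet routing still need to be confirmed separately.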

Related information

Troubleshoot invocation issues in Lambda

Working with Amazon EFS access points

AWS OFFICIAL
Updated 8 months ago
2 Comments

If you receive an EFSMountFailureException and have checked all of the IAM permissions listed above, check that the root directory in the access point configuration exists. If that directory does not exist, you will not see any errors in CloudTrail and the Lambda error message will simply be the same generic failure as everything else:

The function couldn't mount the Amazon EFS file system with access point arn:aws:elasticfilesystem:… (Service: AWSLambda; Status Code: 403; Error Code: EFSMountFailureException; Request ID: d7a85d64-566b-4e0d-8bc7-511129a91886; Proxy: null)
replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied a year ago