By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

What principal do I need to mount EFS volume in Fargate task

0

I have an EFS file system policy below[2]. Using the principal of AWS:* allows my Fargate task to mount the file system. I'd like to tighten up the principal but can't figure out what works. Going off some documentation here, I've tried[1] principals similar to the examples (with my account ID substituted) but the task fails to start with errors like unsuccessful EFS utils command execution; code: 32. I don't get if the error is coming from missing taskRole/taskExecutionRole policies, or rather something missing for the Fargate service/cluster/assumed role itself.

Do I need to add a Role Session principal (since Fargate is assuming my role at some point to launch the task) and if so how do I find out what that is?

Secondly, is there any better way to debug errors like these than just burn-and-learn? All I have in Cloudtrail is stuff like "Trying something, something failed, obscure error #"

[1]

"Principal": { "AWS": "arn:aws:iam::123456789012:root" }
"Principal": { "AWS": "123456789012" }

[2] EFS policy

{
    "Version": "2012-10-17",
    "Id": "my-app-efs-pol",
    "Statement": [
        {
            "Sid": "my-app-efs-pol-sid",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite",
                "elasticfilesystem:ClientRootAccess",
                "elasticfilesystem:DescribeMountTargets"
            ],
            "Resource": "arn:aws:elasticfilesystem:us-east-1:<myaccount_id>:file-system/fs-<filesystemid>",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "true",
                    "elasticfilesystem:AccessedViaMountTarget": "true"
                }
            }
        }
    ]
}
Topics
StorageServerlessContainersSecurity, Identity, & Compliance
Tags
Amazon Elastic File SystemAWS FargateIAM Policies
Language
English
0x90
asked 2 years ago869 views
2 Answers
1

See following blog post: https://aws.amazon.com/blogs/containers/developers-guide-to-using-amazon-efs-with-amazon-ecs-and-aws-fargate-part-2/ The trick is, to enable IAM authorization for the ECS volume integration.

When this is enabled, the ECS cluster can be identified by the EFS volume and you can define the EFS task role as principal in the EFS file system policy.

AWS
kunzt
answered a year ago
0

Can you try, for number 1. https://docs.amazonaws.cn/en_us/efs/latest/ug/access-control-overview.html

    "elasticfilesystem:CreateFileSystem",
    "elasticfilesystem:CreateMountTarget"

On number 2, try this: https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-iam-permission-errors/

profile pictureAWS
Roly
answered 2 years ago
  • 0x90
    2 years ago

    I added "elasticfilesystem:CreateMountTarget" to the EFS policy OK, but adding "elasticfilesystem:CreateFileSystem" generates "Invalid policy" error in the File System Policy tab. Both of those links are quite broad. For instance "Mounting with IAM authorization", in your second link, demos how to specify an IAM role using sudo at the command line. That might help for debugging, but I'm not clear how to limit access by IAM role instead of just "AWS": "*"

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content