I have an ECS service which is of Launch Type EC2 owned by an AWS account A. Our IT team has created an FSx storage owned by an AWS Account B -
see simple diagram here
When I try to launch tasks I get this error in the Stopped reason section of the task:
Stopped reason
Fsx describing filesystem(s) from the service for [fs-0c52aba0aac20c744]: FileSystemNotFound: File system 'fs-0c52aba0aac20c744' does not exist.
I have attached those 2 policies to the EC2 (container host) instance:
- AmazonFSxReadOnlyAccess (AWS Managed)
- fsx_mount (Customer Managed)
fsx_mount:
{
"Statement": [
{
"Action": [
"secretsmanager:GetSecretValue"
],
"Effect": "Allow",
"Resource": "arn:aws:secretsmanager:us-west-2:111111111111:secret:dev/rushmore/ad-account-NKOkyh"
},
{
"Action": [
"fsx:*",
"ds:DescribeDirectories"
],
"Effect": "Allow",
"Resource": "arn:aws:fsx:us-west-2:222222222222:file-system/fs-0c52aba0aac20c744"
}
],
"Version": "2012-10-17"
}
Note that the account id of 222222222222 represents AWS Account B. Also, VPC Peering is in place between the EC2 instance VPC and the FileSystem VPC.
Terraform aws_ecs_task_definition:
resource "aws_ecs_task_definition" "participants_task" {
volume {
name = "FSxStorage"
fsx_windows_file_server_volume_configuration {
file_system_id = "fs-0c52aba0aac20c744"
root_directory = "\\data"
authorization_config {
credentials_parameter = aws_secretsmanager_secret_version.fsx_account_secret.arn
domain = var.domain
}
}
}
...
}
I am not sure why ECS cannot find the FSx file system. Surely it must be because it is in another AWS account but I don't know what changes are required in order to fix this.