Reputation: 569
I expect that only an instance with IAM role 123 will be able to mount and read/write an EFS.
But I can't mount.
I would appreciate any help or ideas.
sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport fs-d2f2bd.efs.us-east-1.amazonaws.com:/ /var/www/mout
Error:
mount.nfs4: access denied by server while mounting fs-d2f2bd.efs.us-east-1.amazonaws.com:/
I have created an EFS with this policy:
{
    "Version": "2012-10-17",
    "Id": "efs-policy-wizard-06f9ed35-1f72-48f9-b04a-21de6e54324c",
    "Statement": [
        {
            "Sid": "efs-statement-37f69742-4d0b-4a28-850f-36db1b192872",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::714154805721:role/123"
            },
            "Action": [
                "elasticfilesystem:ClientRootAccess",
                "elasticfilesystem:ClientWrite",
                "elasticfilesystem:ClientMount"
            ],
            "Resource": "arn:aws:elasticfilesystem:us-east-1:714154805721:file-system/fs-d2f2bd"
        }
    ]
}
And I created the 123 role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "elasticfilesystem:CreateMountTarget",
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite",
                "elasticfilesystem:ClientRootAccess",
                "elasticfilesystem:CreateFileSystem"
            ],
            "Resource": "arn:aws:elasticfilesystem:us-east-1:714154805721:file-system/fs-09d2f2bd"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "elasticfilesystem:CreateFileSystem",
            "Resource": "*"
        }
    ]
}
Best wishes, Rostyslav
Upvotes: 2
Views: 6231
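An added example, not part of the original post: a plain `nfs4` mount carries no IAM identity, so a file system policy that names one role has nothing to match against; the EFS mount helper (`-t efs`) with the `tls,iam` options is what presents the instance role. The sketch below checks the posted mount command against the posted policy. The evaluator is a simplified assumption (Allow statements only, exact principal match, no conditions), `HELPER_MOUNT` is a constructed comparison command, and the role is assumed to be attached to the instance as its instance profile.

```python
import json

# File system policy from the post, reduced to the fields this check reads.
FS_POLICY = json.loads("""{"Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::714154805721:role/123"},
  "Action": ["elasticfilesystem:ClientRootAccess",
             "elasticfilesystem:ClientWrite",
             "elasticfilesystem:ClientMount"]}]}""")
ROLE_ARN = "arn:aws:iam::714154805721:role/123"
POSTED_MOUNT = ("sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,"
                "hard,timeo=600,retrans=2,noresvport "
                "fs-d2f2bd.efs.us-east-1.amazonaws.com:/ /var/www/mout")
# Constructed for comparison: the same mount through the amazon-efs-utils helper.
HELPER_MOUNT = "sudo mount -t efs -o tls,iam fs-d2f2bd:/ /var/www/mout"


def presented_principal(mount_cmd, instance_role):
    """Return the IAM principal the mount presents, or None if anonymous.

    Only the EFS mount helper (-t efs) with the iam option signs the
    request; a plain NFS client cannot carry IAM credentials.
    """
    args = mount_cmd.split()
    fstype = args[args.index("-t") + 1]
    opts = args[args.index("-o") + 1].split(",") if "-o" in args else []
    return instance_role if fstype == "efs" and "iam" in opts else None


def allows(policy, principal, action):
    """Simplified check: Allow statements, exact principal or "*", no conditions."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        who = st["Principal"]
        named = who if who == "*" else who.get("AWS", [])
        named = [named] if isinstance(named, str) else named
        if action in actions and ("*" in named or principal in named):
            return True
    return False


def mount_allowed(mount_cmd):
    """True if the policy grants ClientMount to whoever the mount presents."""
    who = presented_principal(mount_cmd, ROLE_ARN)
    return allows(FS_POLICY, who, "elasticfilesystem:ClientMount")
```

`mount_allowed(POSTED_MOUNT)` is false because the mount is anonymous, which is consistent with the "access denied by server" error; the helper form presents role 123 and matches the policy's principal.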