Markus Müller

Reputation: 2631

Accessing EFS file system from Fargate ECS task - Not working without any kind of error message

I tried to connect an EFS file system to an ECS Fargate Task, based on the examples in the documentation. I cannot write to the volume (sadly I cannot change the container in a way that reports whether it can write there).

The task is provisioned without any error, but the starting container cannot write into the mounted volume.

In contrast to some other questions here, I do NOT get any error message from AWS. Just the container reporting an AccessDeniedException.

I am running out of ideas on how to troubleshoot this.

Whatever I change in the configuration, the behaviour stays the same. When I add errors to the filesystem ID or access point ID, those are caught, however, so the console thinks the configuration is fine.

I can see client connects for the file system in CloudWatch, however I do not see if those are successful or not. Does that mean networking is fine, but access permissions are wrong?

Task config:

    "mountPoints": [
        {
            "sourceVolume": "controlserver-files",
            "containerPath": "/application/files",
            "readOnly": false
        }
    ],
    "volumes": [
        {
            "name": "controlserver-files",
            "efsVolumeConfiguration": {
                "fileSystemId": "fs-99999999999",
                "rootDirectory": "/",
                "transitEncryption": "ENABLED"
            }
        }
    ],

File system policy:

    {
        "Sid": "efs-statement-08270b77-b8c4-4788-b12a-7226fbcc0e21",
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": [
            "elasticfilesystem:ClientRootAccess",
            "elasticfilesystem:ClientWrite",
            "elasticfilesystem:ClientMount"
        ],
        "Resource": "arn:aws:elasticfilesystem:eu-central-1:977555550711:file-system/fs-02bab7777777774"
    }

Upvotes: 0

Views: 3342

Answers (1)

Anda

Reputation: 26

Did you have a look at the permissions on the EFS volume itself? There is this useful blog post: https://aws.amazon.com/blogs/containers/developers-guide-to-using-amazon-efs-with-amazon-ecs-and-aws-fargate-part-2/

I would first start by mounting EFS on, e.g., your local machine or an EC2 instance and checking the permissions on the root folder. For testing, you may set the permissions to 777 so that anyone, any UID, can read and write there.

$ sudo chmod 777 /EFSroot

If this works, I would go and be less permissive. You may check this doc on permissions for NFS: https://docs.aws.amazon.com/efs/latest/ug/accessing-fs-nfs-permissions.html

Feel free to share the results.

Upvotes: 1
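As an added example (not code from the question, the answer or AWS), a Python check that reads an ECS task definition and an EFS file-system policy shaped like the two posted in the question and reports the combinations worth ruling out before loosening POSIX permissions as the answer suggests: IAM authorization off, the file system not covered by any Allow statement, a read-write mount without ClientWrite, and a wildcard Principal with no Condition. The function names and all sample values (file-system id, account id, Sid) are constructed.

```python
def _as_list(value):
    # IAM policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def efs_findings(task_def, fs_policy):
    """Return findings for every EFS volume in an ECS task definition, checked
    against the EFS file-system policy the volume is expected to mount under."""
    findings = []
    allows = [s for s in fs_policy.get("Statement", []) if s.get("Effect") == "Allow"]
    for vol in task_def.get("volumes", []):
        cfg = vol.get("efsVolumeConfiguration")
        if cfg is None:
            continue
        name, fs_id = vol["name"], cfg["fileSystemId"]
        if cfg.get("transitEncryption") != "ENABLED":
            findings.append(f"{name}: transitEncryption is not ENABLED; NFS traffic is in the clear")
        if cfg.get("authorizationConfig", {}).get("iam") != "ENABLED":
            findings.append(f"{name}: authorizationConfig.iam is not ENABLED; the task role is not "
                            "used, so the mount is evaluated as an anonymous client")
        # Allow statements that name this file system (or *) and grant ClientMount.
        covering = [s for s in allows
                    if any(r == "*" or r.endswith(f":file-system/{fs_id}") for r in _as_list(s["Resource"]))
                    and "elasticfilesystem:ClientMount" in _as_list(s["Action"])]
        if not covering:
            findings.append(f"{name}: no Allow statement grants ClientMount on {fs_id}")
        writable = any(not mp.get("readOnly", False)
                       for cd in task_def.get("containerDefinitions", [])
                       for mp in cd.get("mountPoints", []) if mp["sourceVolume"] == name)
        if writable and not any("elasticfilesystem:ClientWrite" in _as_list(s["Action"]) for s in covering):
            findings.append(f"{name}: mounted read-write but no covering statement grants ClientWrite")
        for s in covering:  # wildcard principal without a Condition: any client reaching a mount target qualifies
            p = s.get("Principal")
            if (p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")) and not s.get("Condition"):
                findings.append(f"{name}: statement {s.get('Sid', '?')} allows Principal * with no Condition")
    return findings

# Constructed sample input modelled on the question's task definition and policy
# (placeholder file-system id, account id and Sid, not the poster's values).
TASK_DEF = {
    "containerDefinitions": [{"name": "app", "mountPoints": [
        {"sourceVolume": "files", "containerPath": "/application/files", "readOnly": False}]}],
    "volumes": [{"name": "files", "efsVolumeConfiguration": {
        "fileSystemId": "fs-0123456789abcdef0", "rootDirectory": "/", "transitEncryption": "ENABLED"}}],
}
FS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "efs-statement-example", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["elasticfilesystem:ClientRootAccess", "elasticfilesystem:ClientWrite",
               "elasticfilesystem:ClientMount"],
    "Resource": "arn:aws:elasticfilesystem:eu-central-1:111122223333:file-system/fs-0123456789abcdef0"}]}
```

Calling `efs_findings(TASK_DEF, FS_POLICY)` on the sample returns two findings: IAM authorization is off, and the covering statement allows Principal `*` with no Condition.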
