Amazon Web Services (AWS) - Resolve "access denied by server while mounting 127.0.0.1:/"


Let's say you are attempting to mount an Amazon Web Services (AWS) Elastic File System (EFS) using the mount command and "access denied by server while mounting 127.0.0.1:/" is displayed.

~]$ sudo mount --types efs --options tls,accesspoint=fsap-0123456789abdefgs fs-9876543210plmokn:/ /mnt
b'mount.nfs4: access denied by server while mounting 127.0.0.1:/'

 

This can be caused by:

  • The Elastic File System (EFS) is in a different Virtual Private Cloud (VPC) than the system you are trying to mount the Elastic File System on
  • The Elastic File System (EFS) is in a different Availability Zone than the system you are trying to mount the Elastic File System on
  • The Elastic File System (EFS) Mount Targets are not associated with a Security Group that allows incoming (ingress) traffic on TCP NFS port 2049
  • The Elastic File System (EFS) Access Points do not have POSIX User and Creation Info set
  • The Elastic File System (EFS) has a policy that denies access or does not have a policy that allows access

 

Ensure the Elastic File System has a Mount Target in the same Availability Zone (such as us-east-1b) as the system you are trying to mount the Elastic File System on. Check out my article List Elastic File Systems (EFS) Mount Targets using the AWS CLI. In this example, there is a Mount Target in Availability Zone us-east-1b.

~]# aws efs describe-mount-targets --file-system-id fs-0d1500aa4f4b50839
{
    "MountTargets": [
        {
            "OwnerId": "123456789012",
            "MountTargetId": "fsmt-0481f8dfc2b5c6488",
            "FileSystemId": "fs-0d1500aa4f4b50839",
            "SubnetId": "subnet-0316e4d9fcd4efccc",
            "LifeCycleState": "available",
            "IpAddress": "172.31.81.6",
            "NetworkInterfaceId": "eni-02b54b783c735dcba",
            "AvailabilityZoneId": "use1-az2",
            "AvailabilityZoneName": "us-east-1b",
            "VpcId": "vpc-014d2fcfa335d3c01"
        }
    ]
}

 

Ensure the Mount Target is associated with a Security Group. Check out my article List Elastic File Systems (EFS) Mount Target Security Groups using the AWS CLI.

~]# aws efs describe-mount-target-security-groups --mount-target-id fsmt-0481f8dfc2b5c6488
{
    "SecurityGroups": [
        "sg-04c441ca1ce1b121b"
    ]
}

 

Also ensure that the Security Group allows incoming (ingress) traffic on TCP NFS port 2049.

~]# aws ec2 describe-security-group-rules --filter Name="group-id",Values="sg-04c441ca1ce1b121b"
{
    "SecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-0aa26ef2018a66ca3",
            "GroupId": "sg-04c441ca1ce1b121b",
            "GroupOwnerId": "123456789012",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 2049,
            "ToPort": 2049,
            "CidrIpv4": "0.0.0.0/0",
            "Description": "Allow NFS",
            "Tags": []
        },
        {
            "SecurityGroupRuleId": "sgr-0b91959bb3ab49c3b",
            "GroupId": "sg-04c441ca1ce1b121b",
            "GroupOwnerId": "123456789012",
            "IsEgress": true,
            "IpProtocol": "-1",
            "FromPort": -1,
            "ToPort": -1,
            "CidrIpv4": "0.0.0.0/0",
            "Tags": []
        }
    ]
}

 

According to https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html, "if you do not specify the ownership and permissions for an access point root directory, Amazon EFS will not create the root directory. All attempts to mount the access point will fail". Once I set the POSIX user and Creation Info, I was then able to mount the /vault access point. Check out my article List Elastic File Systems (EFS) Access Points using the AWS CLI.

~]$ aws efs describe-access-points
{
    "AccessPoints": [
        {
            "ClientToken": "666D79BA-AD33-4727-878B-550CB3A87FF7",
            "Name": "foo Access Point",
            "Tags": [
                {
                    "Key": "Name",
                    "Value": "foo Access Point"
                },
                {
                    "Key": "Role",
                    "Value": "foo Access Point"
                }
            ],
            "AccessPointId": "fsap-04164a446398febd3",
            "AccessPointArn": "arn:aws:elasticfilesystem:us-east-1:123456789012:access-point/fsap-04164a446398febd3",
            "FileSystemId": "fs-0d1500aa4f4b50839",
            "PosixUser": {
                "Uid": 1000,
                "Gid": 1000
            },
            "RootDirectory": {
                "Path": "/foo",
                "CreationInfo": {
                    "OwnerUid": 1000,
                    "OwnerGid": 1000,
                    "Permissions": "0775"
                }
            },
            "OwnerId": "713542074252",
            "LifeCycleState": "available"
        }
    ]
}
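
The mount target, Security Group and Access Point checks above can be run together over the saved JSON output of the three describe commands. This is an added example, not code from the original article: the function names and the trimmed sample data are constructed for illustration, and it also flags an NFS ingress rule open to 0.0.0.0/0, which works for mounting but is wider than the client Security Group or VPC CIDR needs.

```python
import json

def nfs_ingress(rules):
    """Ingress rules that admit TCP 2049, explicitly or via an all-traffic rule."""
    hits = []
    for r in rules:
        if r["IsEgress"]:
            continue
        tcp_2049 = r["IpProtocol"] == "tcp" and r["FromPort"] <= 2049 <= r["ToPort"]
        if r["IpProtocol"] == "-1" or tcp_2049:
            hits.append(r)
    return hits

def preflight(client_az, client_vpc, targets, rules, access_point):
    """Return findings; an empty list means none of the checked causes was found."""
    findings = []
    if not any(t["LifeCycleState"] == "available" and t["VpcId"] == client_vpc
               and t["AvailabilityZoneName"] == client_az for t in targets):
        findings.append(f"no available mount target in {client_vpc} / {client_az}")
    allowed = nfs_ingress(rules)
    if not allowed:
        findings.append("security group has no ingress rule covering TCP 2049")
    for r in allowed:
        if r.get("CidrIpv4") == "0.0.0.0/0":  # any network that can route to the VPC
            findings.append(f"{r['SecurityGroupRuleId']}: NFS ingress open to 0.0.0.0/0")
    if "PosixUser" not in access_point:
        findings.append("access point has no PosixUser")
    if "CreationInfo" not in access_point.get("RootDirectory", {}):
        findings.append("access point root directory has no CreationInfo")
    return findings

# Constructed sample input: the fields used above, trimmed from this page's CLI output.
TARGETS = [{"LifeCycleState": "available", "AvailabilityZoneName": "us-east-1b",
            "VpcId": "vpc-014d2fcfa335d3c01"}]
RULES = json.loads("""[
  {"SecurityGroupRuleId": "sgr-0aa26ef2018a66ca3", "IsEgress": false,
   "IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049, "CidrIpv4": "0.0.0.0/0"},
  {"SecurityGroupRuleId": "sgr-0b91959bb3ab49c3b", "IsEgress": true,
   "IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "CidrIpv4": "0.0.0.0/0"}]""")
AP_OK = {"PosixUser": {"Uid": 1000, "Gid": 1000},
         "RootDirectory": {"Path": "/foo", "CreationInfo": {
             "OwnerUid": 1000, "OwnerGid": 1000, "Permissions": "0775"}}}
AP_BARE = {"RootDirectory": {"Path": "/foo"}}  # constructed: neither field set

if __name__ == "__main__":
    for finding in preflight("us-east-1b", "vpc-014d2fcfa335d3c01", TARGETS, RULES, AP_OK):
        print(finding)
```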

 

You can try including the iam option.

sudo mount --types efs --options iam,tls,accesspoint=fsap-0123456789abdefgs fs-9876543210plmokn:/ /mnt

 

You can try including awsprofile which points to a named profile in your credentials file. Check out my article on Set Profile Config using the AWS CLI. Let's say the credentials file contains a profile named johndoe.

~]$ cat /home/john.doe/.aws/credentials 
[default]
aws_secret_access_key = Xw3kZVaxTfvDKBMGf6R79Unf5LG4kdf9piuHfhn13
aws_access_key_id = 34VGB4HYOC2ABCO67BKD
[johndoe]
aws_secret_access_key = fj1a5YG2rGYzE99Ccdfhn#RQaU4pZ+H3ehFgm567
aws_access_key_id = ZMKF1MMUDGUZR7XFJM90

 

You can try including the awsprofile option.

sudo mount --types efs --options iam,tls,awsprofile=johndoe,accesspoint=fsap-0123456789abdefgs fs-9876543210plmokn:/ /mnt

 

You can try attaching a policy to the Elastic File System. Check out my articles:

For example, you could attach the following policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "elasticfilesystem:ClientWrite",
                "elasticfilesystem:ClientMount"
            ],
            "Resource": "arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-0d1500aa4f4b50839",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "true"
                }
            }
        }
    ]
}
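
The policy above requires TLS, but its "AWS": "*" principal places no restriction on which identity may mount. The check below is an added example, not code from the original article: it lints a file system policy for that pattern and compares the page's policy with a tighter variant that names one IAM role and one Access Point. The role name EXAMPLE-ROLE is a placeholder and the function names are constructed for illustration.

```python
MOUNT_ACTIONS = {"elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite",
                 "elasticfilesystem:ClientRootAccess"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_wildcard(principal):
    """True for "*" and for {"AWS": "*"}, including "*" inside a list."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))

def lint(policy):
    """Findings for Allow statements that grant NFS client access too broadly.
    Simplification: only conditions on the Allow statement itself are examined."""
    findings = []
    for i, st in enumerate(as_list(policy["Statement"])):
        actions = set(as_list(st.get("Action", [])))
        if st.get("Effect") != "Allow" or not MOUNT_ACTIONS & actions:
            continue
        cond = st.get("Condition", {})
        keys = {k.lower() for operands in cond.values() for k in operands}
        if is_wildcard(st.get("Principal")) and "elasticfilesystem:accesspointarn" not in keys:
            findings.append(f"statement {i}: wildcard principal, not scoped to an access point")
        bools = {k.lower(): v for k, v in cond.get("Bool", {}).items()}
        if str(bools.get("aws:securetransport")).lower() != "true":
            findings.append(f"statement {i}: TLS (aws:SecureTransport) not required")
    return findings

FS_ARN = "arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-0d1500aa4f4b50839"
ACTIONS = ["elasticfilesystem:ClientWrite", "elasticfilesystem:ClientMount"]
TLS = {"Bool": {"aws:SecureTransport": "true"}}

# The policy shown on this page.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ACTIONS,
    "Resource": FS_ARN, "Condition": TLS}]}

# Constructed tighter variant: placeholder role, Access Point ARN taken from this page.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ACTIONS, "Resource": FS_ARN,
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/EXAMPLE-ROLE"},
    "Condition": {**TLS, "StringEquals": {"elasticfilesystem:AccessPointArn":
        "arn:aws:elasticfilesystem:us-east-1:123456789012:access-point/fsap-04164a446398febd3"}}}]}

if __name__ == "__main__":
    print(lint(PAGE_POLICY), lint(SCOPED_POLICY))
```

With a named role as the principal, the client has to mount with the iam option shown earlier so that the request is signed with that role's credentials.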

 



