Amazon Web Services (AWS) - Mount an Elastic File System (EFS) on an EC2 Instance


This assumes you have already:

 

Install the amazon-efs-utils package on the EC2 Instance.

sudo yum install -y amazon-efs-utils

 

Ensure the Elastic File System has a Mount Target in the same Availability Zone (such as us-east-1b) as the EC2 Instance. Check out my article List Elastic File Systems (EFS) Mount Targets using the AWS CLI. In this example, there is a Mount Target in Availability Zone us-east-1b.

~]# aws efs describe-mount-targets --file-system-id fs-0d1500aa4f4b50839
{
    "MountTargets": [
        {
            "OwnerId": "123456789012",
            "MountTargetId": "fsmt-0481f8dfc2b5c6488",
            "FileSystemId": "fs-0d1500aa4f4b50839",
            "SubnetId": "subnet-0316e4d9fcd4efccc",
            "LifeCycleState": "available",
            "IpAddress": "172.31.81.6",
            "NetworkInterfaceId": "eni-02b54b783c735dcba",
            "AvailabilityZoneId": "use1-az2",
            "AvailabilityZoneName": "us-east-1b",
            "VpcId": "vpc-014d2fcfa335d3c01"
        }
    ]
}

 

Ensure the Mount Target is associated with a Security Group. Check out my article List Elastic File Systems (EFS) Mount Target Security Groups using the AWS CLI.

~]# aws efs describe-mount-target-security-groups --mount-target-id fsmt-0481f8dfc2b5c6488
{
    "SecurityGroups": [
        "sg-04c441ca1ce1b121b"
    ]
}

 

Also ensure that the Security Group allows incoming (ingress) traffic on TCP port 2049 (NFS).

~]# aws ec2 describe-security-group-rules --filter Name="group-id",Values="sg-04c441ca1ce1b121b"
{
    "SecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-0aa26ef2018a66ca3",
            "GroupId": "sg-04c441ca1ce1b121b",
            "GroupOwnerId": "123456789012",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 2049,
            "ToPort": 2049,
            "CidrIpv4": "0.0.0.0/0",
            "Description": "Allow NFS",
            "Tags": []
        },
        {
            "SecurityGroupRuleId": "sgr-0b91959bb3ab49c3b",
            "GroupId": "sg-04c441ca1ce1b121b",
            "GroupOwnerId": "123456789012",
            "IsEgress": true,
            "IpProtocol": "-1",
            "FromPort": -1,
            "ToPort": -1,
            "CidrIpv4": "0.0.0.0/0",
            "Tags": []
        }
    ]
}
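An added example, not part of the original article: the ingress rule above admits NFS from 0.0.0.0/0, and this Python check reads describe-security-group-rules output and reports whether each rule reaching TCP 2049 is open to any address or scoped to a narrower source. The rules are abbreviated from the output above, except sgr-EXAMPLE / sg-EXAMPLE, which is a constructed rule added for contrast.

```python
import ipaddress
import json

NFS_PORT = 2049

# Rules abbreviated from the output above, plus one constructed rule
# (sgr-EXAMPLE) whose source is a security group instead of a CIDR.
SAMPLE = json.loads("""
{"SecurityGroupRules": [
  {"SecurityGroupRuleId": "sgr-0aa26ef2018a66ca3", "IsEgress": false,
   "IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
   "CidrIpv4": "0.0.0.0/0"},
  {"SecurityGroupRuleId": "sgr-EXAMPLE", "IsEgress": false,
   "IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
   "ReferencedGroupInfo": {"GroupId": "sg-EXAMPLE"}},
  {"SecurityGroupRuleId": "sgr-0b91959bb3ab49c3b", "IsEgress": true,
   "IpProtocol": "-1", "FromPort": -1, "ToPort": -1,
   "CidrIpv4": "0.0.0.0/0"}
]}
""")


def covers_nfs(rule):
    """True if an ingress rule admits TCP 2049 (protocol -1 is all traffic)."""
    if rule["IsEgress"]:
        return False
    if rule["IpProtocol"] == "-1":
        return True
    return (rule["IpProtocol"] == "tcp"
            and rule["FromPort"] <= NFS_PORT <= rule["ToPort"])


def audit_nfs_ingress(rules):
    """Return (rule id, source, verdict) for every rule that admits NFS."""
    findings = []
    for rule in rules:
        if not covers_nfs(rule):
            continue
        cidr = rule.get("CidrIpv4") or rule.get("CidrIpv6")
        if cidr is None:
            # Source is another security group or a prefix list.
            group = rule.get("ReferencedGroupInfo", {}).get("GroupId")
            findings.append((rule["SecurityGroupRuleId"],
                             group or rule.get("PrefixListId"), "scoped"))
            continue
        wide = ipaddress.ip_network(cidr).prefixlen == 0  # 0.0.0.0/0 or ::/0
        findings.append((rule["SecurityGroupRuleId"], cidr,
                         "open-to-any" if wide else "scoped"))
    return findings
```

For a live check, pass the parsed output of the aws ec2 describe-security-group-rules command above to audit_nfs_ingress.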

 

According to https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html, "if you do not specify the ownership and permissions for an access point root directory, Amazon EFS will not create the root directory. All attempts to mount the access point will fail". Once I set the POSIX user and Creation Info, I was then able to mount the /vault access point. Check out my article List Elastic File Systems (EFS) Access Points using the AWS CLI.

~]$ aws efs describe-access-points
{
    "AccessPoints": [
        {
            "ClientToken": "666D79BA-AD33-4727-878B-550CB3A87FF7",
            "Name": "foo Access Point",
            "Tags": [
                {
                    "Key": "Name",
                    "Value": "foo Access Point"
                },
                {
                    "Key": "Role",
                    "Value": "foo Access Point"
                }
            ],
            "AccessPointId": "fsap-04164a446398febd3",
            "AccessPointArn": "arn:aws:elasticfilesystem:us-east-1:123456789012:access-point/fsap-04164a446398febd3",
            "FileSystemId": "fs-0d1500aa4f4b50839",
            "PosixUser": {
                "Uid": 1000,
                "Gid": 1000
            },
            "RootDirectory": {
                "Path": "/foo",
                "CreationInfo": {
                    "OwnerUid": 1000,
                    "OwnerGid": 1000,
                    "Permissions": "0775"
                }
            },
            "OwnerId": "123456789012",
            "LifeCycleState": "available"
        }
    ]
}

 

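You can now try to mount the Elastic File System using the mount command, replacing the Access Point ID and File System ID with your own. The tls option encrypts the NFS traffic in transit, iam authenticates the mount with the EC2 Instance's IAM credentials, and accesspoint mounts through the named Access Point.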

sudo mount --types efs --options iam,tls,accesspoint=fsap-0123456789abdefgs fs-9876543210plmokn:/ /mnt

 

You may want to attach a policy to the Elastic File System. Check out my articles:

For example, you could attach the following policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "elasticfilesystem:ClientWrite",
                "elasticfilesystem:ClientMount"
            ],
            "Resource": "arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-0d1500aa4f4b50839",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "true"
                }
            }
        }
    ]
}
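An added example, not part of the original article: the policy above requires TLS but grants ClientMount and ClientWrite to Principal "*", so this Python review flags that and builds a copy limited to one IAM role and to the access point listed earlier. ROLE_ARN is a placeholder (assumption) for the role in the EC2 Instance's instance profile; the finding names are illustrative.

```python
import copy
import json

# The file system policy shown above, embedded as-is.
PAGE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": "*"},
  "Action": ["elasticfilesystem:ClientWrite", "elasticfilesystem:ClientMount"],
  "Resource": "arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-0d1500aa4f4b50839",
  "Condition": {"Bool": {"aws:SecureTransport": "true"}}}]}
""")
# Access point ARN from the describe-access-points output above.
ACCESS_POINT_ARN = ("arn:aws:elasticfilesystem:us-east-1:123456789012:"
                    "access-point/fsap-04164a446398febd3")
# Placeholder role name (assumption); use the role in the instance profile.
ROLE_ARN = "arn:aws:iam::123456789012:role/EXAMPLE-ec2-role"
AP_KEY = "elasticfilesystem:AccessPointArn"

def is_wildcard(principal):
    """True for "*", {"AWS": "*"} or a list of AWS principals containing "*"."""
    if principal == "*":
        return True
    aws = principal.get("AWS") if isinstance(principal, dict) else None
    return aws == "*" or (isinstance(aws, list) and "*" in aws)

def review(policy):
    """Return (statement index, finding) pairs for each Allow statement."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {})
        if is_wildcard(stmt.get("Principal")):
            findings.append((i, "wildcard-principal"))
        if cond.get("Bool", {}).get("aws:SecureTransport") != "true":
            findings.append((i, "tls-not-required"))
        if AP_KEY not in cond.get("StringEquals", {}):
            findings.append((i, "not-bound-to-access-point"))
    return findings

def tighten(policy, role_arn, access_point_arn):
    """Copy the policy, naming one role and one access point in every Allow."""
    out = copy.deepcopy(policy)
    for stmt in out["Statement"]:
        if stmt.get("Effect") == "Allow":
            stmt["Principal"] = {"AWS": role_arn}
            conds = stmt.setdefault("Condition", {})
            conds.setdefault("StringEquals", {})[AP_KEY] = access_point_arn
    return out
```

A policy that names a role only matches mounts made with the iam option, as in the mount command above; json.dumps(tighten(PAGE_POLICY, ROLE_ARN, ACCESS_POINT_ARN), indent=4) prints the tightened document.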

 

 



