Fargate with EFS CDK

I struggled WAY too long trying to sort out the permissions for EFS. Turns out there are two layers: the IAM role (what the task is allowed to do against the file system — mount, write, root) and the POSIX permissions (the uid/gid the NFS client presents versus the owner and mode of the directory it touches). Both failures surface as a similar-looking "access denied", so it is easy to keep fixing the wrong layer. Finally!

Don’t judge me on the single AZ. I am running a single task in Fargate and only need one instance.

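// Stack-constructor fragment: an EFS file system mounted into a Fargate task.
// Two independent permission layers apply to every EFS request:
//   1. IAM  — the task role must be allowed to mount/write this file system
//             (and, here, only through the access point created below);
//   2. POSIX — the uid/gid the NFS client presents must own the directory.
// The access point pins the POSIX identity, so the task never needs root on EFS.
const { vpc, az, region, account } = props;

const fileSystem = new FileSystem(this, 'Efs', {
  vpc,
  // Stated explicitly rather than relying on the CDK feature-flag default
  // for at-rest encryption (older CDK versions defaulted to unencrypted).
  encrypted: true,
  performanceMode: PerformanceMode.GENERAL_PURPOSE,
  // NOTE(review): mount targets are placed in PUBLIC subnets. EFS is only
  // reachable through its security group, but private subnets are the usual
  // choice; left as-is because the VPC may not have private subnets.
  vpcSubnets: {
    subnetType: ec2.SubnetType.PUBLIC,
    onePerAz: true,
    availabilityZones: [az],
  },
});

// A fixed, unprivileged POSIX identity is applied to every request that comes
// through this access point, whatever user the container process runs as.
// createAcl creates the directory with that owner on first use, so the task can
// write without ClientRootAccess. Data stored directly under '/' on the file
// system is not reachable through this access point.
const efsPosixId = { uid: '1000', gid: '1000' };
const accessPoint = new AccessPoint(this, 'AccessPoint', {
  fileSystem,
  path: '/data',
  posixUser: efsPosixId,
  createAcl: {
    ownerUid: efsPosixId.uid,
    ownerGid: efsPosixId.gid,
    permissions: '750',
  },
});

const task = new ecs.FargateTaskDefinition(this, 'Task', {
  cpu: 256,
  memoryLimitMiB: 512,
});

const volumeName = 'efs-volume';

// Transit encryption is required by ECS whenever an access point or IAM
// authorization is used; with iam: 'ENABLED' the task-role policy below is
// what gates the mount, not just network reachability.
task.addVolume({
  name: volumeName,
  efsVolumeConfiguration: {
    fileSystemId: fileSystem.fileSystemId,
    transitEncryption: 'ENABLED',
    authorizationConfig: {
      accessPointId: accessPoint.accessPointId,
      iam: 'ENABLED',
    },
  },
});

const container = task.addContainer('Container', {
  image: ecs.ContainerImage.fromAsset('./container'),
  portMappings: [{ hostPort: 80, containerPort: 80 }],
});

container.addMountPoints({
  containerPath: '/mount/data',
  sourceVolume: volumeName,
  readOnly: false,
});

// Least privilege on the IAM layer: mount + write only (no ClientRootAccess —
// the access point's posixUser makes root unnecessary), scoped to this file
// system's ARN (partition-aware, unlike a hand-built 'arn:aws:...' string) and
// only through this access point. The AccessPointArn key is present only on
// NFS client actions, so it is applied to those alone.
task.addToTaskRolePolicy(
  new iam.PolicyStatement({
    actions: [
      'elasticfilesystem:ClientMount',
      'elasticfilesystem:ClientWrite',
    ],
    resources: [fileSystem.fileSystemArn],
    conditions: {
      StringEquals: {
        'elasticfilesystem:AccessPointArn': accessPoint.accessPointArn,
      },
    },
  })
);

// DescribeMountTargets is an API action, not an NFS client action: the
// access-point condition key is absent from it, so it gets its own statement.
task.addToTaskRolePolicy(
  new iam.PolicyStatement({
    actions: ['elasticfilesystem:DescribeMountTargets'],
    resources: [fileSystem.fileSystemArn],
  })
);

// Read-only and not resource-scopable. Kept because the original listing
// needed it to get the mount working — presumably for the mount helper;
// verify before removing.
task.addToTaskRolePolicy(
  new iam.PolicyStatement({
    actions: ['ec2:DescribeAvailabilityZones'],
    resources: ['*'],
  })
);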

I hope this saves someone a headache!
