AWS Storage Blog
Mount Amazon EFS file systems cross-account from Amazon EKS
Many customers use multiple AWS accounts managed by AWS Organizations to create security and cost boundaries around business units, projects, or applications. AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources. In some cases, an application in one AWS account must access data in another. As you grow and scale your environment, you may benefit from accessing data in multiple AWS accounts from a single AWS account. For Amazon Elastic Kubernetes Service (EKS) and Amazon Elastic File System (Amazon EFS) to make more effective use of AWS Organizations, a cross-account Amazon EFS file system mount is required. This blog shows you how to mount Amazon EFS file systems cross-account from Amazon EKS.
Until recently, mounting Amazon EFS resources in another account meant manually configuring IP-to-hostname bindings. For those of you using EKS, it also meant using hostname aliases. Amazon EFS CSI driver version 1.3.2 added support for API-based resolution of Amazon EFS mount targets. This addition makes it simpler to mount file systems in other AWS accounts.
Setup
In this post, we make the following assumptions:
- You have an EKS cluster already created in account A and an EFS file system in another account B.
- You have established a connection between the EKS cluster VPC in account A and the EFS file system VPC in account B, or accounts A and B are connected through VPC sharing. To set up VPC-to-VPC connectivity or VPC sharing, refer to the official documentation.
- You have an OpenID Connect (OIDC) provider set up for your EKS cluster and a service account associated with the CSI driver's controller service. Refer to the official documentation for detailed steps on how to configure the controller service account.
- You have installed and configured eksctl and kubectl. To set up eksctl and kubectl, refer to the official documentation for eksctl and kubectl.
You will need a cross-account IAM role in the AWS account where your EFS file system exists, with permission to describe mount targets. This IAM role will be assumed by efs-csi-driver to describe the mount targets of the EFS file system. The driver will select an IP address from one of the mount targets on the EFS file system to perform the cross-account mount.
1. Create an IAM role in AWS account B hosting your EFS file system. Add a trust relationship with AWS account A hosting your EKS cluster to the role. Attach to the role an IAM policy with permission to describe mount targets.
2. In AWS account A hosting your EKS cluster, create an IAM policy with sts:AssumeRole permission on the cross-account IAM role created in step 1. Attach this policy to the IAM role associated with the service account of the driver's controller service.
3. Create a Kubernetes secret with awsRoleArn as the key and the ARN of the cross-account role from step 1 as the value.
4. Add a file system policy to your file system in AWS account B to allow mounts from AWS account A hosting the EKS cluster.
5. Create a Kubernetes service account for the driver's node daemonset.
6. Add the service account to the driver's node daemonset and deploy the driver.
At this point, your Amazon EFS CSI driver is set up for cross-account mount.
Test
- To test cross-account mount using dynamic provisioning, let's create a storage class for the file system. Check the official GitHub page for a full list of storage class parameters for dynamic provisioning.
- To test volume provisioning and successful mounting, we deploy a persistent volume claim and a pod. The actual storage capacity value is not used; it is only provided to satisfy Kubernetes constraints, as EFS scales elastically in size.
- After a few seconds, the volume should be provisioned and bound.
- At this point, the pod should have started writing data to the file system. Let's verify by checking the pod's data directory.
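An added example (not code from the post or from the EFS CSI driver project) that renders setup steps 1 to 4 and the test's storage class as policy documents and Kubernetes manifests. Account IDs, region, file system ID and role names are constructed placeholders, and it assumes the node daemonset mounts under its own IRSA role, which is the identity the file system policy trusts; it scopes each trust to a specific role rather than a whole account, the least-privilege form of what the steps describe.

```python
# Constructed placeholders (assumptions, not values from the post): account A hosts
# the EKS cluster, account B hosts the EFS file system.
ACCOUNT_A, ACCOUNT_B, REGION = "111111111111", "222222222222", "us-east-1"
FS_ID = "fs-0123456789abcdef0"
CONTROLLER_ROLE = "efs-csi-controller-role"  # IRSA role of the driver's controller in A
NODE_ROLE = "efs-csi-node-role"              # IRSA role of the driver's node daemonset in A
XACCOUNT_ROLE = "efs-csi-xaccount-role"      # role in B that the controller assumes

def doc(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

def xaccount_trust_policy(account_a, controller_role):
    """Step 1, trust policy of the role in B. Trusting the controller's IRSA role
    instead of arn:aws:iam::A:root keeps every other principal in A out."""
    return doc({"Effect": "Allow", "Action": "sts:AssumeRole",
                "Principal": {"AWS": f"arn:aws:iam::{account_a}:role/{controller_role}"}})

def xaccount_permissions_policy(region, account_b, fs_id):
    """Step 1, permissions of the role in B: list this one file system's mount targets."""
    return doc({"Effect": "Allow", "Action": "elasticfilesystem:DescribeMountTargets",
                "Resource": f"arn:aws:elasticfilesystem:{region}:{account_b}:file-system/{fs_id}"})

def assume_role_policy(account_b, xaccount_role):
    """Step 2, attached to the controller role in A: may assume only the cross-account role."""
    return doc({"Effect": "Allow", "Action": "sts:AssumeRole",
                "Resource": f"arn:aws:iam::{account_b}:role/{xaccount_role}"})

def xaccount_secret(account_b, xaccount_role, namespace="kube-system"):
    """Step 3, the Secret the driver reads; awsRoleArn is the key it expects."""
    return {"apiVersion": "v1", "kind": "Secret",
            "metadata": {"name": "x-account", "namespace": namespace},
            "stringData": {"awsRoleArn": f"arn:aws:iam::{account_b}:role/{xaccount_role}"}}

def file_system_policy(region, account_a, account_b, fs_id, node_role):
    """Step 4, file system policy in B: only the node daemonset's role in A may mount and write."""
    return doc({"Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_a}:role/{node_role}"},
                "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
                "Resource": f"arn:aws:elasticfilesystem:{region}:{account_b}:file-system/{fs_id}"})

def storage_class(fs_id, secret_name="x-account", secret_namespace="kube-system"):
    """Test step 1: dynamic-provisioning class that points the driver at the secret."""
    return {"apiVersion": "storage.k8s.io/v1", "kind": "StorageClass",
            "metadata": {"name": "efs-sc"}, "provisioner": "efs.csi.aws.com",
            "parameters": {"provisioningMode": "efs-ap", "fileSystemId": fs_id,
                           "directoryPerms": "700",
                           "csi.storage.k8s.io/provisioner-secret-name": secret_name,
                           "csi.storage.k8s.io/provisioner-secret-namespace": secret_namespace}}
```

Serialise the IAM documents with json.dumps for aws iam create-role, aws iam put-role-policy and aws efs put-file-system-policy, and the manifests with a YAML dumper for kubectl apply; the secret name and namespace in the storage class must match the Secret you create.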
After testing, you have verified that your Amazon EFS CSI driver can perform a cross-account mount. You can now access data across multiple AWS accounts from a single AWS account.
Cleaning up
Remember to delete example resources if you no longer need them.
Delete your sample application pod: $ kubectl delete pod efs-app
Delete your PVC: $ kubectl delete pvc efs-claim
Conclusion
In this blog, we showed you how to add cross-account mounts in the Amazon EFS CSI driver, enabling you to decouple your storage and compute resources. Additionally, we showed you how to place each in a separate account or VPC. The ability to access data from multiple AWS accounts from a single AWS account makes using AWS Organizations for EKS and Amazon EFS more effective. It can help you create security and cost boundaries around business units, projects, or applications as you grow and scale your environment. I hope you enjoyed learning about this way of attaching persistent shared file storage to your applications while continuing to use multiple AWS accounts. Get started by visiting the Amazon EFS CSI driver documentation.
If you have any comments or questions, share them in the comments section.