How do I access my EFS file system across accounts using IAM authorization and EFS Access Points?

Last updated: 2020-02-12

I want to access my Amazon Elastic File System (Amazon EFS) file system across accounts so that I can share files. How can I do this using AWS Identity and Access Management (IAM) authorization for NFS clients and EFS Access Points?

Short Description

You can mount your Amazon EFS file system by using IAM authorization for NFS clients and EFS Access Points with the Amazon EFS mount helper. By default, the mount helper uses DNS to resolve the IP address of your mount target, so if you're mounting from another account or VPC, you must resolve the EFS mount target IP manually.

Prerequisites

The Amazon Virtual Private Cloud (Amazon VPC) of your NFS client and the VPC of your Amazon EFS file system must be connected using either a VPC peering connection or an AWS Transit Gateway. Connecting the VPCs this way allows Amazon Elastic Compute Cloud (Amazon EC2) instances from the same or a different account to access Amazon EFS file systems in a different VPC.

Resolution

Determine the right mount target IP to use for your client, and then configure the client to mount the Amazon EFS file system using that IP.

1.    Determine the EFS mount target IP.

For high availability, it's a best practice to always use the mount target IP address in the same Availability Zone as your NFS client. Availability Zone name mappings can differ between accounts, so if you're mounting an Amazon EFS file system in another account, make sure that the NFS client and the mount target are in the same Availability Zone ID (AZ ID) by calling both DescribeAvailabilityZones and DescribeMountTargets. If you're in the same account, call both of these from an IAM role with the AmazonElasticFileSystemReadOnlyAccess managed policy attached. If you're in a different account, use the file system IAM resource policy to grant the DescribeMountTargets permission to the cross-account role by its principal ARN.

Call DescribeAvailabilityZones using the Availability Zone name of the local instance to determine the AZ ID.

[ec2-user@ip-172-30-2-10 ~]$ aws ec2 describe-availability-zones --zone-name `curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone`
{
    "AvailabilityZones": [
        {
            "State": "available", 
            "ZoneName": "us-east-2b", 
            "Messages": [], 
            "ZoneId": "use2-az2", 
            "RegionName": "us-east-2"
        }
    ]
}

In the preceding example, the instance is in AZ ID use2-az2.

Call DescribeMountTargets on your file system to determine the mount target IP for the local AZ ID.

$ aws efs describe-mount-targets --file-system-id fs-cee4feb7
{
    "MountTargets": [
        {
            "MountTargetId": "fsmt-a9c3a1d0", 
            "AvailabilityZoneId": "use2-az2", 
            "NetworkInterfaceId": "eni-048c09a306023eeec", 
            "AvailabilityZoneName": "us-east-2b", 
            "FileSystemId": "fs-cee4feb7", 
            "LifeCycleState": "available", 
            "SubnetId": "subnet-06eb0da37ee82a64f", 
            "OwnerId": "958322738406", 
            "IpAddress": "10.0.2.153"
        }, 
...
        {
            "MountTargetId": "fsmt-b7c3a1ce", 
            "AvailabilityZoneId": "use2-az3", 
            "NetworkInterfaceId": "eni-0edb579d21ed39261", 
            "AvailabilityZoneName": "us-east-2c", 
            "FileSystemId": "fs-cee4feb7", 
            "LifeCycleState": "available", 
            "SubnetId": "subnet-0ee85556822c441af", 
            "OwnerId": "958322738406", 
            "IpAddress": "10.0.3.107"
        }
    ]
}

In the preceding example output, the AZ ID use2-az2 has a mount target with IP 10.0.2.153.

2.    Add a host entry for the mount target IP.

Add a line to the client's /etc/hosts file in the format mount-target-IP-address file-system-ID.efs.region.amazonaws.com, so that the mount helper's DNS lookup of the file system name resolves to the mount target you chose in step 1.

echo "10.0.2.153 fs-cee4feb7.efs.us-east-2.amazonaws.com" | sudo tee -a /etc/hosts

3.    Mount your file system.

Use the mount helper to mount your file system. First, make sure that the mount helper is installed, then create a directory to mount to, and then mount. The example below installs the mount helper on a host running Amazon Linux, creates a directory, and then performs the mount using IAM credentials.

sudo yum install -y amazon-efs-utils
sudo mkdir /efs/
sudo mount -t efs -o tls,iam fs-cee4feb7 /efs/

The following example mounts the file system using an access point.

sudo yum install -y amazon-efs-utils
sudo mkdir /efs/
sudo mount -t efs -o tls,iam,accesspoint=fsap-0b370416e358edbfd fs-cee4feb7 /efs/
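The following added example (not part of the original article) automates the selection in steps 1 and 2: it takes captured output of the two CLI calls above, matches the client's AZ on ZoneId rather than zone name, and produces the /etc/hosts line. The JSON inputs are constructed from the article's sample values; in practice you feed it the live output of describe-availability-zones and describe-mount-targets.

```python
import json

# Constructed sample: output of `aws ec2 describe-availability-zones --zone-name ...`
AZ_JSON = """{"AvailabilityZones": [{"State": "available", "ZoneName": "us-east-2b",
  "Messages": [], "ZoneId": "use2-az2", "RegionName": "us-east-2"}]}"""

# Constructed sample: output of `aws efs describe-mount-targets --file-system-id fs-cee4feb7`
MT_JSON = """{"MountTargets": [
  {"MountTargetId": "fsmt-a9c3a1d0", "AvailabilityZoneId": "use2-az2",
   "AvailabilityZoneName": "us-east-2b", "FileSystemId": "fs-cee4feb7",
   "LifeCycleState": "available", "IpAddress": "10.0.2.153"},
  {"MountTargetId": "fsmt-b7c3a1ce", "AvailabilityZoneId": "use2-az3",
   "AvailabilityZoneName": "us-east-2c", "FileSystemId": "fs-cee4feb7",
   "LifeCycleState": "available", "IpAddress": "10.0.3.107"}]}"""


def local_az_id(describe_az_output: str) -> str:
    """ZoneId of the single zone returned for the client instance's zone name."""
    zones = json.loads(describe_az_output)["AvailabilityZones"]
    if len(zones) != 1:
        raise ValueError(f"expected exactly one zone, got {len(zones)}")
    return zones[0]["ZoneId"]


def select_mount_target_ip(describe_mt_output: str, fs_id: str, az_id: str) -> str:
    """IP of the available mount target of fs_id in AZ ID az_id.

    Matching on AvailabilityZoneId rather than the zone name is what keeps this
    correct across accounts, where "us-east-2b" can map to a different AZ.
    """
    candidates = [
        mt for mt in json.loads(describe_mt_output)["MountTargets"]
        if mt["FileSystemId"] == fs_id
        and mt["AvailabilityZoneId"] == az_id
        and mt["LifeCycleState"] == "available"
    ]
    if not candidates:
        raise LookupError(f"no available mount target for {fs_id} in {az_id}")
    return candidates[0]["IpAddress"]


def hosts_entry(ip: str, fs_id: str, region: str) -> str:
    """The /etc/hosts line that lets the mount helper resolve the file system name."""
    return f"{ip} {fs_id}.efs.{region}.amazonaws.com"


if __name__ == "__main__":
    ip = select_mount_target_ip(MT_JSON, "fs-cee4feb7", local_az_id(AZ_JSON))
    print(hosts_entry(ip, "fs-cee4feb7", "us-east-2"))  # 10.0.2.153 fs-cee4feb7.efs.us-east-2.amazonaws.com
```

Pipe the printed line into `sudo tee -a /etc/hosts` as in step 2, then run the mount command from step 3; a LookupError means the file system has no available mount target in the client's AZ ID, which is the cross-account mismatch the article warns about.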
