How do I create the correct EFS access point configuration to mount my file system using a Lambda function?


I want to create an Amazon Elastic File System (Amazon EFS) access point mount using AWS Lambda. How can I do this and what are the working and non-working access point configurations?

Resolution

Prerequisites

The following are prerequisites for mounting EFS access points with Lambda:

  • The Lambda function's execution role must have the following elasticfilesystem permissions:
    • elasticfilesystem:ClientMount
    • elasticfilesystem:ClientWrite (not required for read-only connections)
  • Your AWS Identity and Access Management (IAM) user must have the following permission:
    • elasticfilesystem:DescribeMountTargets
    For more information, see Configuring a file system and access point.
  • Inbound NFS traffic (port 2049) must be allowed in the security group for the EFS file system.
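As an added example (not part of the original article), the following is an IAM policy statement for the Lambda execution role that grants only the two elasticfilesystem permissions listed above and, as a least-privilege measure, scopes them to a single access point with the elasticfilesystem:AccessPointArn condition key. The account ID, Region, and access point ID (fsap-...) are placeholders; fs-12345678 is the file system ID used later in this article. A function attached to a VPC still needs the usual network-interface permissions (for example, from the AWSLambdaVPCAccessExecutionRole managed policy), which this statement does not cover.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "MountOneAccessPointOnly",
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:ClientMount",
        "elasticfilesystem:ClientWrite"
      ],
      "Resource": "arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-12345678",
      "Condition": {
        "StringEquals": {
          "elasticfilesystem:AccessPointArn": "arn:aws:elasticfilesystem:us-east-1:123456789012:access-point/fsap-0123456789abcdef0"
        }
      }
    }
  ]
}
```

Drop elasticfilesystem:ClientWrite from the Action list for functions that only read from the file system; the condition then still prevents the role from mounting the file system through any other access point or directly at its root.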

Creating an access point using Lambda

  1. Open the Functions page of the Lambda console.
  2. Choose a function.
  3. Choose Configuration, File systems.
  4. Under File system, choose Add file system.
  5. Configure the following properties:
  • EFS file system: The access point for a file system in the same VPC.
  • Local mount path: The location where the file system is mounted on the Lambda function, starting with /mnt/. For example, /mnt/lambda.

Amazon EFS automatically creates the root directory, with the ownership and permissions you specify, only if you provide all three of the following creation info values:

  • OwnerUid
  • OwnerGid
  • Permissions for the directory (the POSIX mode, for example 755)

Note: Amazon EFS treats a user or group ID set to 0 in the access point as the root user.

For more information, see Creating the root directory for an access point.

EFS access point configuration examples

Note: The root directory of the access point is /efsaccesspoint. Mounting file system fs-12345678:/ using this access point is the same as mounting fs-12345678:/efsaccesspoint without this access point.

Working configurations

Configuration 1:

  • Root directory path: /efs (/efs doesn't exist)
  • POSIX user: EMPTY
  • Creation info: 1000:1000 (777)

Configuration 2:

  • Root directory path: /efs (/efs doesn't exist)
  • POSIX user: 1000:1000
  • Creation info: 1000:1000 (777, 775, or 755)

Configuration 3:

  • Root directory path: /efs (/efs exists)
  • POSIX user: 1000:1000
  • Creation info: EMPTY

Configuration 4:

  • Root directory path: /efs (/efs doesn't exist)
  • POSIX user: 0:0
  • Creation info: 1000:1000 (755)

Configuration 5:

  • Root directory path: /efs (/efs doesn't exist)
  • POSIX user: 0:0
  • Creation info: 1000:1000 (775)

Configuration 6:

  • Root directory path: /efs (/efs doesn't exist)
  • POSIX user: 0:0
  • Creation info: 1000:1000 (777)

Non-working configurations

The following access point configuration results in an error when accessing EFS using a Lambda function:

  • Root directory path: /efs (/efs doesn't exist)
  • POSIX user: 1000:1000
  • Creation info: EMPTY

You must provide POSIX user information if your use case requires performing write operations from an AWS Lambda function to the EFS mounted path. If POSIX user information isn't provided, write operations fail with Permission denied errors. For instructions on adding POSIX user information, see the preceding section, Creating an access point using Lambda.
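The following Python script is an added example, not AWS code. It encodes the two rules from this article as checks (the root directory must either already exist or have creation info so that EFS can create it; a POSIX user is required for write access) and then emits the request bodies for CreateAccessPoint and for the Lambda function's FileSystemConfigs in the field names the EFS and Lambda APIs use (PosixUser.Uid/Gid, RootDirectory.CreationInfo.OwnerUid/OwnerGid/Permissions, FileSystemConfigs[].Arn/LocalMountPath). The file system ID fs-12345678 comes from the article; the access point ARN and the AccessPointSpec type are constructed for this example. The script does not call AWS; pass its output to `aws efs create-access-point --cli-input-json` or `aws lambda update-function-configuration --cli-input-json` yourself.

```python
"""Check EFS access point configurations against the article's rules and
build the matching API request bodies. Added example; not AWS's own code."""
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AccessPointSpec:
    """One row of the configuration tables above (constructed type)."""
    path: str                                    # root directory path on the file system
    path_exists: bool                            # whether that directory already exists
    posix_user: Optional[Tuple[int, int]]        # (uid, gid), or None for EMPTY
    creation_info: Optional[Tuple[int, int, str]]  # (owner uid, owner gid, mode), or None


def validate(spec: AccessPointSpec) -> List[str]:
    """Return the problems that would make the mount fail; [] means it works."""
    problems = []
    if not spec.path.startswith("/"):
        problems.append("root directory path must be absolute")
    # The non-working configuration: EFS cannot create a missing root directory
    # without creation info, so the Lambda mount errors out.
    if not spec.path_exists and spec.creation_info is None:
        problems.append("root directory does not exist and no creation info was given")
    return problems


def write_allowed(spec: AccessPointSpec) -> bool:
    """Per the article, writes from Lambda need a POSIX user on the access point."""
    return spec.posix_user is not None


def access_point_request(file_system_id: str, spec: AccessPointSpec) -> dict:
    """Body for CreateAccessPoint using the API's field names."""
    request = {"FileSystemId": file_system_id, "RootDirectory": {"Path": spec.path}}
    if spec.posix_user is not None:
        uid, gid = spec.posix_user
        request["PosixUser"] = {"Uid": uid, "Gid": gid}
    if spec.creation_info is not None:
        owner_uid, owner_gid, mode = spec.creation_info
        request["RootDirectory"]["CreationInfo"] = {
            "OwnerUid": owner_uid,
            "OwnerGid": owner_gid,
            "Permissions": mode,
        }
    return request


def lambda_mount_config(access_point_arn: str, local_mount_path: str) -> dict:
    """FileSystemConfigs body for UpdateFunctionConfiguration; path must be under /mnt/."""
    if not local_mount_path.startswith("/mnt/") or local_mount_path == "/mnt/":
        raise ValueError("LocalMountPath must start with /mnt/ followed by a directory name")
    return {"FileSystemConfigs": [{"Arn": access_point_arn, "LocalMountPath": local_mount_path}]}


# The article's configurations (constructed from the tables above).
CONFIG_1 = AccessPointSpec("/efs", False, None, (1000, 1000, "777"))
CONFIG_3 = AccessPointSpec("/efs", True, (1000, 1000), None)
CONFIG_4 = AccessPointSpec("/efs", False, (0, 0), (1000, 1000, "755"))
NON_WORKING = AccessPointSpec("/efs", False, (1000, 1000), None)

if __name__ == "__main__":
    for name, spec in [("config 1", CONFIG_1), ("config 3", CONFIG_3),
                       ("config 4", CONFIG_4), ("non-working", NON_WORKING)]:
        problems = validate(spec)
        status = "FAILS: " + "; ".join(problems) if problems else "works"
        if not problems and not write_allowed(spec):
            status += " (read-only: no POSIX user, writes get Permission denied)"
        print(f"{name}: {status}")
    print(json.dumps(access_point_request("fs-12345678", CONFIG_4), indent=2))
    # Placeholder ARN; substitute the ARN returned by CreateAccessPoint.
    print(json.dumps(lambda_mount_config(
        "arn:aws:elasticfilesystem:us-east-1:123456789012:access-point/fsap-0123456789abcdef0",
        "/mnt/lambda"), indent=2))
```

Running the script reports configuration 1 as working but read-only, configuration 3 and 4 as working, and the non-working configuration as failing because the root directory is missing and no creation info was supplied, which matches the tables above.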


Related information

Working with Amazon EFS access points

AWS OFFICIAL. Updated 2 years ago.