Why am I unable to mount my Amazon EFS volumes on my AWS Fargate tasks?
Last updated: 2022-09-14
I'm getting errors when I mount my Amazon Elastic File System (Amazon EFS) volumes on my AWS Fargate tasks.
Amazon EFS provides a persistent storage solution for your Fargate tasks to share files and data across different tasks.
You might be unable to mount your Amazon EFS volumes on your Fargate tasks due to one or more of the following reasons:
- The Amazon EFS file system isn't configured correctly.
- The Amazon Elastic Container Service (Amazon ECS) task IAM role doesn't have the required permissions.
- There are issues related to network and Amazon Virtual Private Cloud (Amazon VPC) configurations.
You might get one of the following errors when you try to mount your EFS volume on your Fargate task.
ResourceInitializationError: failed to invoke EFS utils commands to set up EFS volumes: stderr: b'mount.nfs4: Connection timed out' : unsuccessful EFS utils command execution; code: 32
You get this error when your Fargate task can't connect to the EFS file system because the connection attempt times out. To resolve this error, try the following troubleshooting steps:
1. Open the Amazon EFS console.
2. In the navigation pane, choose File systems.
3. Choose the file system that you want to check by choosing its Name or the File system ID.
4. Choose Network to display the list of existing mount targets.
5. Choose Manage.
You can view the security group and the security group's inbound rules for the mount targets.
Be sure that the inbound rule for the security group allows traffic from the Fargate task security group on port 2049. Also, check whether network traffic is allowed at the subnet level by verifying that the network access control list allows traffic between the file system and task. If the traffic is not allowed, then modify the rules accordingly. For more information, see the Security section of VPC with public and private subnets (NAT).
ResourceInitializationError: failed to invoke EFS utils commands to set up EFS volumes: stderr: mount.nfs4: Connection reset by peer : unsuccessful EFS utils command execution; code: 32
You get this error under the following conditions:
- You mounted the EFS file system immediately after creating the file system.
- The security group for the mount target doesn't allow inbound traffic from Fargate tasks on port 2049.
To troubleshoot this error, follow these steps:
- Up to 90 seconds can elapse for the DNS records to propagate completely in a Region after creating a mount target. Therefore, if you're programmatically creating and mounting the file systems, for example with an AWS CloudFormation template, it's a best practice to implement a wait condition to avoid this issue.
- Be sure that the inbound rule for the security group attached to the EFS file system mount targets allows traffic on port 2049 from Fargate tasks.
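The port 2049 check that applies to both the "Connection timed out" and "Connection reset by peer" errors can be run offline against saved security group data. This is an added example, not AWS code: the function names, security group IDs and task IP are constructed, and the dictionaries follow the IpPermissions shape returned by the EC2 DescribeSecurityGroups API.

```python
import ipaddress

NFS_PORT = 2049  # NFS port that the mount target security group must admit

def rule_covers_nfs(rule):
    """True if one IpPermissions entry covers TCP 2049."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= NFS_PORT <= rule.get("ToPort", 65535)

def nfs_sources(mount_target_sg, task_sg_ids, task_ip):
    """Return the inbound sources that let the task reach TCP 2049."""
    addr = ipaddress.ip_address(task_ip)
    sources = []
    for rule in mount_target_sg.get("IpPermissions", []):
        if not rule_covers_nfs(rule):
            continue
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") in task_sg_ids:
                sources.append(pair["GroupId"])
        for rng in rule.get("IpRanges", []):
            if addr in ipaddress.ip_network(rng["CidrIp"], strict=False):
                sources.append(rng["CidrIp"])
    return sources

# Constructed sample data (hypothetical IDs and addresses).
TASK_SG = "sg-0aaaaaaaaaaaaaaaa"
TASK_IP = "10.0.1.25"
# Opens 2049 only to an unrelated group and 443 to the task: the mount fails.
BLOCKED_SG = {"GroupId": "sg-0bbbbbbbbbbbbbbbb", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
     "UserIdGroupPairs": [{"GroupId": "sg-0cccccccccccccccc"}], "IpRanges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "UserIdGroupPairs": [{"GroupId": TASK_SG}], "IpRanges": []},
]}
# Same group after adding the rule the article asks for.
FIXED_SG = {"GroupId": "sg-0bbbbbbbbbbbbbbbb", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
     "UserIdGroupPairs": [{"GroupId": TASK_SG}], "IpRanges": []},
]}

if __name__ == "__main__":
    for name, sg in (("blocked", BLOCKED_SG), ("fixed", FIXED_SG)):
        print(name, nfs_sources(sg, {TASK_SG}, TASK_IP) or "no rule admits TCP 2049")
```

Network ACLs at the subnet level are a separate check that this example does not cover.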
ResourceInitializationError: failed to invoke EFS utils commands to set up EFS volumes: stderr: Failed to resolve "fs-xxxxxxxxxxx.efs.us-east-1.amazonaws.com" - check that your file system ID is correct
You get this error typically under one of the following conditions:
- The EFS file system mount target isn't created or available in an Availability Zone where Fargate tasks are launched.
- You're using a custom DNS server for the VPC.
- The VPC DNS hostnames are disabled. Note that DNS hostnames are disabled by default.
To resolve this error, try the following steps:
- Be sure that the EFS file system mount target is in the same Availability Zone as the Fargate task. You can view the Availability Zone, subnet, and security group of the mount target in the Amazon EFS console. Then, verify that the mount target uses the same Availability Zone and subnet as the Fargate task.
- If you specified a custom DNS server for your VPC DHCP options instead of AmazonProvidedDNS, then be sure to configure conditional DNS forwarders to send the DNS queries of AWS resources (*.amazonaws.com) to the VPC's default DNS server at VPC CIDR .2 or 169.254.169.253. For more information, see How to set up DNS resolution between on-premises networks and AWS using AWS Directory Service and Microsoft Active Directory.
ResourceInitializationError: failed to invoke EFS utils commands to set up EFS volumes: stderr: b'mount.nfs4: access denied by server while mounting 127.0.0.1:/' : unsuccessful EFS utils command execution; code: 32
You get this error when access to the file system is denied by the file system policy, task role policy, or POSIX file system level permissions.
Access to an EFS file system might be controlled by permissions defined in the network access control list, security group, EFS file system policies, ECS task role IAM policy, and POSIX file system permissions. For more information, see Developers guide to using Amazon EFS with Amazon ECS and AWS Fargate – Part 2.
To troubleshoot this error, check if the file system policy or the ECS task role IAM policy denies access to the file system. If these policies deny permissions, modify the policies to grant permissions to access the file system. If the file system policy doesn't exist, then access to the file system is granted by default to all principals during the creation of the file system.
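One way to look for the denying statement in either document, as an added example that is not AWS code: the helper names, account ID, role name and both sample policies are constructed. It is a simplified scan that matches only Effect, Action and Principal; it does not evaluate Condition, NotAction, NotPrincipal or Resource, so a statement flagged as conditional still needs a manual read.

```python
from fnmatch import fnmatchcase

MOUNT_ACTION = "elasticfilesystem:ClientMount"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _applies_to(stmt, role_arn):
    # Identity policies carry no Principal: they apply to the role they are attached to.
    if "Principal" not in stmt:
        return True
    principal = stmt["Principal"]
    if principal == "*":
        return True
    return any(p in ("*", role_arn) for p in _as_list(principal.get("AWS", [])))

def mount_denials(policy, role_arn):
    """Return (Sid, has_condition) for each Deny covering ClientMount for role_arn."""
    if not policy:  # no file system policy: access is granted by default
        return []
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatchcase(MOUNT_ACTION.lower(), a) for a in actions):
            continue
        if _applies_to(stmt, role_arn):
            hits.append((stmt.get("Sid", "<no Sid>"), "Condition" in stmt))
    return hits

# Constructed sample documents (hypothetical account ID and role name).
ROLE = "arn:aws:iam::111122223333:role/example-task-role"
FS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyWithoutTls", "Effect": "Deny", "Principal": {"AWS": "*"},
     "Action": "*", "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "AllowTaskMount", "Effect": "Allow", "Principal": {"AWS": ROLE},
     "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"]},
]}
TASK_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyAllEfs", "Effect": "Deny", "Action": "elasticfilesystem:*",
     "Resource": "*"},
]}

if __name__ == "__main__":
    print(mount_denials(FS_POLICY, ROLE))         # conditional deny: review its Condition
    print(mount_denials(TASK_ROLE_POLICY, ROLE))  # unconditional deny blocks the mount
```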