
I have an EFS Filesystem with the file system (resource) policy below. With "AWS":"*" for the principal, my Fargate task mounts it OK, can write to it and read from it. As I understand it, however, this really allows the entirety of AWS to also mount my filesystem, so it's not what I want.

I'd like to limit the EFS volume to the Fargate task only. How do I do this?

The Fargate task assumes (task execution role) the role my-fargate-role when it gets spun up by the cluster/service. If I place the ARN of this role as the principal in the EFS policy (in place of the "*"), the task is not able to mount the file system and the task error certainly looks to be access related:

Task stopped at: 3/14/2023, 18:35:47 UTC ResourceInitializationError: failed to invoke EFS utils commands to set up EFS volumes: stderr: b'mount.nfs4: access denied by server while mounting 127.0.0.1:/' : unsuccessful EFS utils command execution; code: 32

EFS file system policy

{
    "Version": "2012-10-17",
    "Id": "my-app-efs-pol",
    "Statement": [
        {
            "Sid": "my-app-efs-pol-sid",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123123123123:role/my-fargate-role"
            },
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite",
                "elasticfilesystem:ClientRootAccess",
                "elasticfilesystem:DescribeMountTargets"
            ],
            "Resource": "arn:aws:elasticfilesystem:us-east-1:123123123123:file-system/fs-0d12312312312312c",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "true",
                    "elasticfilesystem:AccessedViaMountTarget": "true"
                }
            }
        }
    ]
}

my-fargate-role contains the following JSON in an attached policy. There are two other attachments dealing with SSM and task execution which I don't think are in scope of the EFS issue.

As I understand it, the "Resource": "*" gives this role access to perform any of the listed actions on any resource in my account. I guess this is fine for now? The resource isn't limiting in the IAM policy so I don't think this is germane to the issue but... maybe not?

Attached policy on my-fargate-role

{
    "Statement": [
        {
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientRootAccess",
                "elasticfilesystem:ClientWrite",
                "elasticfilesystem:CreateFileSystem",
                "elasticfilesystem:CreateMountTarget",
                "elasticfilesystem:DescribeMountTargets"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}
Nstevens
  • I couldn't get this to work using IAM roles. I probably have a comma or colon in the wrong place. Ended up restricting by CIDR (https://stackoverflow.com/questions/36618285/s3-policy-allow-multiple-ips-at-the-same-statement). – Nstevens Mar 20 '23 at 14:37
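The question turns on three things evaluated together: the EFS file system policy, the IAM policy on the task role, and the ECS task-definition volume settings that decide whether the mount carries an IAM identity at all. The following checker is an added example, not code from the question or from AWS. The two policies are copied from the question; the task-definition volume fragment is constructed here, because the question does not show it, using the real ECS fields `transitEncryption` and `authorizationConfig.iam`. When `authorizationConfig.iam` is not ENABLED the NFS mount is anonymous, so a resource policy whose only principal is a role ARN has nothing to match and the server denies the mount; the checker reports that, along with the wildcard principal and the wildcard `Resource` the question asks about.

```python
"""Least-privilege checks for an EFS resource policy, a task-role IAM policy and
the ECS task-definition volume that ties them together (added example)."""
import copy
import json

# Copied from the question: EFS file system (resource) policy with the role as principal.
EFS_POLICY = {
    "Version": "2012-10-17",
    "Id": "my-app-efs-pol",
    "Statement": [{
        "Sid": "my-app-efs-pol-sid",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123123123123:role/my-fargate-role"},
        "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite",
                   "elasticfilesystem:ClientRootAccess", "elasticfilesystem:DescribeMountTargets"],
        "Resource": "arn:aws:elasticfilesystem:us-east-1:123123123123:file-system/fs-0d12312312312312c",
        "Condition": {"Bool": {"aws:SecureTransport": "true",
                               "elasticfilesystem:AccessedViaMountTarget": "true"}},
    }],
}

# Copied from the question: policy attached to my-fargate-role.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientRootAccess",
                   "elasticfilesystem:ClientWrite", "elasticfilesystem:CreateFileSystem",
                   "elasticfilesystem:CreateMountTarget", "elasticfilesystem:DescribeMountTargets"],
        "Resource": "*",
    }],
}

# Constructed sample (not from the question): one "volumes" entry of an ECS task definition.
# EFS only sees an IAM identity when authorizationConfig.iam is ENABLED, and that in turn
# requires transitEncryption ENABLED.
TASK_VOLUME_WEAK = {
    "name": "my-app-data",
    "efsVolumeConfiguration": {"fileSystemId": "fs-0d12312312312312c",
                               "transitEncryption": "DISABLED",
                               "authorizationConfig": {"iam": "DISABLED"}},
}
TASK_VOLUME_HARDENED = copy.deepcopy(TASK_VOLUME_WEAK)
TASK_VOLUME_HARDENED["efsVolumeConfiguration"].update(
    {"transitEncryption": "ENABLED", "authorizationConfig": {"iam": "ENABLED"}})


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_efs_policy(policy: dict) -> list:
    """Flag permissive settings in an EFS file system (resource) policy."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            findings.append(f"{sid}: Principal AWS:* lets any AWS principal request access")
        bools = stmt.get("Condition", {}).get("Bool", {})
        if str(bools.get("aws:SecureTransport", "")).lower() != "true":
            findings.append(f"{sid}: no aws:SecureTransport condition, so TLS is not required")
        if "elasticfilesystem:ClientRootAccess" in _as_list(stmt.get("Action", [])):
            findings.append(f"{sid}: grants ClientRootAccess (root on the file system)")
    return findings


def lint_role_policy(policy: dict) -> list:
    """Flag wildcard resources in the IAM policy attached to the task role."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", [])):
            n = len(_as_list(stmt.get("Action", [])))
            findings.append(f"Resource * for {n} action(s); scope to the file-system ARN")
    return findings


def lint_task_volume(volume: dict) -> list:
    """Check the task-definition volume settings that EFS IAM authorization depends on."""
    cfg = volume.get("efsVolumeConfiguration", {})
    name = volume.get("name", "<unnamed>")
    findings = []
    if cfg.get("transitEncryption") != "ENABLED":
        findings.append(f"{name}: transitEncryption is not ENABLED")
    if cfg.get("authorizationConfig", {}).get("iam") != "ENABLED":
        findings.append(f"{name}: authorizationConfig.iam is not ENABLED; the mount is anonymous "
                        "and a role-only principal in the file system policy cannot match")
    return findings


def wildcard_efs_policy() -> dict:
    """The question's first, working variant: the same policy with Principal AWS:*."""
    p = copy.deepcopy(EFS_POLICY)
    p["Statement"][0]["Principal"] = {"AWS": "*"}
    return p


if __name__ == "__main__":
    report = {"efs_policy": lint_efs_policy(EFS_POLICY),
              "efs_policy_wildcard": lint_efs_policy(wildcard_efs_policy()),
              "role_policy": lint_role_policy(ROLE_POLICY),
              "task_volume": lint_task_volume(TASK_VOLUME_WEAK)}
    print(json.dumps(report, indent=2))
```

Run as a script it prints one finding list per input; the role-scoped EFS policy from the question passes everything except the informational ClientRootAccess note, while the wildcard variant and the constructed DISABLED volume settings are flagged.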

0 Answers