Ivan Bliskavka

Fargate + EFS Permissions using CDK

I struggled WAY too long trying to sort out the permissions for EFS. It turns out there are two layers: the IAM permissions on the task role (enforced when the volume is mounted with IAM authorization enabled), and the POSIX permissions (uid, gid and mode) on the files themselves. Both show up as a similar-looking access denied. Finally!

Don't judge me on the single AZ. I am running a single task in Fargate and only need one instance. The mount target also sits in a public subnet here; a mount target only ever gets a private IP, so what actually controls who can reach it is the file system's security group, which has to allow NFS (TCP 2049) from the task's security group or the mount never gets as far as either permission check.

```typescript
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as ecs from 'aws-cdk-lib/aws-ecs';
import * as iam from 'aws-cdk-lib/aws-iam';
import { AccessPoint, FileSystem, PerformanceMode } from 'aws-cdk-lib/aws-efs';

const { vpc, az, region, account } = props;

// One mount target, in the single AZ the task runs in.
const fileSystem = new FileSystem(this, 'Efs', {
  vpc,
  performanceMode: PerformanceMode.GENERAL_PURPOSE,
  vpcSubnets: {
    subnetType: ec2.SubnetType.PUBLIC,
    onePerAz: true,
    availabilityZones: [az]
  }
});

// No posixUser / createAcl here, so the container's own uid/gid is what the
// NFS server checks against the file modes: that is the POSIX layer.
const accessPoint = new AccessPoint(this, 'AccessPoint', {
  fileSystem: fileSystem,
});

const task = new ecs.FargateTaskDefinition(this, 'Task', {
  cpu: 256,
  memoryLimitMiB: 512
});

const volumeName = 'efs-volume';

task.addVolume({
  name: volumeName,
  efsVolumeConfiguration: {
    fileSystemId: fileSystem.fileSystemId,
    transitEncryption: 'ENABLED',   // required whenever IAM authorization is on
    authorizationConfig: {
      accessPointId: accessPoint.accessPointId,
      iam: 'ENABLED'                // the mount is authorized with the task role
    }
  }
});

const container = task.addContainer('Container', {
  image: ecs.ContainerImage.fromAsset('./container'),
  portMappings: [{ hostPort: 80, containerPort: 80 }],
});

container.addMountPoints({
  containerPath: '/mount/data',
  sourceVolume: volumeName,
  readOnly: false
});

// IAM layer: the task role must be allowed to mount and write. ClientRootAccess
// is what lets root inside the container act as root on the file system;
// without it root is squashed. The ARN below is the same as fileSystem.fileSystemArn.
task.addToTaskRolePolicy(
  new iam.PolicyStatement({
    actions: [
      'elasticfilesystem:ClientRootAccess',
      'elasticfilesystem:ClientWrite',
      'elasticfilesystem:ClientMount',
      'elasticfilesystem:DescribeMountTargets'
    ],
    resources: [`arn:aws:elasticfilesystem:${region}:${account}:file-system/${fileSystem.fileSystemId}`]
  })
);

task.addToTaskRolePolicy(
  new iam.PolicyStatement({
    actions: ['ec2:DescribeAvailabilityZones'],
    resources: ['*']
  })
);
```

I hope this saves someone a headache!

Originally posted on my blog
