Ivan Bliskavka

Fargate + EFS Permissions using CDK

I struggled WAY too long trying to sort out the permissions for EFS. Turns out, there are two layers: the IAM role and the POSIX permissions. Both throw a similar-looking "access denied". Finally!

Don't judge me on the single AZ. I am running a single task in Fargate and only need one instance.

```typescript
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as ecs from 'aws-cdk-lib/aws-ecs';
import * as iam from 'aws-cdk-lib/aws-iam';
import { AccessPoint, FileSystem, PerformanceMode } from 'aws-cdk-lib/aws-efs';

const { vpc, az, region, account } = props;

const fileSystem = new FileSystem(this, 'Efs', {
  vpc,
  performanceMode: PerformanceMode.GENERAL_PURPOSE,
  vpcSubnets: {
    subnetType: ec2.SubnetType.PUBLIC,
    onePerAz: true,
    availabilityZones: [az],
  },
});

// Layer 2: POSIX permissions. The access point pins the uid/gid the container
// acts as and creates the root directory with matching ownership.
// The post's own posixUser/createAcl values were lost in extraction; the
// values below are assumed.
const accessPoint = new AccessPoint(this, 'AccessPoint', {
  fileSystem: fileSystem,
  posixUser: { uid: '1000', gid: '1000' },
  createAcl: { ownerUid: '1000', ownerGid: '1000', permissions: '750' },
});

const task = new ecs.FargateTaskDefinition(this, 'Task', {
  cpu: 256,
  memoryLimitMiB: 512,
});

const volumeName = 'efs-volume';

// Mount through the access point, with TLS in transit and IAM authorization.
task.addVolume({
  name: volumeName,
  efsVolumeConfiguration: {
    fileSystemId: fileSystem.fileSystemId,
    transitEncryption: 'ENABLED',
    authorizationConfig: {
      accessPointId: accessPoint.accessPointId,
      iam: 'ENABLED',
    },
  },
});

const container = task.addContainer('Container', {
  image: ecs.ContainerImage.fromAsset('./container'),
  portMappings: [{ hostPort: 80, containerPort: 80 }],
});

container.addMountPoints({
  containerPath: '/mount/data',
  sourceVolume: volumeName,
  readOnly: false,
});

// Layer 1: the IAM role. These go on the task role (the identity the
// container runs as), not the execution role. The post's action list was
// lost in extraction; ClientMount + ClientWrite are the standard client
// actions and are assumed here.
task.addToTaskRolePolicy(
  new iam.PolicyStatement({
    actions: ['elasticfilesystem:ClientMount', 'elasticfilesystem:ClientWrite'],
    resources: [`arn:aws:elasticfilesystem:${region}:${account}:file-system/${fileSystem.fileSystemId}`],
  }),
);

task.addToTaskRolePolicy(
  new iam.PolicyStatement({
    actions: ['ec2:DescribeAvailabilityZones'],
    resources: ['*'],
  }),
);
```
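One caveat the snippet above does not cover: `iam: 'ENABLED'` on the volume only makes the task present its role credentials; whether EFS actually requires them is decided by the file system's own resource policy, and without one the default policy lets any client that can reach a mount target in. The block below is an added example, not code from the original post: it builds that policy for the setup above (ARN inputs are constructed, and the `fileSystemPolicy` CDK wiring in the trailing comment is an assumption).

```typescript
// Added example, not code from the original post. Builds the EFS file system
// resource policy that enforces, on the server side, what `iam: 'ENABLED'` and
// `transitEncryption: 'ENABLED'` request on the client side. With no policy,
// EFS's default policy grants access to any client that can reach a mount target.
interface EfsPolicyInputs {
  fileSystemArn: string;  // arn:aws:elasticfilesystem:<region>:<account>:file-system/<id>
  accessPointArn: string; // arn:aws:elasticfilesystem:<region>:<account>:access-point/<id>
  taskRoleArn: string;    // the Fargate task role that mounts the volume
}

interface IamStatement {
  Sid: string;
  Effect: 'Allow' | 'Deny';
  Principal: { AWS: string } | '*';
  Action: string[];
  Resource: string;
  Condition: Record<string, Record<string, string>>;
}

function buildEfsFileSystemPolicy(p: EfsPolicyInputs): { Version: string; Statement: IamStatement[] } {
  return {
    Version: '2012-10-17',
    Statement: [
      {
        // Only the task role may mount/write, and only through the access point
        // whose posixUser pins the uid/gid (the POSIX layer from the post).
        Sid: 'AllowTaskRoleViaAccessPoint',
        Effect: 'Allow',
        Principal: { AWS: p.taskRoleArn },
        Action: ['elasticfilesystem:ClientMount', 'elasticfilesystem:ClientWrite'],
        Resource: p.fileSystemArn,
        Condition: { StringEquals: { 'elasticfilesystem:AccessPointArn': p.accessPointArn } },
      },
      {
        // Reject any NFS client that did not negotiate TLS; transitEncryption: 'ENABLED' satisfies this.
        Sid: 'DenyUnencryptedTransport',
        Effect: 'Deny',
        Principal: '*',
        Action: ['elasticfilesystem:*'],
        Resource: p.fileSystemArn,
        Condition: { Bool: { 'aws:SecureTransport': 'false' } },
      },
    ],
  };
}

// Assumed CDK wiring (not from the post): pass the document as the file system policy, e.g.
//   new FileSystem(this, 'Efs', { ..., fileSystemPolicy: iam.PolicyDocument.fromJson(buildEfsFileSystemPolicy({...})) })
```

`elasticfilesystem:ClientRootAccess` is deliberately left out; grant it only if the container genuinely needs root on the mount.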

I hope this saves someone a headache!

Originally posted on my blog