How can I troubleshoot Lambda function invoke issues with Amazon EFS integration?


I invoked an AWS Lambda function with Amazon Elastic File System (Amazon EFS) integration and received an error message.

Short description

The following are prerequisites for mounting Amazon EFS access points with Lambda:

  • The Lambda function's execution role must have the following elasticfilesystem permissions:
    elasticfilesystem:ClientMount
    elasticfilesystem:ClientWrite (not required for read-only connections)
  • Your AWS Identity and Access Management (IAM) user must have the following permissions:
    elasticfilesystem:DescribeMountTargets
  • The EFS File System security group must allow NFS (port 2049) inbound traffic from the Lambda security group or IP address range.
  • The Lambda security group must allow NFS (port 2049) outbound traffic to the EFS security group or IP address range.
  • The Lambda function and Amazon EFS access points must be in the same AWS Region and Availability Zone.

For more information, see How do I create the correct EFS access point configuration to mount my file system using a Lambda function?
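
The IAM and security group prerequisites above can be checked before the first invoke. The following is an added example, not AWS's own code: it evaluates constructed data shaped like an IAM policy document and EC2 DescribeSecurityGroups output. The function names and security group IDs are hypothetical, and only rules that reference a security group are evaluated (not IP address ranges).

```python
# Added example: offline pre-flight check of the Lambda/EFS prerequisites.
from fnmatch import fnmatchcase

NFS_PORT = 2049

def granted(policy, wanted):
    """Wanted actions matched by an Allow statement (Deny, Resource, Condition are not evaluated)."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    hits = set()
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        acts = s.get("Action", [])
        acts = [acts] if isinstance(acts, str) else acts
        # IAM action names are case-insensitive and may contain wildcards.
        hits |= {w for w in wanted if any(fnmatchcase(w.lower(), a.lower()) for a in acts)}
    return hits

def allows_nfs(rules, peer_sg):
    """True if a rule covers TCP 2049 and references peer_sg (CIDR-based rules are not evaluated)."""
    for r in rules:
        proto = r.get("IpProtocol")
        covers = proto == "-1" or (
            proto == "tcp" and r.get("FromPort", 0) <= NFS_PORT <= r.get("ToPort", 65535))
        if covers and any(p.get("GroupId") == peer_sg for p in r.get("UserIdGroupPairs", [])):
            return True
    return False

def preflight(role_policy, lambda_sg, efs_sg, read_only=False):
    """Return a list of unmet prerequisites; an empty list means none were found."""
    needed = ["elasticfilesystem:ClientMount"] + ([] if read_only else ["elasticfilesystem:ClientWrite"])
    have = granted(role_policy, needed)
    findings = [f"execution role lacks {a}" for a in needed if a not in have]
    if not allows_nfs(efs_sg["IpPermissions"], lambda_sg["GroupId"]):
        findings.append("EFS security group: no inbound TCP 2049 from the Lambda security group")
    if not allows_nfs(lambda_sg["IpPermissionsEgress"], efs_sg["GroupId"]):
        findings.append("Lambda security group: no outbound TCP 2049 to the EFS security group")
    return findings

# Constructed sample data (hypothetical IDs): write permission and NFS egress are missing.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "elasticfilesystem:ClientMount", "Resource": "*"}]}
LAMBDA_SG = {"GroupId": "sg-lambda-example", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
EFS_SG = {"GroupId": "sg-efs-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
     "UserIdGroupPairs": [{"GroupId": "sg-lambda-example"}]}]}
```

Calling preflight(ROLE_POLICY, LAMBDA_SG, EFS_SG) on the sample data reports the missing elasticfilesystem:ClientWrite permission and the missing outbound NFS rule.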

Resolution

Follow these troubleshooting steps for the error message with your Lambda function.

EFSMountFailureException:

The Lambda function couldn't mount the configured EFS file system due to a permission or configuration issue. Check the Lambda function's permissions. Then, confirm that the EFS file system and access point exist and are ready for use. For more information, see Function could not mount the EFS file system.

EFSMountConnectivityException:

The Lambda function couldn't make a network connection to the configured EFS file system with the NFS protocol (TCP port 2049). Check the security group and routing configuration for the Amazon Virtual Private Cloud (Amazon VPC) subnets. For more information, see Function could not connect to the EFS file system.

EFSMountTimeoutException:

The Lambda function was able to make a network connection to the configured EFS file system, but the mount operation timed out. Retry invoking the Lambda function. If the Lambda function times out again, then limit the function's reserved concurrency to reduce the load volume on the EFS file system. For more information, see Function could not mount the EFS file system due to timeout.

PermissionError: Permission denied: '/mnt/xyz/abc':

Lambda doesn't have access to the specified Amazon EFS access point. To troubleshoot Amazon EFS access points, see What are common EFS access point configurations?

For more information, see Troubleshoot invocation issues in Lambda.

Related information

Working with Amazon EFS access points

AWS OFFICIAL
Updated a year ago
2 Comments

If you receive an EFSMountFailureException and have checked all of the IAM permissions listed above, check that the root directory in the access point configuration exists. If that directory does not exist, you will not see any errors in CloudTrail and the Lambda error message will simply be the same generic failure as everything else:

The function couldn't mount the Amazon EFS file system with access point arn:aws:elasticfilesystem:… (Service: AWSLambda; Status Code: 403; Error Code: EFSMountFailureException; Request ID: d7a85d64-566b-4e0d-8bc7-511129a91886; Proxy: null)
acdha
replied 4 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 4 months ago