What principal do I need to mount EFS volume in Fargate task


I have an EFS file system policy below[2]. Using the principal of AWS:* allows my Fargate task to mount the file system. I'd like to tighten up the principal but can't figure out what works. Going off some documentation here, I've tried[1] principals similar to the examples (with my account ID substituted) but the task fails to start with errors like unsuccessful EFS utils command execution; code: 32. I don't get if the error is coming from missing taskRole/taskExecutionRole policies, or rather something missing for the Fargate service/cluster/assumed role itself.

Do I need to add a Role Session principal (since Fargate is assuming my role at some point to launch the task) and if so how do I find out what that is?

Secondly, is there any better way to debug errors like these than just burn-and-learn? All I have in Cloudtrail is stuff like "Trying something, something failed, obscure error #"


"Principal": { "AWS": "arn:aws:iam::123456789012:root" }
"Principal": { "AWS": "123456789012" }

[2] EFS policy

    "Version": "2012-10-17",
    "Id": "my-app-efs-pol",
    "Statement": [
            "Sid": "my-app-efs-pol-sid",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            "Action": [
            "Resource": "arn:aws:elasticfilesystem:us-east-1:<myaccount_id>:file-system/fs-<filesystemid>",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "true",
                    "elasticfilesystem:AccessedViaMountTarget": "true"
1 Answer

Can you try, for number 1. https://docs.amazonaws.cn/en_us/efs/latest/ug/access-control-overview.html


On number 2, try this: https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-iam-permission-errors/

profile pictureAWS
answered a year ago
  • I added "elasticfilesystem:CreateMountTarget" to the EFS policy OK, but adding "elasticfilesystem:CreateFileSystem" generates "Invalid policy" error in the File System Policy tab. Both of those links are quite broad. For instance "Mounting with IAM authorization", in your second link, demos how to specify an IAM role using sudo at the command line. That might help for debugging, but I'm not clear how to limit access by IAM role instead of just "AWS": "*"

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions