I have an EFS file system policy below[2]. Using the principal of AWS:* allows my Fargate task to mount the file system. I'd like to tighten up the principal but can't figure out what works. Going off some documentation here, I've tried[1] principals similar to the examples (with my account ID substituted) but the task fails to start with errors
like unsuccessful EFS utils command execution; code: 32. I don't get if the error is coming from missing taskRole/taskExecutionRole policies, or rather something missing for the Fargate service/cluster/assumed role itself.
Do I need to add a Role Session principal (since Fargate is assuming my role at some point to launch the task) and if so how do I find out what that is?
Secondly, is there any better way to debug errors like these than just burn-and-learn? All I have in Cloudtrail is stuff like "Trying something, something failed, obscure error #"
[1]
"Principal": { "AWS": "arn:aws:iam::123456789012:root" }
"Principal": { "AWS": "123456789012" }
[2] EFS policy
{
"Version": "2012-10-17",
"Id": "my-app-efs-pol",
"Statement": [
{
"Sid": "my-app-efs-pol-sid",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"elasticfilesystem:ClientMount",
"elasticfilesystem:ClientWrite",
"elasticfilesystem:ClientRootAccess",
"elasticfilesystem:DescribeMountTargets"
],
"Resource": "arn:aws:elasticfilesystem:us-east-1:<myaccount_id>:file-system/fs-<filesystemid>",
"Condition": {
"Bool": {
"aws:SecureTransport": "true",
"elasticfilesystem:AccessedViaMountTarget": "true"
}
}
}
]
}
AWS OFFICIALUpdated 3 months ago
I added "elasticfilesystem:CreateMountTarget" to the EFS policy OK, but adding "elasticfilesystem:CreateFileSystem" generates "Invalid policy" error in the File System Policy tab. Both of those links are quite broad. For instance "Mounting with IAM authorization", in your second link, demos how to specify an IAM role using sudo at the command line. That might help for debugging, but I'm not clear how to limit access by IAM role instead of just "AWS": "*"