Cross account efs access point mount on lambda with root path as "/"

0

I have an EFS and a Lambda running in separate accounts. The EFS has an access point with the root directory path set to "/". I understand that for cross-account access the Lambda mount path should match the access point path for the filesystem, or we encounter errors like EACCES: permission denied. Therefore I have been trying to use just "/mnt/" as the Lambda mount point using the AWS CLI, and it is failing with an error.

I ran the below with LocalMountPath in single quotes and without quotes:

aws lambda update-function-configuration --function-name MyFunction \
--file-system-configs Arn=arn:aws:elasticfilesystem:eu-west-1:222233334444:access-point/fsap-01234567,LocalMountPath=/mnt/

I got the following error message:

An error occurred (ValidationException) when calling the UpdateFunctionConfiguration operation: 1 validation error detected: Value '/mnt/' at 'fileSystemConfigs.1.member.localMountPath' failed to satisfy constraint: Member must satisfy regular expression pattern: ^/mnt/[a-zA-Z0-9-_.]+$

The size of the current EFS access point root path is /. Being cross account, **is there a way for my Lambda to use the access point / and a local mount path of /mnt so that it stops the EACCES: permission denied errors on files it is trying to process?**

2 Answers
0
Accepted Answer

It turned out to be my POSIX ID, which was set to 1000 on the access point, whereas the files and folders had root 0 as uid and gid. I created another access point with the default root as / but with the POSIX user and owner ID set to 0. Using the new access point at /, POSIX ID 0 and Lambda mount point /mnt/efs, it worked. What I found was that we can't directly use /mnt/ as the LocalMountPath because of the regular expression pattern enforced by AWS Lambda. However, we can work around this issue by using a slightly different path, such as /mnt/efs, which adheres to the regular expression pattern and still allows you to use the EFS access point with the root directory path set to /. Thank you all for your comments and for helping with this.

answered 6 months ago
EXPERT
reviewed a day ago
0

To mount a file system in another AWS account, run the following command. Use your own function name and replace the Amazon Resource Name (ARN) with the ARN of the Amazon EFS access point for the file system you want to mount. LocalMountPath is the path where the function can access the file system, starting with /mnt/. Ensure that the Lambda mount path matches the access point path for the filesystem. For example, if the access point is /efs, the Lambda mount path must be /mnt/efs.

aws lambda update-function-configuration --function-name MyFunction \
--file-system-configs Arn=arn:aws:elasticfilesystem:us-east-1:222233334444:access-point/fsap-01234567,LocalMountPath=/mnt/test

The link below should be helpful:

https://docs.aws.amazon.com/lambda/latest/dg/configuration-filesystem.html

Sachin
answered 6 months ago
  • Thank you, I understand that, but my account point is "/" and I am trying to use "/mnt/" for the Lambda mount path. I think the problem I have is that the existing access point path is "/" and that the AWS CLI does not like just "/mnt/" as the Lambda mount path for cross account. I have almost TB of data. I hoped that for cross account AWS allowed /mnt/ as the Lambda mount point from aws lambda update-function-configuration. Looking for a workaround.

  • It turned out to be my POSIX ID, which was set to 1000 on the access point, whereas the files and folders had root 0 as uid and gid. I created another access point with the default root as "/" but with the POSIX user and owner ID set to 0. Using the new access point at "/", POSIX ID 0 and Lambda mount point "/mnt/efs", it worked.

  • Lambda requires that the local path start with /mnt/ but requires an additional path component - so, /mnt/efs/ is allowed but /mnt/ is not.
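
Added example (not part of the original thread and not AWS code): a pre-flight check that tests a LocalMountPath against the pattern quoted in the ValidationException, and lists which files an access point's enforced POSIX uid/gid would be refused on. It shows why uid 1000 hit EACCES on root-owned files, and that matching group ownership is enough for a non-root identity. The function names, the file inventory and the simplified permission model are assumptions made for illustration.

```python
import re

# Pattern copied verbatim from the ValidationException quoted in the question.
LOCAL_MOUNT_PATH = re.compile(r"^/mnt/[a-zA-Z0-9-_.]+$")
NEED = {"r": 4, "w": 2, "x": 1}


def valid_local_mount_path(path):
    """True if the path satisfies the LocalMountPath pattern from the error."""
    return LOCAL_MOUNT_PATH.fullmatch(path) is not None


def allowed(uid, gid, f_uid, f_gid, mode, want):
    """Simplified POSIX mode-bit check for the uid/gid an access point enforces.

    Assumption: uid 0 bypasses read/write checks; secondary groups and ACLs
    are not modelled.
    """
    if uid == 0:
        return True
    # Owner bits apply first, then group bits, otherwise "other" bits.
    shift = 6 if uid == f_uid else 3 if gid == f_gid else 0
    need = sum(NEED[c] for c in want)
    return ((mode >> shift) & need) == need


def denied(files, uid, gid, want):
    """Paths on which the given identity would get EACCES for `want`."""
    return [path for path, f_uid, f_gid, mode in files
            if not allowed(uid, gid, f_uid, f_gid, mode, want)]


# Constructed sample inventory: (path, owner uid, owner gid, mode).
FILES = [
    ("/data/in.csv", 0, 0, 0o644),      # root-owned, world-readable
    ("/data/secret.key", 0, 0, 0o600),  # root-owned, owner-only
    ("/data/out", 0, 1000, 0o775),      # root-owned dir, group 1000 may write
]

if __name__ == "__main__":
    for candidate in ("/mnt/", "/mnt/efs"):
        print(candidate, valid_local_mount_path(candidate))
    print("uid 1000 cannot write:", denied(FILES, 1000, 1000, "w"))
    print("uid 1000 cannot read:", denied(FILES, 1000, 1000, "r"))
    print("uid 0 cannot write:", denied(FILES, 0, 0, "w"))
```
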
