IAM permission to mount FSx NetApp ONTAP on EC2

0
  1. Is there any IAM role, such as an instance role, that gives "mount volume" permission to an EC2 instance for an FSx ONTAP volume?

  2. Is it possible to mount an FSx volume in a different account? Is providing the required routing mandatory, or is there any other way through which I could mount an FSx volume on an EC2 instance in a different AWS account?

1 Answer
0
  1. For mounting FSx for NetApp ONTAP volumes on EC2 instances, there isn't a specific IAM role or instance role that provides "mount volume" permission. The mounting process for FSx for ONTAP volumes on EC2 instances typically doesn't require special IAM permissions. Instead, the ability to mount the volume is primarily controlled by network connectivity and the file system's access controls. Please refer to the document below for complete information on mounting FSx for NetApp ONTAP volumes on Linux EC2 instances: https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/attach-linux-client.html

  2. Mounting an FSx for NetApp ONTAP volume on an EC2 instance in a different AWS account is possible, but it requires careful network configuration. There's no direct IAM permission that allows cross-account mounting. Instead, you need to ensure proper network connectivity between the two accounts' VPCs and configure routes between the same. This typically involves:

    • VPC peering or AWS Transit Gateway to connect the VPCs in different accounts
    • Configuring the necessary route tables to allow traffic between the VPCs
    • Ensuring that the security groups and network ACLs allow the required traffic

Providing the required routing is mandatory for cross-account mounting. There isn't another way to mount an FSx volume on an EC2 instance in a different AWS account without establishing the necessary network connectivity.

Remember that in addition to network connectivity, you'll need to ensure that the file system's access controls (like export policies for NFS or share and file permissions for SMB) are configured to allow access from the EC2 instance in the other account.

Here's a blog referencing the architecture of accessing cross-account FSx Filesystems that can help you: https://aws.amazon.com/blogs/storage/enabling-file-system-sharing-on-fsx-for-netapp-ontap-across-multiple-aws-accounts/

answered a month ago
AWS
SUPPORT ENGINEER
revised a month ago
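
The three layers the answer names (routes, security groups, export policy) can be checked together before a cross-account mount is attempted. The following is an added example, not part of the original answer or of AWS documentation; the port list, function names and sample CIDRs are assumptions, and the inputs are constructed in the shape of EC2 `DescribeSecurityGroups` output.

```python
import ipaddress

# Assumption: TCP ports an NFSv3 client typically needs (rpcbind, mountd, nfsd,
# lock manager, status monitor). Confirm the list in the FSx for ONTAP guide.
NFS_TCP_PORTS = (111, 635, 2049, 4045, 4046)

def covers(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def sg_allows(ingress, client_ip, port):
    """ingress: IpPermissions list shaped like EC2 DescribeSecurityGroups output.
    Only CIDR sources are evaluated; security-group references are ignored."""
    for perm in ingress:
        proto = perm.get("IpProtocol")
        if proto == "tcp":
            if not perm["FromPort"] <= port <= perm["ToPort"]:
                continue
        elif proto != "-1":  # "-1" means all protocols and ports
            continue
        if any(covers(r["CidrIp"], client_ip) for r in perm.get("IpRanges", [])):
            return True
    return False

def mount_blockers(client_ip, fsx_ip, client_routes, fsx_sg_ingress, export_cidrs):
    """Return the layers that would stop client_ip from mounting over NFS."""
    problems = []
    if not any(covers(c, fsx_ip) for c in client_routes):
        problems.append("route: client route table has no path to the file system")
    closed = [p for p in NFS_TCP_PORTS if not sg_allows(fsx_sg_ingress, client_ip, p)]
    if closed:
        problems.append(f"security group: TCP ports closed to client: {closed}")
    if not any(covers(c, client_ip) for c in export_cidrs):
        problems.append("export policy: no rule matches the client address")
    return problems

# Constructed sample: file system in account A (10.10.0.0/16), client in account B.
CLIENT_IP, FSX_IP = "10.20.1.15", "10.10.2.50"
CLIENT_ROUTES = ["10.20.0.0/16", "10.10.0.0/16"]  # local route + peering route
FSX_SG_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
     "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 111, "ToPort": 111,
     "IpRanges": [{"CidrIp": "10.10.0.0/16"}]},
]
EXPORT_CIDRS = ["10.10.0.0/16"]  # export policy still scoped to the home VPC

if __name__ == "__main__":
    for line in mount_blockers(CLIENT_IP, FSX_IP, CLIENT_ROUTES,
                               FSX_SG_INGRESS, EXPORT_CIDRS):
        print(line)
```

With the sample data the route exists, but the security group and the export policy both still exclude the peer account's client, which is the kind of partial configuration that leaves a mount hanging or denied even though peering is in place.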
