The issue you're experiencing with the EFS File System Policy is a common one when using AWS CDK to create EFS resources. The default behavior of the CDK is to create a File System Policy even if you don't explicitly specify one. This is done for security reasons, but it can cause issues like the one you're encountering.
To address this problem, you have a few options:
- Use the allowAnonymousAccess property: Set this to true when creating your FileSystem. This will allow access from anonymous clients without IAM authentication, which should prevent the creation of the restrictive default policy.
- Modify your custom policy: Ensure that your custom policy includes all necessary permissions, including elasticfilesystem:ClientMount. Your current custom policy looks good, but make sure it's being applied correctly.
- Use the addToResourcePolicy method: Instead of setting the policy during creation, you can add your custom policy after the FileSystem is created using the addToResourcePolicy method.
- Check CDK version and feature flags: Ensure you're using the latest version of CDK and check if there are any feature flags that might be affecting the default behavior.
Here's an example of how you might modify your code:
import * as cdk from 'aws-cdk-lib';
import * as efs from 'aws-cdk-lib/aws-efs';
import * as iam from 'aws-cdk-lib/aws-iam';

// `vpc` and `efs_security_group` are assumed to be defined earlier in the stack.
const fileSystem = new efs.FileSystem(this, 'MyEfsFileSystem', {
  vpc: vpc,
  vpcSubnets: { subnetGroupName: 'PrivateSubnetASG' },
  securityGroup: efs_security_group,
  removalPolicy: cdk.RemovalPolicy.DESTROY,
  lifecyclePolicy: efs.LifecyclePolicy.AFTER_14_DAYS,
  performanceMode: efs.PerformanceMode.GENERAL_PURPOSE,
  throughputMode: efs.ThroughputMode.BURSTING,
  allowAnonymousAccess: true, // This should prevent the default restrictive policy
  enableAutomaticBackups: false,
});

// If you still need to add a custom policy, you can do so after creation:
fileSystem.addToResourcePolicy(new iam.PolicyStatement({
  actions: [
    'elasticfilesystem:ClientMount',
    'elasticfilesystem:ClientWrite',
    'elasticfilesystem:ClientRootAccess',
  ],
  principals: [new iam.AnyPrincipal()],
  resources: ['*'],
  conditions: {
    // Only clients that reach the file system through a mount target qualify
    Bool: { 'elasticfilesystem:AccessedViaMountTarget': 'true' },
  },
}));
If these steps don't resolve the issue, you may need to check for any organization-wide policies or settings that could be overriding your configuration. Also, ensure that the IAM role attached to your EC2 instance has the necessary permissions to mount the EFS file system.
Sources
interface FileSystemProps · AWS CDK
class FileSystem (construct) · AWS CDK
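The answer's second point (make sure the custom policy actually carries elasticfilesystem:ClientMount, gated on elasticfilesystem:AccessedViaMountTarget) can be checked on the synthesized policy document before deployment. The following is an added example, not code from the re:Post answer or from the AWS CDK project: a dependency-free TypeScript checker over a standard IAM policy document. The policy JSON below mirrors the statement shown in the answer; the second, weaker policy is constructed sample data, and the `checkEfsPolicy` function and its finding strings are this example's own.

```typescript
// Added example: lint an EFS file system policy document for the two things the
// answer calls out: ClientMount must be granted, and any statement open to an
// anonymous principal must be limited to clients arriving via a mount target.

interface Statement {
  Effect: 'Allow' | 'Deny';
  Principal?: string | { AWS: string | string[] };
  Action: string | string[];
  Resource?: string | string[];
  Condition?: Record<string, Record<string, string | boolean>>;
}

interface PolicyDocument {
  Version: string;
  Statement: Statement[];
}

function asArray<T>(v: T | T[] | undefined): T[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// True when the statement applies to any (anonymous) principal, i.e. "*".
function isAnyPrincipal(s: Statement): boolean {
  if (s.Principal === '*') return true;
  if (s.Principal && typeof s.Principal === 'object') {
    return asArray(s.Principal.AWS).includes('*');
  }
  return false;
}

// True when the statement is conditioned on access through an EFS mount target.
function requiresMountTarget(s: Statement): boolean {
  const b = s.Condition?.Bool?.['elasticfilesystem:AccessedViaMountTarget'];
  return b === true || b === 'true';
}

// Returns findings prefixed "error:" or "warning:"; an empty list means the
// policy satisfies the checks. (Finding texts are this example's own.)
function checkEfsPolicy(doc: PolicyDocument): string[] {
  const findings: string[] = [];
  const allows = doc.Statement.filter(s => s.Effect === 'Allow');

  if (!allows.some(s => asArray(s.Action).includes('elasticfilesystem:ClientMount'))) {
    findings.push('error: no Allow statement grants elasticfilesystem:ClientMount');
  }

  allows.forEach((s, i) => {
    if (isAnyPrincipal(s) && !requiresMountTarget(s)) {
      findings.push(`error: statement ${i}: anonymous principal allowed without AccessedViaMountTarget condition`);
    }
    if (isAnyPrincipal(s) && asArray(s.Action).includes('elasticfilesystem:ClientRootAccess')) {
      findings.push(`warning: statement ${i}: ClientRootAccess granted to any principal`);
    }
  });
  return findings;
}

// The policy the answer's addToResourcePolicy call produces, as a document.
const policyFromAnswer: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Principal: { AWS: '*' },
    Action: [
      'elasticfilesystem:ClientMount',
      'elasticfilesystem:ClientWrite',
      'elasticfilesystem:ClientRootAccess',
    ],
    Resource: '*',
    Condition: { Bool: { 'elasticfilesystem:AccessedViaMountTarget': 'true' } },
  }],
};

// Constructed counter-example: write access to anyone, no mount-target condition,
// and no ClientMount at all, so clients cannot even mount the file system.
const weakPolicy: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Principal: '*',
    Action: 'elasticfilesystem:ClientWrite',
    Resource: '*',
  }],
};

console.log(checkEfsPolicy(policyFromAnswer));
console.log(checkEfsPolicy(weakPolicy));
```

Run on the answer's own policy, the checker reports only the warning that ClientRootAccess is open to any principal (still gated by the mount-target condition, which is the answer's intent); run on the weak policy, it reports both errors. Feed it the `FileSystemPolicy` section of the synthesized template output to check what CDK will actually deploy.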