Old EFS Access Points work but cannot mount a new one?

Could you share how you are configuring your Access Point? One thing to make sure of for new EFS Access Points is that the UID/GID you are configuring for your enforced identity has at least read+execute access for its home directory. For example, if you did not specify a home directory, it will default to /, which by default is not accessible by any users other than root.

The access points are defined very simply, they both share the same filesystem, they both have paths defined and I used names to identify them. So they both look like:

efs-file-system, access-point-1-name , /path/ap1/
efs-file-system, access-point-2-name, /path/ap2/

I did not add any of the optional POSIX user or creation user definitions. For the older Access Point this is working and files can be written and updated in the directory. I never get to attempt to write to the new Access Point as it's refusing to mount :(

Edited by: JSDev on Sep 21, 2020 9:35 AM

Thanks for the details. Could you PM me your access point id? I can look from our side and see what's going on.

Thanks for the info. In your access point configuration, you left the enforced identity (UID/GID) blank, which means EFS is going to trust the identity passed from the server, which will be the UID/GID that you are logged into your server as. Also, you are specifying a directory without CreationInfo, which means the directory won't be automatically created, and must already exist and be readable+executable by your server UID/GID. Therefore, there is one of two reasons why this is not working:

1. The directory in your second access point does not already exist in your EFS file system.
2. The directory exists, but the UID/GID you're logged into your server as doesn't have at least read+execute access to it.

The best way to make sure you don't get permission denieds with Access Points is to specify both the UID/GID of your user and use CreationInfo with your directory to make sure it gets created. For instance, you can create an access point with uid:1000, gid:1000, directory:/mydirectory, owneruid: 1000, ownergid:1000. With this, the directory will be created for you, and the owner information will match that of the access point, so you know you'll have access to it.

Ok Thanks, that was the missing step, creating the directories in the efs file system before or after creating the mount points. They need to exist before attempting to mount, otherwise you are correct the creation user and POSIX user id's need to be specified.