Why is my EFS File system policy blocking Fargate from mounting the EFS even though it includes the Task Execution Role arn?

I'm currently using an EFS mounted on a Fargate task. The task uses the roles CustomECSTaskExecutionAgent for task execution and CustomECSTaskAgent for the task. With no file system policy in place, Fargate mounts fine and my task is able to read/write to the EFS. However, my company requires a file system policy for each EFS, so I added the following:

```json
{
  "Version": "2012-10-17",
  "Id": "efs-statement-8e30733a-a93f-414f-b5b6-284bd5a02c0a",
  "Statement": [
    {
      "Sid": "efs-statement-7c9d03e6-379b-422e-afe6-4d92e7ff4303",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<accountid>:role/CustomECSTaskAgent",
          "arn:aws:iam::<accountid>:role/CustomECSTaskExecutionAgent",
          "arn:aws:iam::<accountid>:role/CustomEC2Agent"
        ]
      },
      "Action": "elasticfilesystem:*",
      "Resource": "arn:aws:elasticfilesystem:us-east-1:<accountid>:file-system/fs-id"
    }
  ]
}
```

With this policy Fargate is not able to mount the drive; I get the following error:

`ResourceInitializationError: failed to invoke EFS utils commands to set up EFS volumes: stderr: b'mount.nfs4: access denied by server while mounting' : unsuccessful EFS utils command execution; code: 32`

If I add the following statement to the policy, then Fargate is able to mount the drive, but the task fails immediately because it is not able to read/write. I cannot keep the statement below because it is too permissive, and I'd like to know what Principal I need for:

1. Fargate to mount successfully
2. My task to read/write

```json
{
  "Sid": "efs-statement-7c9d03e6-379b-422e-afe6-4d92e7ff4303",
  "Effect": "Allow",
  "Principal": {
    "AWS": "*"
  },
  "Action": "elasticfilesystem:ClientMount",
  "Resource": "arn:aws:elasticfilesystem:us-east-1:<accountid>:file-system/fs-id"
}
```
asked a month ago
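The following CloudFormation fragment is an added example, not part of the question above: it pairs a file system policy scoped to the task role with the task-definition setting that makes Fargate mount as that role. Without `AuthorizationConfig.IAM: ENABLED` (which requires `TransitEncryption: ENABLED`) the NFS client connects with no IAM identity, so only a `Principal: "*"` statement can match; the role names are taken from the question, while the family, image and mount path are placeholders.

```yaml
# Added example: EFS file system policy + Fargate task definition with IAM
# authorisation on the mount. The mount is then evaluated as TaskRoleArn
# (CustomECSTaskAgent), not as the execution role, so only that role needs
# ClientMount/ClientWrite and the wildcard principal can be dropped.
Resources:
  SharedEfs:
    Type: AWS::EFS::FileSystem
    Properties:
      Encrypted: true
      FileSystemPolicy:
        Version: "2012-10-17"
        Statement:
          # Only the task role, only via a mount target, read/write.
          - Sid: AllowTaskRoleReadWrite
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:role/CustomECSTaskAgent
            Action:
              - elasticfilesystem:ClientMount
              - elasticfilesystem:ClientWrite
            Condition:
              Bool:
                elasticfilesystem:AccessedViaMountTarget: "true"
          # Refuse any client that is not using TLS in transit.
          - Sid: DenyUnencryptedTransport
            Effect: Deny
            Principal:
              AWS: "*"
            Action: "elasticfilesystem:*"
            Condition:
              Bool:
                aws:SecureTransport: "false"
  AppTask:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: app                      # placeholder family name
      RequiresCompatibilities: [FARGATE]
      NetworkMode: awsvpc
      Cpu: "256"
      Memory: "512"
      ExecutionRoleArn: !Sub arn:aws:iam::${AWS::AccountId}:role/CustomECSTaskExecutionAgent
      TaskRoleArn: !Sub arn:aws:iam::${AWS::AccountId}:role/CustomECSTaskAgent
      Volumes:
        - Name: shared
          EFSVolumeConfiguration:
            FilesystemId: !Ref SharedEfs
            TransitEncryption: ENABLED # prerequisite for IAM authorisation
            AuthorizationConfig:
              IAM: ENABLED             # mount is authorised as TaskRoleArn
      ContainerDefinitions:
        - Name: app
          Image: public.ecr.aws/docker/library/busybox:latest  # placeholder
          Command: ["sh", "-c", "touch /mnt/shared/ok && sleep 60"]
          MountPoints:
            - SourceVolume: shared
              ContainerPath: /mnt/shared
```

If the task should only reach a subdirectory, attach an EFS access point and add `AccessPointId` under `AuthorizationConfig`; the policy can then use `elasticfilesystem:AccessPointArn` in its condition instead of granting the whole file system.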