15

So, I am trying to integrate my Lambda function with EFS. I am able to access the root directory (as read-only from Lambda), as I can see the xyz directory available in my root dir: /mnt/ -> xyz

When I try to access /mnt/xyz or /mnt/xyz/ then I get this error:

{
  "errorType": "Error",
  "errorMessage": "EACCES: permission denied, scandir '/mnt/xyz/'",
  "trace": [
    "Error: EACCES: permission denied, scandir '/mnt/xyz/'",
    "    at Object.readdirSync (fs.js:948:3)",
    "    at Runtime.exports.handler (/var/task/index.js:19:24)",
    "    at Runtime.handleOnce (/var/runtime/Runtime.js:66:25)"
  ]
}

Permission given to the access point: 777

Nishant Thapliyal

2 Answers

24

I tried to replicate the issue, and can verify that I had the same problem. The help came from the following GitHub issue: EFS permission denied.

The permission denied error was caused by an incorrectly set root and local mount point in the access point and Lambda, respectively. The correct settings that worked were:

Access point (note /lambda)


Lambda (note /mnt/lambda)


These settings enable successful access to the EFS.

halfer
Marcin
21

The issue that I was facing was related to the user/group ID (ownership). The file was produced by an application running on an AWS EC2 instance and consumed by an AWS Lambda function.

To find the owner/group of files, use the command `ls -al`


To find the owner/group IDs, use the command `ls -n`


As the file was produced by root (UID: 0), I need to set the owner ID and group ID to 0 at the EFS access point


This configuration resolved my issue.

halfer
Nishant Thapliyal
  • I just ran the `ls -l` commands (temporarily) in a lambda itself to ensure that it could see the EFS. I also had to combine this with poking a port hole (2049, both in and out) into a security group, so that the EFS-to-lambda file traffic can get through. Thanks for your post. – halfer Nov 21 '21 at 11:31
  • 2
    After looking through dozens of posts and articles and every relevant AWS doc on the subject and absolutely nothing working, this resolved my write permission error for a Lambda trying to simply test writing a .txt file to EFS. All I had to do was change the user/owner IDs to 0. Thank you so much, it's absolutely ludicrous that this is opaque in the documentation. – Trent Yarosevich Mar 14 '22 at 00:00
  • +1 for setting UID GID to 0. 1000 never worked for my case, which I doubt it was due to my lambda was a docker layered lambda. I have not tried a native Lambda write with 1000. – Steve Mar 15 '23 at 18:21
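
An added example, not part of the original posts: a Node.js diagnostic for the ownership mismatch described in the second answer. It picks the POSIX permission class (owner, group or other) that applies to the identity the function runs as and reports whether listing or creating files in the directory is allowed. The sample owner and mode values are constructed, and `effectiveBits`, `explain` and `diagnose` are hypothetical names.

```javascript
// Added example (not from the original posts): why scandir returns EACCES
// when the directory owner differs from the identity the Lambda runs as.
const fs = require('fs');

// Return the rwx bits (0-7) of the permission class that applies to `caller`.
// Only class selection is modelled; superuser override is deliberately ignored.
function effectiveBits(st, caller) {
  const groups = [caller.gid, ...(caller.groups || [])];
  if (caller.uid === st.uid) return (st.mode >> 6) & 7;    // owner class
  if (groups.includes(st.gid)) return (st.mode >> 3) & 7;  // group class
  return st.mode & 7;                                      // other class
}

// Translate the bits into the directory operations the posts care about.
function explain(st, caller) {
  const bits = effectiveBits(st, caller);
  return {
    owner: `${st.uid}:${st.gid}`,
    caller: `${caller.uid}:${caller.gid}`,
    mode: (st.mode & 0o777).toString(8).padStart(3, '0'),
    canList: (bits & 4) !== 0,      // readdirSync/scandir needs r
    canTraverse: (bits & 1) !== 0,  // opening entries needs x
    canCreate: (bits & 3) === 3,    // creating files needs w and x
  };
}

// Run inside the function against the real mount, e.g. diagnose('/mnt/xyz').
// statSync only needs search permission on the parent directory, so it works
// even when readdirSync on the directory itself fails.
function diagnose(dir) {
  const st = fs.statSync(dir);
  const caller = {
    uid: process.getuid(),
    gid: process.getgid(),
    groups: process.getgroups(),
  };
  return explain(st, caller);
}

// Constructed sample: a directory created by root on EC2 with mode 0750.
const sampleDir = { uid: 0, gid: 0, mode: 0o40750 };
console.log(explain(sampleDir, { uid: 1000, gid: 1000 })); // other class: no access
console.log(explain(sampleDir, { uid: 0, gid: 0 }));       // owner class: rwx
```

Comparing the `owner` and `caller` fields in the output of `diagnose` shows whether the access point's POSIX user matches the identity that created the files.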