12

I've created a lambda function. I created an Elastic File System (EFS) and access points using all the default settings. I attached the EFS to the lambda function, again just using the defaults.

But! There is no write access to EFS.

What did I miss?

Hope some kind person knows :)

Notes....

The current answer doesn't seem to work. I've also been onto AWS support for over a week. They seem to think the EFS is not mounting.

EFS is mounted to lambda at = /mnt/fs

EFS Access point - Root Directory Path = / (A suggestion of changing this to /fs causes an internal server error, AWS support suggested /mnt/fs which also causes an internal service error).

AmazonElasticFileSystemClientFullAccess and AWSLambdaVPCAccessExecutionRole added to execution role.

Test Node js example:

exports.handler = function(event, ctx, callback) {
    const fs = require("fs");
    fs.mkdir('/mnt/fs/newfolder', { recursive: true }, (err) => {
        callback(null, {
            statusCode: 200,
            "content-type": "text/html",
            body: (err || "ok").toString()
        })
    });
};
Gordon Truslove
  • Hi Gordon, did you ever find an answer? I have been stuck on this for many hours now. Just trying to save an img to EFS from Lambda and have tried all the suggestions. Still getting a Permission Error. Thanks for posting your question! – Luke Buthman Sep 24 '21 at 23:56
  • 1
    @LukeButhman My answer is the 2nd answer. I've since given up on AWS and moved to app engine on google cloud as it's a lot easier. – Gordon Truslove Sep 27 '21 at 08:10

4 Answers

11

The AWS documentation misses the part about POSIX user settings, but a blog post explains it.

To add EFS to lambda.

AmazonElasticFileSystemClientFullAccess and AWSLambdaVPCAccessExecutionRole permissions need to be added to the execution role.

EFS is mounted to lambda at = /mnt/fs

EFS Access point path = /mnt/fs

Add a POSIX user to the access point. User 1000, group 1000 & permissions 0777.

As explained in this blog post:

https://aws.amazon.com/blogs/compute/using-amazon-efs-for-aws-lambda-in-your-serverless-applications/

Gordon Truslove
7

Your Lambda execution role must have AmazonElasticFileSystemClientFullAccess attached to it, to write to EFS.

To add, go to Lambda > Permission > Execution role and click on the role name.

Now the role will be opened. Click on Add Policy under permissions and add AmazonElasticFileSystemClientFullAccess and AWSLambdaVPCAccessExecutionRole.

Also verify if you have properly set root directory path and mount point in Lambda & EFS Access point.

If mount point in lambda File System is /mnt/fs/ then your Root directory path in Access point must be /fs

Atul Sharma
0
  • I had a similar problem and followed all the steps listed here, but nothing resolved it.
  • After further exploration, I discovered that when DataSync migrated files from S3 to EFS, it also changed the permissions on the EFS folder.

DataSync changed permission to nfsnobody

  • I was able to resolve this by creating an EC2, mounting EFS, and chown on the directory. I could then save as before.
Luke Buthman
0

I had the same problem: EFS was read-only from Lambda. I mapped EFS to an EC2 Linux instance and found that all files in this EFS had "root" ownership. I think this was automatically done when the "/" path was created in EFS (maybe because I didn't specify USER/GROUP/permissions).

For example, when I was logged in as ec2-user (the default user of the instance) I was able to read EFS but not write, obviously because ec2-user isn't root. The permissions for the folders were drwxr-xr-x, which means only root was able to write and nobody else. Two different fixes both worked well:

(a) sudo chmod -R 777 efs
(b) sudo chown -R efs

But 'b' is better as it changes ownership to ec2-user, which also allows me to work with EFS files from the EC2 instance without 'sudo'. Hope it helps!!

PavelS
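
Added example, not part of any answer above: a Node.js check that reproduces the POSIX decision behind the symptoms described here, namely why a root-owned drwxr-xr-x (or nfsnobody-owned) directory is read-only for the access point user 1000:1000. The names dirWriteCheck and ACCESS_POINT_USER are hypothetical; the mount path and IDs are the ones quoted on this page.

```javascript
// Added example. MOUNT_PATH and the uid/gid values are the ones quoted on this
// page; dirWriteCheck and ACCESS_POINT_USER are hypothetical names.
const MOUNT_PATH = "/mnt/fs";
const ACCESS_POINT_USER = { uid: 1000, gid: 1000, secondaryGids: [] };

// POSIX picks exactly one permission class (owner, then group, then other).
// Creating an entry in a directory needs both write (2) and search (1) bits.
// uid 0 is not special-cased here.
function dirWriteCheck(user, st) {
    const perms = st.mode & 0o777;
    const gids = [user.gid, ...(user.secondaryGids || [])];
    let cls, bits;
    if (user.uid === st.uid) {
        cls = "owner"; bits = (perms >> 6) & 7;
    } else if (gids.includes(st.gid)) {
        cls = "group"; bits = (perms >> 3) & 7;
    } else {
        cls = "other"; bits = perms & 7;
    }
    return {
        cls,
        mode: perms.toString(8).padStart(4, "0"),
        owner: `${st.uid}:${st.gid}`,
        writable: (bits & 3) === 3,
    };
}

// Lambda handler: report who owns the mounted root and whether the access
// point's POSIX user may create entries in it. When a POSIX user is configured
// on the access point, EFS applies that identity, not the Lambda process uid.
async function handler() {
    const fs = require("fs");
    const st = fs.statSync(MOUNT_PATH);
    return { statusCode: 200, body: JSON.stringify(dirWriteCheck(ACCESS_POINT_USER, st)) };
}

if (typeof module !== "undefined") module.exports = { handler };
```

With the directory owned by 1000:1000, mode 0755 already reports writable: true, so 0777 is not required for this user.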