
I have an ECS service which is of Launch Type EC2 owned by an AWS account A. Our IT team has created an FSx storage owned by an AWS Account B:


When I try to launch tasks I get this not authorized error in the Stopped reason section of the task:

 Fsx describing filesystem(s) from the service for [fs-0fd8b05f434cf0e72]: 
FileSystemNotFound: File system 'fs-0fd8b05f434cf0e72' does not exist.

I have attached those 2 policies to the EC2 (container host) instance:

  • AmazonFSxReadOnlyAccess (AWS Managed)
  • fsx_mount (Customer Managed)

fsx_mount:

{
    "Statement": [
        {
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:secretsmanager:us-west-2:111111111111:secret:dev/rushmore/ad-account-NKOkyh"
        },
        {
            "Action": [
                "fsx:*",
                "ds:DescribeDirectories"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:fsx:eu-west-1:222222222222:file-system/fs-0fd8b05f434cf0e72"
        }
    ],
    "Version": "2012-10-17"
}

Note that the account id of 222222222222 represents AWS Account B.

Terraform aws_ecs_task_definition:

resource "aws_ecs_task_definition" "participants_task" {
  volume {
    name = "FSxStorage"
    fsx_windows_file_server_volume_configuration {
      file_system_id = "fs-0fd8b05f434cf0e72"
      root_directory = "\\data"

      authorization_config {
        credentials_parameter = aws_secretsmanager_secret_version.fsx_account_secret.arn
        domain                = var.domain
      }
    }
  }
  ...
}

I am not sure why ECS cannot "see" the FSx file system. Surely it must be because it is in another AWS account but I don't know what changes are required in order to fix this.

Georgi Koemdzhiev
  • Is the VPC for your ECS service and VPC for your FSx file system connected via VPC Peering, Transit Gateway or some other way? – Kaustubh Khavnekar Jan 19 '22 at 19:35
    Hi @KaustubhKhavnekar, I think both the ECS service and the FSx file system are on the same VPC (but different regions) so there would not be a need to do VPC Peering. – Georgi Koemdzhiev Jan 20 '22 at 12:02
    In AWS it is not possible to have the same VPC across multiple regions, even in the same account – Kaustubh Khavnekar Jan 20 '22 at 12:21
    Thank you @KaustubhKhavnekar. I will check the VPC of the FSx storage but you might be right, it could be that it is a different VPC. The issue could be that we are missing VPC Peering, am I correct? – Georgi Koemdzhiev Jan 20 '22 at 16:12
    The last section of [this page](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/supported-fsx-clients.html#access-environments) mentions it as a requirement. – Kaustubh Khavnekar Jan 20 '22 at 16:28
  • @KaustubhKhavnekar thank you! Yes, it does sound like this is the problem! Please add your comment as an answer to my question :) – Georgi Koemdzhiev Jan 20 '22 at 16:38
  • I have added it as an answer since it definitely seems to be a prerequisite and might solve the issue for someone who finds this question in the future. However I don't have experience with Amazon FSx (apart from reading the documentation a bit yesterday) so I might have missed something else wrong in your configuration – Kaustubh Khavnekar Jan 20 '22 at 17:09
  • I would suggest not accepting my answer unless you are sure this would solve the issue, someone else might have more insights – Kaustubh Khavnekar Jan 20 '22 at 17:11
  • Thank you @KaustubhKhavnekar, that is a good idea. I am not 100% that VPC Peering is in place between the 2 VPCs. I am still waiting for IT to confirm that – Georgi Koemdzhiev Jan 21 '22 at 13:44
  • I have checked with our TechOps team and they confirmed that VPC Peering is in place between the two VPCs. So this is not the problem causing my issue – Georgi Koemdzhiev Jan 27 '22 at 08:07

1 Answer


From AWS documentation:

You can access your FSx for Windows File Server file system from compute instances in a different VPC, AWS account, or AWS Region from that associated with your file system. To do so, you can use VPC peering or transit gateways. When you use a VPC peering connection or transit gateway to connect VPCs, compute instances that are in one VPC can access Amazon FSx file systems in another VPC. This access is possible even if the VPCs belong to different accounts, and even if the VPCs reside in different AWS Regions.

The short version of the above text is that your ECS service and Amazon FSx Windows File server either need to be in the same VPC or need to be in VPCs which are connected to each other (via VPC peering or Transit Gateway).

Kaustubh Khavnekar
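Network reachability (the answer's point) is one prerequisite; the other half of a cross-account setup is IAM scope, and the error text in the question ("Fsx describing filesystem(s) ... FileSystemNotFound") comes from the ECS agent calling DescribeFileSystems with the container instance's role, i.e. as account A in the instance's own region. An identity policy in account A that names an account B ARN is not a grant by itself: the resource owner must also allow the access, and Amazon FSx has no resource-based policies to do that with. The script below is an added example, not code from the question or the answer. It parses the customer-managed fsx_mount policy exactly as posted, splits every Resource ARN into its components and reports each Allow whose resource lives in a different account or region than the caller. The caller context is an assumption: the container-instance role is in account A (111111111111) and the ECS service runs in us-west-2, the account and region carried by the secret ARN in the policy.

```python
"""Cross-account / cross-region scope check for an IAM identity policy.

Added example, not code from the question or the answer. The policy is the
customer-managed fsx_mount policy as posted in the question; the caller
account and region passed to foreign_resources() are assumptions.
"""
import json
from dataclasses import dataclass

# Copied from the question: the fsx_mount customer-managed policy.
FSX_MOUNT_POLICY = """
{
    "Statement": [
        {
            "Action": ["secretsmanager:GetSecretValue"],
            "Effect": "Allow",
            "Resource": "arn:aws:secretsmanager:us-west-2:111111111111:secret:dev/rushmore/ad-account-NKOkyh"
        },
        {
            "Action": ["fsx:*", "ds:DescribeDirectories"],
            "Effect": "Allow",
            "Resource": "arn:aws:fsx:eu-west-1:222222222222:file-system/fs-0fd8b05f434cf0e72"
        }
    ],
    "Version": "2012-10-17"
}
"""


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str    # empty for global services such as IAM
    account: str   # empty for some resources, e.g. S3 buckets
    resource: str


def parse_arn(arn: str) -> Arn:
    """Split arn:partition:service:region:account:resource into its parts.

    Only the first five colons are separators; the resource part may itself
    contain colons (Secrets Manager's "secret:name-suffix" is an example).
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account, resource = parts
    return Arn(partition, service, region, account, resource)


def _as_list(value) -> list:
    """IAM allows Action and Resource to be a single string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def foreign_resources(policy_json: str, caller_account: str, caller_region: str) -> list[dict]:
    """Return Allow statements whose resources sit outside the caller's account or region.

    An identity policy in the caller's account is only half of a cross-account
    grant: the owning account must allow the access as well, and for services
    without resource-based policies (Amazon FSx is one) there is nothing the
    owner can attach. A region mismatch matters too: the ECS agent describes
    the file system in the region the container instance runs in.
    """
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        for arn_str in _as_list(stmt.get("Resource")):
            if arn_str == "*":
                continue  # wildcard: scope is decided by the service, not by the ARN
            arn = parse_arn(arn_str)
            problems = []
            if arn.account and arn.account != caller_account:
                problems.append(f"resource owned by account {arn.account}, caller is {caller_account}")
            if arn.region and arn.region != caller_region:
                problems.append(f"resource in {arn.region}, caller works in {caller_region}")
            if problems:
                findings.append({"arn": arn_str, "service": arn.service,
                                 "actions": actions, "problems": problems})
    return findings


if __name__ == "__main__":
    # Assumed caller: the container-instance role in account A, us-west-2.
    for finding in foreign_resources(FSX_MOUNT_POLICY, "111111111111", "us-west-2"):
        print(f"{finding['service']}: {finding['arn']}  actions={finding['actions']}")
        for problem in finding["problems"]:
            print(f"  - {problem}")
```

Run against the posted policy with the assumed caller, the only finding is the fsx statement: the file system ARN is in account 222222222222 and eu-west-1 while the caller is 111111111111 in us-west-2. That matches the symptom in the question, where the agent reports the file system as not existing rather than as access denied, because DescribeFileSystems only lists file systems the calling account owns. Swapping the caller to 222222222222 / eu-west-1 flips the finding to the secret ARN instead, which is a useful sanity check that the parser is reading the right fields.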