
AWS:将 EFS 与 Fargate/ECS 容器结合使用

[英]AWS : Using EFS with Fargate/ECS Containers

I am attempting to use EFS with Fargate/ECS containers.我正在尝试将 EFS 与 Fargate/ECS 容器一起使用。 I have tested the EFS instance using multiple linux instances.我已经使用多个 linux 实例测试了 EFS 实例。 I tried to follow the example at https://aws.amazon.com/premiumsupport/knowledge-center/ecs-fargate-mount-efs-containers-tasks/我尝试按照https://aws.amazon.com/premiumsupport/knowledge-center/ecs-fargate-mount-efs-containers-tasks/中的示例进行操作

The container throws this error.容器抛出此错误。

Resourceinitializationerror: failed to invoke EFS utils commands to set up EFS volumes: stderr: b'mount.nfs4: access denied by server while mounting 127.0.0.1:/': unsuccessful EFS utils command execution;资源初始化错误:无法调用 EFS 实用程序命令来设置 EFS 卷:标准错误:b'mount.nfs4:安装 127.0.0.1 时服务器拒绝访问:/':EFS 实用程序命令执行失败; code: 32代码:32

The EFS SecurityGroup: EFS 安全组:

  • Inbound:入站:
  • TCP--2049--10.0.0.0/16 (VPC CIDR) TCP--2049--10.0.0.0/16(专有网络网段)
  • All--All--sg-0bd22... (Container SG ID) All--All--sg-0bd22...(容器 SG ID)
  • Outbound:出站:
  • All--All--0.0.0.0/0全部--全部--0.0.0.0/0

The Container SecurityGroup容器安全组

  • Inbound:入站:
  • All--All--0.0.0.0/0 (wider than the task needs — it only publishes TCP 80 — but this is not what causes the mount error)全部--全部--0.0.0.0/0
  • Outbound:出站:
  • All--All--0.0.0.0/0全部--全部--0.0.0.0/0

This is my task definition:这是我的任务定义:

{
    "ipcMode": null,
    "executionRoleArn": "arn:aws:iam::327425660322:role/ecsTaskExecutionRole",
    "containerDefinitions": [
        {
            "dnsSearchDomains": null,
            "environmentFiles": null,
            "logConfiguration": {
                "logDriver": "awslogs",
                "secretOptions": null,
                "options": {
                    "awslogs-group": "/ecs/prefetch",
                    "awslogs-region": "us-east-2",
                    "awslogs-stream-prefix": "ecs"
                }
            },
            "entryPoint": null,
            "portMappings": [
                {
                    "hostPort": 80,
                    "protocol": "tcp",
                    "containerPort": 80
                }
            ],
            "command": null,
            "linuxParameters": null,
            "cpu": 0,
            "environment": [],
            "resourceRequirements": null,
            "ulimits": null,
            "dnsServers": null,
            "mountPoints": [
                {
                    "readOnly": null,
                    "containerPath": "/usr/share/nginx/html",
                    "sourceVolume": "efs-html"
                }
            ],
            "workingDirectory": null,
            "secrets": null,
            "dockerSecurityOptions": null,
            "memory": 128,
            "memoryReservation": null,
            "volumesFrom": [],
            "stopTimeout": null,
            "image": "nginx",
            "startTimeout": null,
            "firelensConfiguration": null,
            "dependsOn": null,
            "disableNetworking": null,
            "interactive": null,
            "healthCheck": null,
            "essential": true,
            "links": null,
            "hostname": null,
            "extraHosts": null,
            "pseudoTerminal": null,
            "user": null,
            "readonlyRootFilesystem": null,
            "dockerLabels": null,
            "systemControls": null,
            "privileged": null,
            "name": "nginx"
        }
    ],
    "memory": "512",
    "taskRoleArn": null,
    "family": "efs-tutorial",
    "pidMode": null,
    "requiresCompatibilities": [
        "FARGATE"
    ],
    "networkMode": "awsvpc",
    "runtimePlatform": {
        "operatingSystemFamily": "LINUX",
        "cpuArchitecture": null
    },
    "cpu": "256",
    "inferenceAccelerators": [],
    "proxyConfiguration": null,
    "volumes": [
        {
            "fsxWindowsFileServerVolumeConfiguration": null,
            "efsVolumeConfiguration": {
                "transitEncryptionPort": null,
                "fileSystemId": "fs-0d15c1e9184fffacd",
                "authorizationConfig": {
                    "iam": "DISABLED",
                    "accessPointId": "fsap-04a23206444492e37"
                },
                "transitEncryption": "ENABLED",
                "rootDirectory": "/"
            },
            "name": "efs-html",
            "host": null,
            "dockerVolumeConfiguration": null
        }
    ],
    "tags": []
}

I also have the following two policies attached to the task execution role (`ecsTaskExecutionRole` above):我还使用以下策略作为任务执行角色:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}

And

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudwatch:DescribeAlarmsForMetric",
                "cloudwatch:GetMetricData",
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeNetworkInterfaceAttribute",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcs",
                "ec2:ModifyNetworkInterfaceAttribute",
                "elasticfilesystem:Backup",
                "elasticfilesystem:ClientRootAccess",
                "elasticfilesystem:ClientWrite",
                "elasticfilesystem:CreateFileSystem",
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:CreateMountTarget",
                "elasticfilesystem:CreateTags",
                "elasticfilesystem:CreateAccessPoint",
                "elasticfilesystem:CreateReplicationConfiguration",
                "elasticfilesystem:DeleteFileSystem",
                "elasticfilesystem:DeleteMountTarget",
                "elasticfilesystem:DeleteTags",
                "elasticfilesystem:DeleteAccessPoint",
                "elasticfilesystem:DeleteFileSystemPolicy",
                "elasticfilesystem:DeleteReplicationConfiguration",
                "elasticfilesystem:DescribeAccountPreferences",
                "elasticfilesystem:DescribeBackupPolicy",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeFileSystemPolicy",
                "elasticfilesystem:DescribeLifecycleConfiguration",
                "elasticfilesystem:DescribeMountTargets",
                "elasticfilesystem:DescribeMountTargetSecurityGroups",
                "elasticfilesystem:DescribeReplicationConfigurations",
                "elasticfilesystem:DescribeTags",
                "elasticfilesystem:DescribeAccessPoints",
                "elasticfilesystem:ModifyMountTargetSecurityGroups",
                "elasticfilesystem:PutAccountPreferences",
                "elasticfilesystem:PutBackupPolicy",
                "elasticfilesystem:PutLifecycleConfiguration",
                "elasticfilesystem:PutFileSystemPolicy",
                "elasticfilesystem:UpdateFileSystem",
                "elasticfilesystem:TagResource",
                "elasticfilesystem:UntagResource",
                "elasticfilesystem:ListTagsForResource",
                "elasticfilesystem:Restore",
                "kms:DescribeKey",
                "kms:ListAliases"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "iam:CreateServiceLinkedRole",
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "elasticfilesystem.amazonaws.com"
                    ]
                }
            }
        }
    ]
}

There are two things you need to fix:您需要修复两件事:

  1. The IAM permissions for EFS access (`elasticfilesystem:ClientMount` / `elasticfilesystem:ClientWrite`) need to be on the ECS Task Role, not the ECS Execution Role. The execution role is only what the ECS agent uses to pull the image and write logs; your task definition has `"taskRoleArn": null`, so the task itself has no identity to present when mounting. Keep that task role to the `Client*` actions scoped to the file system ARN — the full administrative list you attached (`DeleteFileSystem`, `PutFileSystemPolicy`, … on `"Resource": "*"`) is far more than a mount needs. EFS 访问的 IAM 权限需要针对 ECS 任务角色,而不是 ECS 执行角色。

  2. You need to enable IAM authorization in the volume's `authorizationConfig`.您需要在接入点连接设置上启用 IAM 权限使用。 You currently have this disabled: `"iam": "DISABLED"`.您目前已禁用此"iam": "DISABLED", That means the mount is made without an IAM identity, so any IAM permissions you set are ignored and only the EFS file system policy is evaluated — against an anonymous client, which is what the server is denying.这意味着您尝试设置的所有 IAM 权限都将被忽略,并且只会评估 EFS 卷的资源策略。 Setting `"iam": "ENABLED"` requires `"transitEncryption": "ENABLED"` (already the case above); after both changes the mount is authenticated as the task role, and the file system policy should grant `ClientMount`/`ClientWrite` to that role rather than to everyone.


 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM