How to configure permissions between EFS and EC2

I'm trying to use CloudFormation to set up a mongod instance using EFS storage, and I'm having problems understanding how to configure the file system permissions to make it work.

The EFS is not going to be accessed by any existing systems, so I can configure it exactly as I need to.

I was trying to use the following AWS example as a starting point ...

https://docs.amazonaws.cn/en_us/AWSCloudFormation/latest/UserGuide/aws-resource-efs-accesspoint.html

AccessPointResource:
  Type: 'AWS::EFS::AccessPoint'
  Properties:
    FileSystemId: !Ref FileSystemResource
    PosixUser:
      Uid: "13234"
      Gid: "1322"
      SecondaryGids:
        - "1344"
        - "1452"
    RootDirectory:
      CreationInfo:
        OwnerGid: "708798"
        OwnerUid: "7987987"
        Permissions: "0755"
      Path: "/testcfn/abc"

In the above example, they seem to have assigned arbitrary group and user IDs. What I'm trying to figure out is, given the above, how would the user accounts on the EC2 need to be configured to allow full read/write access?

I've got to the point where I'm able to mount the access point, but I haven't been able to successfully write to it.

What I've tried...

Created a new user on the EC2, and assigned the uid and gid like so...

sudo usermod -u 13234 testuser1
sudo groupmod -g 1322 testuser1

I then sudo to that user and try writing a file to the mount point... No luck

I then tried assigning the uid and gid like so...

sudo usermod -u 7987987 testuser1
sudo groupmod -g 708798 testuser1

Again, no luck writing a file.

What I'm really looking for is the simplest configuration where I can have a single EC2 user have full read/write access to an EFS folder. It will be a new EFS and new EC2, so I have full control over how it's set up, if that helps.

Possibly the examples assume some existing knowledge of the workings of NFS, which I may be lacking.

Just in case it helps anyone, I ended up defining my Access Point like so...

AccessPointResource:
  Type: 'AWS::EFS::AccessPoint'
  Properties:
    FileSystemId: !Ref FileSystemResource
    PosixUser:
      Uid: "9960"
      Gid: "9940"
    RootDirectory:
      CreationInfo:
        OwnerGid: "9940"
        OwnerUid: "9960"
        Permissions: "0755"
      Path: "/mongo-db"

and then in my userdata for the mongodb server EC2, I added this...

sudo groupadd --system --gid 9940 mongod
sudo useradd --system --uid 9960 --gid 9940 mongod

I'm not actually sure if the gid and uid above need to match what I've defined in the AccessPoint, but it seems to make it easier, as then the server will show the owner of the files as "mongod mongod".

I mounted the EFS like so...

sudo mkdir -p /mnt/var/lib/mongo
sudo mount -t efs -o tls,accesspoint=${AccessPointId} ${FileSystemId}: /mnt/var/lib/mongo

I'm still a bit confused about the original AWS provided example. If my understanding is correct, it seems it would always create a root directory which cannot be written to.

Perhaps someone can clarify where it might be helpful to have the root directory owned by a different user to the one specified in the PosixUser.
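The write failures described above come down to an ordinary POSIX mode check, because EFS applies the access point's PosixUser to every request regardless of which local user issues it (this is the documented behaviour the example assumes). The following shell script is an added example, not part of the original post; it evaluates that check for the uid/gid and mode values quoted above and for one group-writable variant.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. EFS enforces the access point's
# PosixUser for every request, so whether a write succeeds depends only on
# that PosixUser and the RootDirectory owner/mode, not on the EC2 user's
# local uid/gid (matching them locally only makes ls show nice names).

# Return 0 if NEEDLE appears among the remaining arguments.
in_list() {
  local needle=$1 x; shift
  for x in "$@"; do [ "$x" = "$needle" ] && return 0; done
  return 1
}

# can_write UID GID "SECONDARY_GIDS" OWNER_UID OWNER_GID MODE -> prints yes|no
# POSIX rule: owner bits if uid matches, else group bits if the primary or a
# secondary gid matches, else "other" bits. MODE needs its leading 0 (octal).
can_write() {
  local uid=$1 gid=$2 sgids=$3 owner_uid=$4 owner_gid=$5 mode=$6
  local perm=$((mode)) bit      # "0755" -> 493 (leading 0 means octal)
  if [ "$uid" -eq "$owner_uid" ]; then
    bit=$((perm & 128))         # owner write bit (0200)
  elif [ "$gid" -eq "$owner_gid" ] || in_list "$owner_gid" $sgids; then
    bit=$((perm & 16))          # group write bit (0020)
  else
    bit=$((perm & 2))           # other write bit (0002)
  fi
  if [ "$bit" -ne 0 ]; then echo yes; else echo no; fi
}

# AWS documentation example from the question: PosixUser 13234/1322 (+1344,
# 1452) against a root directory owned by 7987987/708798 with mode 0755.
aws_doc_example() { can_write 13234 1322 "1344 1452" 7987987 708798 0755; }

# Configuration from the update: PosixUser and directory owner both 9960/9940.
working_example() { can_write 9960 9940 "" 9960 9940 0755; }

# Variant of the AWS example (constructed): same PosixUser, but the directory
# is group-owned by one of the secondary gids and is group-writable (0775).
group_writable_example() { can_write 13234 1322 "1344 1452" 7987987 1344 0775; }

printf 'AWS doc example (0755, different owner): write=%s\n' "$(aws_doc_example)"
printf 'Updated config (owner == PosixUser):     write=%s\n' "$(working_example)"
printf 'Secondary gid owns dir, mode 0775:       write=%s\n' "$(group_writable_example)"
```

On the instance itself the equivalent check is simply `sudo -u mongod touch /mnt/var/lib/mongo/.write-test`, whose success or failure follows the same rule.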
