Configuring file system access for Lambda functions
You can configure a function to mount an Amazon Elastic File System (Amazon EFS) file system to a local directory. With Amazon EFS, your function code can access and modify shared resources safely and at high concurrency.
Sections
Execution role and user permissions
If the file system doesn't have a user-configured Amazon Identity and Access Management (IAM) policy, EFS uses a default policy that grants full access to any client that can connect to the file system using a file system mount target.
If the file system has a user-configured IAM policy, your function's
execution role must have the correct elasticfilesystem permissions.
Execution role permissions
-
elasticfilesystem:ClientMount
-
elasticfilesystem:ClientWrite (not required for read-only connections)
These permissions are included in the AmazonElasticFileSystemClientReadWriteAccess managed policy. Additionally, your execution role must have the permissions required to connect to the file system's VPC.
When you configure a file system, Lambda uses your permissions to verify mount targets. To configure a function to connect to a file system, your user needs the following permissions:
User permissions
-
elasticfilesystem:DescribeMountTargets
Configuring a file system and access point
Create a file system in Amazon EFS with a mount target in every Availability Zone that your function connects to. For performance and resilience, use at least two Availability Zones. For example, in a simple configuration you could have a VPC with two private subnets in separate Availability Zones. The function connects to both subnets and a mount target is available in each. Ensure that NFS traffic (port 2049) is allowed by the security groups used by the function and mount targets.
Note
When you create a file system, you choose a performance mode that can't be changed later. General purpose mode has lower latency, and Max I/O mode supports a higher maximum throughput and IOPS. For help choosing, see Amazon EFS performance in the Amazon Elastic File System User Guide.
An access point connects each instance of the function to the right mount target for the Availability Zone it
connects to. For best performance, create an access point with a non-root path, and limit the number of files that
you create in each directory. The
following example creates a directory named my-function on the file system and sets the owner ID to
1001 with standard directory permissions (755).
Example access point configuration
-
Name –
files -
User ID –
1001 -
Group ID –
1001 -
Path –
/my-function -
Permissions –
755 -
Owner user ID –
1001 -
Group user ID –
1001
When a function uses the access point, it is given user ID 1001 and has full access to the directory.
For more information, see the following topics in the Amazon Elastic File System User Guide:
Connecting to a file system (console)
A function connects to a file system over the local network in a VPC. The subnets that your function connects to can be the same subnets that contain mount points for your file system, or subnets in the same Availability Zone that can route NFS traffic (port 2049) to the file system.
Note
If your function is not already connected to a VPC, see Connecting outbound networking to resources in a VPC.
To configure file system access
Open the Functions page
of the Lambda console. -
Choose a function.
-
Choose Configuration and then choose File systems.
-
Under File system, choose Add file system.
-
Configure the following properties:
-
EFS file system – The access point for a file system in the same VPC.
-
Local mount path – The location where the file system is mounted on the Lambda function, starting with
/mnt/.
-
Pricing
Amazon EFS charges for storage and throughput, with rates that vary by storage class. For details, see Amazon EFS pricing
Lambda charges for data transfer between VPCs. This only applies if your function's VPC is peered to another
VPC with a file system. The rates are the same as for Amazon EC2 data transfer between VPCs in the same Region. For
details, see Lambda pricing
For more information about Lambda's integration with Amazon EFS, see Using Amazon EFS with Lambda.
Configuring file system access with the Lambda API
Use the following API operations to connect your Lambda function to a file system:
To connect a function to a file system, use the update-function-configuration command. The
following example connects a function named my-function to a file system with ARN of an access
point.
ARN=arn:aws-cn:elasticfilesystem:us-east-2:123456789012:access-point/fsap-015cxmplb72b405fdaws lambda update-function-configuration --function-name my-function \ --file-system-configs Arn=$ARN,LocalMountPath=/mnt/efs0
You can get the ARN of a file system's access point with the describe-access-points
command.
aws efs describe-access-points
You should see the following output:
{ "AccessPoints": [ { "ClientToken": "console-aa50c1fd-xmpl-48b5-91ce-57b27a3b1017", "Name": "lambda-ap", "Tags": [ { "Key": "Name", "Value": "lambda-ap" } ], "AccessPointId": "fsap-015cxmplb72b405fd", "AccessPointArn": "arn:aws-cn:elasticfilesystem:us-east-2:123456789012:access-point/fsap-015cxmplb72b405fd", "FileSystemId": "fs-aea3xmpl", "RootDirectory": { "Path": "/" }, "OwnerId": "123456789012", "LifeCycleState": "available" } ] }
Mounting an Amazon EFS file system in another Amazon Web Services account
You can configure a function to mount an Amazon EFS file system in another Amazon Web Services account. Before you mount the file system, you must ensure the following:
-
VPC peering must be configured, and appropriate routes must be added to the route tables in each VPC.
-
The security group for the Amazon EFS file system you want to mount must be configured to allow inbound access from the security group associated with your Lambda function.
-
Subnets must be created in each VPC with matching Availability Zone (AZ) IDs.
-
DNS Hostnames must be enabled in both VPCs.
For your Lambda function to access an Amazon EFS file system in another Amazon Web Services account, that file system must also have a file system policy that grants permission to your funtion. To learn how to create a file system policy, see Creating file system policies in the Amazon Elastic File System User Guide.
The following shows an example policy that gives Lambda functions in a specified account permission to perform all API actions on a file system.
{ "Version": "2012-10-17", "Id": "efs-lambda-policy", "Statement": [ { "Sid": "efs-lambda-statement", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::{LAMBDA-ACCOUNT-ID}:root" }, "Action": "*", "Resource": "arn:aws:elasticfilesystem:{REGION}:{ACCOUNT-ID}:file-system/{FILE SYSTEM ID}" } ] }
Note
The example policy shown uses the wildcard charcter ("*") to grant permissions for Lambda functions in the specified Amazon Web Services account to perform any API operation on the filesystem. This includes deleting the filesystem. To limit the operations that other Amazon Web Services accounts can perform on your filesystem, specify the actions you want to allow explicitly. For a list of possible API operations, see Actions, resources, and condition keys for Amazon Elastic File System.
To configure cross-account file system mounting, you use the Amazon Command Line Interface (Amazon CLI) update-function-configuration operation.
To mount a file system in another Amazon Web Services account, run the following command. Use your own function name and replace the Amazon Resource
Name (ARN) with the ARN of the Amazon EFS access point for the file system you want to mount. LocalMountPath is the path where the
function can access the file system, starting with /mnt/. Ensure that the Lambda mount path matches the access point path for the
filesystem. For example, if the access point is /efs, the Lambda mount path must be /mnt/efs.
aws lambda update-function-configuration --function-nameMyFunction\ --file-system-configs Arn=arn:aws:elasticfilesystem:us-east-1:222233334444:access-point/fsap-01234567,LocalMountPath=/mnt/test
Amazon CloudFormation and Amazon SAM
You can use Amazon CloudFormation and the Amazon Serverless Application Model (Amazon SAM) to automate the creation of Lambda applications. To enable a file
system connection on an Amazon SAM AWS::Serverless::Function resource, use the
FileSystemConfigs property.
Example template.yml – File system configuration
Transform: AWS::Serverless-2016-10-31 Resources: VPC: Type: AWS::EC2::VPC Properties: CidrBlock: 10.0.0.0/16 Subnet1: Type: AWS::EC2::Subnet Properties: VpcId: Ref: VPC CidrBlock: 10.0.1.0/24 AvailabilityZone:"us-west-2a"EfsSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: VpcId: Ref: VPC GroupDescription: "mnt target sg" SecurityGroupIngress: - IpProtocol: -1 CidrIp: "0.0.0.0/0" FileSystem: Type: AWS::EFS::FileSystem Properties: PerformanceMode: generalPurpose AccessPoint: Type: AWS::EFS::AccessPoint Properties: FileSystemId: Ref: FileSystem PosixUser: Uid: "1001" Gid: "1001" RootDirectory: CreationInfo: OwnerGid: "1001" OwnerUid: "1001" Permissions: "755" MountTarget1: Type: AWS::EFS::MountTarget Properties: FileSystemId: Ref: FileSystem SubnetId: Ref: Subnet1 SecurityGroups: - Ref: EfsSecurityGroup MyFunctionWithEfs: Type: AWS::Serverless::Function Properties: Handler: index.handler Runtime: python3.10 VpcConfig: SecurityGroupIds: - Ref: EfsSecurityGroup SubnetIds: - Ref: Subnet1 FileSystemConfigs: - Arn: !GetAtt AccessPoint.Arn LocalMountPath: "/mnt/efs" Description: Use a file system. DependsOn: "MountTarget1"
You must add the DependsOn to ensure that the mount targets are fully created before the Lambda
runs for the first time.
For the Amazon CloudFormation AWS::Lambda::Function type, the property name and fields are the same. For more
information, see Using Amazon Lambda with Amazon CloudFormation.
Sample applications
The GitHub repository for this guide includes a sample application that demonstrates the use of Amazon EFS with a Lambda function.
-
efs-nodejs
– A function that uses an Amazon EFS file system in a Amazon VPC. This sample includes a VPC, file system, mount targets, and access point configured for use with Lambda.