aws-efs-csi-driver
AWS EFS CSI Driver fails with AssumeRole Error - cross account dynamic provisioning
/kind bug
For cross account provisioning, the efs-csi-driver needs an IAM role to describe the mount targets of the EFS file system. The driver will select an IP address from one of the mount targets on the EFS file system to perform the cross-account mount.
The describe-mount-target IAM Role wasn't working when following this blog post: https://aws.amazon.com/blogs/storage/mount-amazon-efs-file-systems-cross-account-from-amazon-eks/
What happened?
failed to provision volume with StorageClass "corp-data-migration-file-preprod-efs": rpc error: code = Internal desc = Failed to fetch Access Points or Describe File System: List Access Points failed: AccessDenied: User: arn:aws:sts:xxxx-A:assumed-role/TF_AWSEfsCsiDriverIAMPolicy_preprod/1709202420990880480 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxx-B:role/EFSCrossAccountAccessAssumeRoleCorpPREPROD
status code: 403, request id: 564cefe0-28f6-4a9e-89db-1179bef01c0d
How to reproduce it (as minimally and precisely as possible)?
TF_AWSEfsCsiDriverIAMPolicy_preprod (eks account xxxx-A) :
{
  "Statement": [
    {
      "Action": [
        "elasticfilesystem:DescribeAccessPoints",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeMountTargets",
        "ec2:DescribeAvailabilityZones"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "elasticfilesystem:CreateAccessPoint"
      ],
      "Condition": {
        "StringLike": {
          "aws:RequestTag/efs.csi.aws.com/cluster": "true"
        }
      },
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "elasticfilesystem:TagResource"
      ],
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/efs.csi.aws.com/cluster": "true"
        }
      },
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "elasticfilesystem:DeleteAccessPoint",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/efs.csi.aws.com/cluster": "true"
        }
      },
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}
EFSCrossAccountAccessAssumeRoleCorpPREPROD Trust relationships (efs account xxxx-B):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxx-A:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Amazon EFS CSI Driver version: v1.7.5-eksbuild.2
Hi! As you pointed out, it looks like you're failing to assume the cross account role.
Did you complete step #2?
In the AWS account A hosting your EKS cluster, create and attach an IAM policy with sts assume permissions to cross-account IAM role created in Step 1. Attach this policy to IAM role associated with service account of driver's controller service.
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::123456789012:role/EFSCrossAccountAccessRole"
  }
}
Also, your policy looks correct, TF_AWSEfsCsiDriverIAMPolicy_preprod, but we recommend that customers use the EFS managed policy instead, AmazonEFSCSIDriverPolicy.
Yes, I have completed step 2.
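As an added example (not from the issue or the aws-efs-csi-driver project), the following Python check evaluates the two policy documents posted in this thread the way STS evaluates a cross-account AssumeRole: the caller's identity policy must allow sts:AssumeRole on the target role, and the target role's trust policy must allow the caller's account. The account ids and ARNs are the issue's own placeholders, and the identity policy is trimmed to its sts statement.

```python
import fnmatch

# Placeholders exactly as they appear in the issue (account ids are redacted there).
DRIVER_ACCOUNT = "xxxx-A"
DRIVER_ROLE = "arn:aws:iam::xxxx-A:role/TF_AWSEfsCsiDriverIAMPolicy_preprod"
TARGET_ROLE = "arn:aws:iam::xxxx-B:role/EFSCrossAccountAccessAssumeRoleCorpPREPROD"
# Identity policy on the driver's role, trimmed to the sts statement posted in the issue.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}]}
# Trust policy on the role in the EFS account, as posted in the issue.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Statement1", "Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::xxxx-A:root"}}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value, ci=False):
    # IAM wildcards (* and ?); action names are case-insensitive, ARNs are not.
    norm = (lambda s: s.lower()) if ci else (lambda s: s)
    return any(fnmatch.fnmatchcase(norm(value), norm(p)) for p in _as_list(patterns))

def _principal_matches(principal, caller_arn, caller_account):
    # A trust policy may name the whole account (root ARN or bare id) or a specific role.
    if principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    root = f"arn:aws:iam::{caller_account}:root"
    return any(p in ("*", root, caller_account, caller_arn) for p in allowed)

def _decide(statements, applies):
    # Explicit Deny wins over any Allow; no matching statement is an implicit deny.
    allow = False
    for s in statements:
        if applies(s):
            if s.get("Effect") == "Deny":
                return False
            allow = True
    return allow

def evaluate_assume_role(identity_policy, trust_policy, caller_arn, caller_account, target_role):
    """Both sides must allow. Conditions, NotAction/NotResource, SCPs, permission boundaries and
    session policies are not modelled: allowed=True means look at those layers, not these documents."""
    identity_ok = _decide(_as_list(identity_policy["Statement"]),
                          lambda s: _matches(s.get("Action", []), "sts:AssumeRole", ci=True)
                          and _matches(s.get("Resource", []), target_role))
    trust_ok = _decide(_as_list(trust_policy["Statement"]),
                       lambda s: _matches(s.get("Action", []), "sts:AssumeRole", ci=True)
                       and _principal_matches(s.get("Principal", {}), caller_arn, caller_account))
    return {"identity": identity_ok, "trust": trust_ok, "allowed": identity_ok and trust_ok}
```

Run `evaluate_assume_role(IDENTITY_POLICY, TRUST_POLICY, DRIVER_ROLE, DRIVER_ACCOUNT, TARGET_ROLE)` against the documents as posted: both halves come back True, which is why the next things to inspect for a 403 like the one above are SCPs, permission boundaries and the role actually bound to the controller's service account rather than these two JSON files.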