EFS(8)                    System Manager's Manual                    EFS(8)

mount.efs - Mount helper for using Amazon EFS file systems.

mount.efs fs-id-or-dns-name mount-point [-o options]

mount.efs is part of the amazon-efs-utils package, which simplifies
using EFS file systems.

mount.efs is meant to be used through the mount(8) command for mounting
EFS file systems.

fs-id-or-dns-name has to be of one of the following two forms:

    • An EFS filesystem ID in the form of "fs-abcd1234", generated
      when the file system is created.

    • A domain name that has a resolvable DNS-CNAME record, which in
      turn points to a fully-qualified EFS DNS name in the form of
      "fs-abcd1234.efs.us-east-1.amazonaws.com" or
      "us-east-1a.fs-abcd1234.efs.us-east-1.amazonaws.com".

mount-point is the local directory on which the file system will be
mounted.

mount.efs automatically applies the following NFS options:

    nfsvers=4.1
    rsize=1048576
    wsize=1048576
    hard
    timeo=600
    retrans=2
    noresvport
    tls (for Mac distributions)

By default, when using the Amazon EFS mount helper with Transport Layer
Security (TLS), the mount helper enforces certificate hostname checking
and disables the use of Online Certificate Status Protocol (OCSP).
These options can be configured in the config file located at
/etc/amazon/efs/efs-utils.conf.

Additionally, the Amazon EFS mount helper has built-in logging for
troubleshooting purposes. These logs are located at /var/log/amazon/efs.

It is possible to configure your Amazon EC2 instance to automatically
remount your Amazon EFS file system when it reboots. For more
information, see the online documentation at:
https://docs.aws.amazon.com/efs/latest/ug/mount-fs-auto-mount-onreboot.html.

-o  Options are specified with the -o flag followed by a comma-separated
    string of options. All of the options specified in nfs(5) are
    available, in addition to the following EFS-specific options:

tls
    Mounts the EFS file system over TLS. For EC2 instances using
    Mac distributions, this option is passed by default and the
    EFS file system is mounted over TLS.

notls
    Mounts the EFS file system without TLS. Applies to Mac
    distributions only.

tlsport=n
    Configure the TLS relay to listen on the specified port. By
    default, the port is chosen at random from the port range
    defined in the config file located at
    /etc/amazon/efs/efs-utils.conf.

verify=n
    Verify TLS certificates using the specified stunnel verify
    level. For more information, see stunnel(8).

ocsp / noocsp
    Selects whether to perform OCSP validation on TLS certificates,
    overriding /etc/amazon/efs/efs-utils.conf. By default, OCSP is
    disabled. For more information, see stunnel(8).

iam
    Use the system's IAM identity to authenticate with EFS. The
    mount helper will try to retrieve the required IAM credentials
    from the following locations: the AWS credentials URI passed
    by mount option, the AWS CLI credentials file
    (~/.aws/credentials), the AWS CLI config file (~/.aws/config),
    the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment
    variable, the AssumeRoleWithWebIdentity API, and the EC2
    instance profile. The first location that has credentials
    will be used. This option requires the tls option.

rolearn
    Role ARN for IAM authentication with the
    AssumeRoleWithWebIdentity API.

jwtpath
    Identity token for IAM authentication with the
    AssumeRoleWithWebIdentity API.

accesspoint
    Mount the EFS file system using the specified access point.
    This option requires the tls option. The access point must
    be in the "available" state before it can be used to mount
    EFS.

awsprofile
    Use the named profile to look up IAM credentials in the AWS
    CLI credentials file (~/.aws/credentials) or AWS CLI config
    file (~/.aws/config). If botocore is installed, assume the
    named profile and use the credentials of the assumed profile.
    If "awsprofile" is not specified, the "default" profile is
    used.

awscredsuri
    Use the relative URI to look up IAM credentials from the ECS
    task metadata endpoint.

cafile
    Use the cafile as the stunnel certificate authority file.

netns
    Mount the EFS file system to the specified network namespace.

az
    Mount the EFS file system to the specified availability zone
    mount target.

mountport
    Use the port 2049 to bypass the portmapper daemon on EC2 Mac
    instances running macOS Big Sur.

mounttargetip
    Mount the EFS file system to the specified mount target IP
    address.

sudo mount -t efs fs-abcd1234 /mnt/efs
    Mount an EFS file system with file system ID "fs-abcd1234" at
    mount point "/mnt/efs" without encryption of data in transit.

sudo mount -t efs -o mounttargetip=192.0.0.1 fs-abcd1234 /mnt/efs
    Mount an EFS file system with file system ID "fs-abcd1234" on
    the mount target that belongs to the file system with address
    "192.0.0.1" without encryption of data in transit.

sudo mount -t efs -o netns=/proc/1/ns/net fs-abcd1234 /mnt/efs
    Mount an EFS file system with file system ID "fs-abcd1234" at
    mount point "/mnt/efs" without encryption of data in transit in
    the given network namespace "/proc/1/ns/net".

sudo mount -t efs -o az=us-east-1a fs-abcd1234 /mnt/efs
    Mount an EFS file system with file system ID "fs-abcd1234" at
    mount point "/mnt/efs" to the mount target in availability zone
    us-east-1a.

sudo mount -t efs fs-abcd1234:/child /mnt/efs
    Mount a non-root directory of an EFS file system with file
    system ID "fs-abcd1234" at mount point "/mnt/efs" without
    encryption of data in transit.

sudo mount -t efs -o tls fs-abcd1234 /mnt/efs
    Mount an EFS file system with file system ID "fs-abcd1234" at
    mount point "/mnt/efs" using encryption of data in transit.

sudo mount -t efs -o tls,verify=0 fs-abcd1234 /mnt/efs
    Mount an EFS file system with file system ID "fs-abcd1234" at
    mount point "/mnt/efs" using encryption of data in transit and a
    verify level of 0.

sudo mount -t efs -o tls,ocsp fs-abcd1234 /mnt/efs
    Mount an EFS file system with file system ID "fs-abcd1234" at
    mount point "/mnt/efs" using encryption of data in transit and
    with OCSP validation enabled.

sudo mount -t efs custom-cname.example.com /mnt/efs
    Mount an EFS file system using the custom DNS name
    "custom-cname.example.com" (which has to resolve to a
    fully-qualified EFS DNS name such as
    "fs-abcd1234.efs.us-east-1.amazonaws.com") at mount point
    "/mnt/efs" without encryption of data in transit.

sudo mount -t efs -o tls custom-cname.example.com /mnt/efs
    Mount an EFS file system using the custom DNS name
    "custom-cname.example.com" (which has to resolve to a
    fully-qualified EFS DNS name such as
    "fs-abcd1234.efs.us-east-1.amazonaws.com") at mount point
    "/mnt/efs" using encryption of data in transit.

sudo mount -t efs -o tls,iam fs-abcd1234 /mnt/efs
    Mount an EFS file system with file system ID "fs-abcd1234" at
    mount point "/mnt/efs" with encryption of data in transit. The
    mount helper will authenticate with EFS using the system's IAM
    identity.

sudo mount -t efs -o tls,iam,rolearn="ROLE_ARN",jwtpath="PATH/JWT_TOKEN_FILE" fs-abcd1234 /mnt/efs
    Mount an EFS file system with file system ID "fs-abcd1234" at
    mount point "/mnt/efs" with encryption of data in transit. The
    mount helper will assume the role "ROLE_ARN" by calling the
    AssumeRoleWithWebIdentity API with the identity token at
    "PATH/JWT_TOKEN_FILE".

sudo mount -t efs -o tls,iam,awsprofile=test-profile fs-abcd1234 /mnt/efs
    Mount an EFS file system with file system ID "fs-abcd1234" at
    mount point "/mnt/efs" with encryption of data in transit. The
    mount helper will authenticate with EFS using the IAM identity
    of the named profile "test-profile", for which the credentials
    are retrieved either from /root/.aws/credentials or
    /root/.aws/config. If the credentials are not present in the
    credentials or config files, and there is a
    "[profile test-profile]" section in the /root/.aws/config file,
    the mount helper will assume the named profile "test-profile"
    based on the profile section configuration in /root/.aws/config
    and use the credentials retrieved with botocore to mount
    (botocore must be pre-installed).

sudo mount -t efs -o tls,accesspoint=fsap-12345678 fs-abcd1234 /mnt/efs
    Mount an EFS file system with file system ID "fs-abcd1234" at
    mount point "/mnt/efs" with encryption of data in transit. The
    file system is mounted using the access point "fsap-12345678".

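The option rules above (iam and accesspoint require tls, mounts without tls are unencrypted, verify=n selects the stunnel verify level) can be checked across fstab-format entries. The script below is an added example, not part of amazon-efs-utils or of this manual; it assumes a Linux host, where tls is not applied by default, and the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of amazon-efs-utils. Assumes a Linux host, where
# mount.efs does not apply "tls" unless it is listed in the options.

# Read fstab-format lines on stdin; print one finding per weak EFS entry.
audit_efs_fstab() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
    $3 != "efs"          { next }      # only entries handled by mount.efs
    {
        tls = 0; needs_tls = ""; verify = ""
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            if (opt[i] == "tls") tls = 1
            else if (opt[i] == "iam" || opt[i] ~ /^accesspoint=/)
                needs_tls = needs_tls (needs_tls == "" ? "" : "+") opt[i]
            else if (opt[i] ~ /^verify=/) verify = substr(opt[i], 8)
        }
        # stunnel(8): verify level 0 requests the peer certificate but ignores it
        if (!tls && needs_tls != "")
            print "FAIL " $2 ": " needs_tls " requires the tls option"
        else if (!tls)
            print "WARN " $2 ": no tls, data in transit is not encrypted"
        else if (verify == "0")
            print "WARN " $2 ": verify=0 turns off certificate verification"
    }'
}

# Constructed sample entries (not taken from a real system).
sample_fstab() {
    cat <<'EOF'
# device        mountpoint type options                                  dump pass
fs-abcd1234:/   /mnt/a     efs  _netdev,tls                               0 0
fs-abcd1234:/   /mnt/b     efs  _netdev                                   0 0
fs-abcd1234:/   /mnt/c     efs  _netdev,tls,verify=0                      0 0
fs-abcd1234:/   /mnt/d     efs  _netdev,iam                               0 0
fs-abcd1234:/   /mnt/e     efs  _netdev,tls,iam,accesspoint=fsap-12345678 0 0
/dev/sda1       /          ext4 defaults                                  0 1
EOF
}

sample_fstab | audit_efs_fstab
```

To audit a real host, run the function as `audit_efs_fstab < /etc/fstab`.
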
/sbin/mount.efs
    The executable for the Amazon EFS mount helper.

/usr/bin/amazon-efs-mount-watchdog
    The executable for the supervisor process that monitors the
    network relay.

/etc/amazon/efs/efs-utils.conf
    The configuration file for the Amazon EFS mount helper.

/etc/amazon/efs/efs-utils.crt
    The default Certificate Authority file used by the Amazon EFS
    mount helper.

/etc/init/amazon-efs-mount-watchdog.conf
    The configuration file for the supervisor process.

/var/log/amazon/efs/
    The directory where logs for the Amazon EFS mount helper, the
    stunnel network relay, and the supervisor process are stored.

/usr/share/man/man8/mount.efs.8
    The man page for the Amazon EFS mount helper.

For more information on using the amazon-efs-utils package, see
https://docs.aws.amazon.com/efs/latest/ug/using-amazon-efs-utils.html
in the Amazon EFS User Guide.

On EC2 macOS instances, these paths are relocated under the
/usr/local/Cellar/amazon-efs-utils/<version>/libexec directory.

nfs(8), stunnel(8), fstab(5)

Copyright 2017-2018 Amazon.com, Inc. and its affiliates. All Rights
Reserved.