I have an ECS service which is of Launch Type EC2 owned by an AWS account A. Our IT team has created an FSx storage owned by an AWS Account B.
When I try to launch tasks I get this not authorized error in the Stopped reason section of the task:
```
Fsx describing filesystem(s) from the service for [fs-0fd8b05f434cf0e72]:
FileSystemNotFound: File system 'fs-0fd8b05f434cf0e72' does not exist.
```
I have attached those 2 policies to the EC2 (container host) instance:
- AmazonFSxReadOnlyAccess (AWS Managed)
- fsx_mount (Customer Managed)
fsx_mount:
```json
{
  "Statement": [
    {
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:secretsmanager:us-west-2:111111111111:secret:dev/rushmore/ad-account-NKOkyh"
    },
    {
      "Action": [
        "fsx:*",
        "ds:DescribeDirectories"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:fsx:eu-west-1:222222222222:file-system/fs-0fd8b05f434cf0e72"
    }
  ],
  "Version": "2012-10-17"
}
```
Note that the account id of 222222222222 represents AWS Account B.
Terraform aws_ecs_task_definition:
```hcl
resource "aws_ecs_task_definition" "participants_task" {
  volume {
    name = "FSxStorage"
    fsx_windows_file_server_volume_configuration {
      file_system_id = "fs-0fd8b05f434cf0e72"
      root_directory = "\\data"
      authorization_config {
        credentials_parameter = aws_secretsmanager_secret_version.fsx_account_secret.arn
        domain                = var.domain
      }
    }
  }
  ...
}
```
I am not sure why ECS cannot "see" the FSx file system. Surely it must be because it is in another AWS account but I don't know what changes are required in order to fix this.
CodePudding user response:
From AWS documentation:
You can access your FSx for Windows File Server file system from compute instances in a different VPC, AWS account, or AWS Region from that associated with your file system. To do so, you can use VPC peering or transit gateways. When you use a VPC peering connection or transit gateway to connect VPCs, compute instances that are in one VPC can access Amazon FSx file systems in another VPC. This access is possible even if the VPCs belong to different accounts, and even if the VPCs reside in different AWS Regions.
The short version of the above text is that your ECS service and Amazon FSx Windows File server either need to be in the same VPC or need to be in VPCs which are connected to each other (via VPC peering or Transit Gateway).
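As an added example that is not part of the original question or answer, the following Python check encodes the rule the answer states: the ECS host VPC and the FSx file system's VPC must be the same VPC, or be joined by an active VPC peering connection, or both be attached to a common Transit Gateway. The input dictionaries use the shape returned by boto3's `ec2.describe_vpc_peering_connections()` and `ec2.describe_transit_gateway_vpc_attachments()`; the VPC IDs, peering IDs, Transit Gateway ID and attachment records are constructed sample values, and the account IDs reuse the placeholders from the question.

```python
"""Check whether an ECS host VPC has a network path to an FSx file system's VPC.

Added example, not code from the original question or answer. It applies the
answer's rule (same VPC, active VPC peering, or a shared Transit Gateway) to
response data shaped like boto3's ec2.describe_vpc_peering_connections() and
ec2.describe_transit_gateway_vpc_attachments(). All IDs below are constructed.
"""

from typing import Dict, FrozenSet, Optional, Set


def active_peerings(peering_response: dict) -> Set[FrozenSet[str]]:
    """Return unordered VPC-ID pairs joined by a peering whose status is 'active'.

    Peerings that are pending-acceptance, rejected or deleted carry no
    traffic, which is the usual cross-account trap: account A requests the
    peering but account B never accepts it.
    """
    pairs: Set[FrozenSet[str]] = set()
    for pcx in peering_response.get("VpcPeeringConnections", []):
        if pcx.get("Status", {}).get("Code") != "active":
            continue
        accepter = pcx["AccepterVpcInfo"]["VpcId"]
        requester = pcx["RequesterVpcInfo"]["VpcId"]
        pairs.add(frozenset((accepter, requester)))
    return pairs


def transit_gateways_by_vpc(tgw_response: dict) -> Dict[str, Set[str]]:
    """Map each VPC ID to the Transit Gateways it has an 'available' attachment to."""
    by_vpc: Dict[str, Set[str]] = {}
    for att in tgw_response.get("TransitGatewayVpcAttachments", []):
        if att.get("State") != "available":
            continue
        by_vpc.setdefault(att["VpcId"], set()).add(att["TransitGatewayId"])
    return by_vpc


def connectivity_path(ecs_vpc: str, fsx_vpc: str,
                      peering_response: dict, tgw_response: dict) -> Optional[str]:
    """Describe how the ECS VPC reaches the FSx VPC, or return None if it cannot.

    Caveat: a shared Transit Gateway attachment is necessary but not
    sufficient; the TGW route tables and each VPC's route tables (plus
    security groups on the FSx ENIs) must still allow the SMB traffic.
    """
    if ecs_vpc == fsx_vpc:
        return "same-vpc"
    if frozenset((ecs_vpc, fsx_vpc)) in active_peerings(peering_response):
        return "vpc-peering"
    tgw = transit_gateways_by_vpc(tgw_response)
    shared = tgw.get(ecs_vpc, set()) & tgw.get(fsx_vpc, set())
    if shared:
        return "transit-gateway:" + sorted(shared)[0]
    return None


# Constructed sample data: account A (111111111111) hosts the ECS instances,
# account B (222222222222) owns the FSx file system.
SAMPLE_PEERINGS = {
    "VpcPeeringConnections": [
        {   # Cross-account peering requested by A but never accepted by B.
            "VpcPeeringConnectionId": "pcx-0example1",
            "RequesterVpcInfo": {"VpcId": "vpc-0ecsaaaa", "OwnerId": "111111111111"},
            "AccepterVpcInfo": {"VpcId": "vpc-0fsxbbbb", "OwnerId": "222222222222"},
            "Status": {"Code": "pending-acceptance"},
        },
        {   # Active peering to another VPC inside account A.
            "VpcPeeringConnectionId": "pcx-0example2",
            "RequesterVpcInfo": {"VpcId": "vpc-0ecsaaaa", "OwnerId": "111111111111"},
            "AccepterVpcInfo": {"VpcId": "vpc-0sharedcc", "OwnerId": "111111111111"},
            "Status": {"Code": "active"},
        },
    ]
}
SAMPLE_TGW = {
    "TransitGatewayVpcAttachments": [
        {"TransitGatewayId": "tgw-0example", "VpcId": "vpc-0ecsaaaa",
         "VpcOwnerId": "111111111111", "State": "available"},
        {"TransitGatewayId": "tgw-0example", "VpcId": "vpc-0fsxbbbb",
         "VpcOwnerId": "222222222222", "State": "available"},
    ]
}

if __name__ == "__main__":
    # With the real SDK these dicts would come from ec2.describe_vpc_peering_connections()
    # and ec2.describe_transit_gateway_vpc_attachments() in the ECS host's account.
    path = connectivity_path("vpc-0ecsaaaa", "vpc-0fsxbbbb", SAMPLE_PEERINGS, SAMPLE_TGW)
    print("ECS -> FSx path:", path or "NONE (file system will report as not found)")
```

Run it before touching IAM: if `connectivity_path` returns `None`, the FSx volume will keep failing regardless of how broad the `fsx:*` grant is, because the ECS agent cannot reach a file system whose VPC it has no route to.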

