Task timed out after 3.00 seconds while mounting EFS file system. Ensure that the VPC is configured correctly and the EFS mount target is in the same subnet as the Lambda function.
ID: cloud/aws-lambda-efs-mount-timeout-cross-account
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| AWS Lambda (Python 3.12 runtime) | active | — | — | — |
| Amazon EFS (NFSv4.1) | active | — | — | — |
| AWS RAM (Resource Access Manager) | active | — | — | — |
Root Cause
Lambda cannot mount EFS when the EFS file system is in a different VPC or account, even if VPC peering exists, because Lambda requires the mount target to be in the same VPC and subnet as the function.
Official Documentation
https://docs.aws.amazon.com/lambda/latest/dg/services-efs.html
Workarounds
- 90% success: Create an EFS mount target in the same VPC and subnets as the Lambda function, even if the EFS file system is in another account, by using cross-account mount target creation via AWS Resource Access Manager (RAM) sharing.
- 75% success: If cross-account is unavoidable, use an EFS replication or sync to a file system in the same account and VPC, or use an NFS proxy (e.g., an EC2 instance with a reverse proxy) in the Lambda VPC.
Dead Ends
Common approaches that don't work:
- 80% fail: Security group rules are necessary, but if the mount target is in a different VPC, Lambda's ENI cannot reach it even with open rules.
- 95% fail: VPC peering connects networks, but Lambda's hyperplane ENI does not support cross-VPC EFS mounting; the mount target must be in the same VPC.
- 90% fail: Increasing the Lambda timeout does not fix the fundamental connectivity issue; the mount attempt will still fail at the network layer.
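A pre-deployment check for the condition this entry describes (mount target available in the same VPC and subnets as the function), as an added example that is not part of the original entry. The function name `diagnose_efs_mount` and all IDs are assumptions; the input dicts mirror the `VpcConfig` and `MountTargets` fields returned by boto3's `get_function_configuration` and `describe_mount_targets`.

```python
# Added example. Inputs mirror the shape of boto3 responses; every ID is constructed.

def diagnose_efs_mount(vpc_config, mount_targets, function_account):
    """Return findings that explain an EFS mount timeout; an empty list means none.

    vpc_config       -- "VpcConfig" from lambda get_function_configuration
    mount_targets    -- "MountTargets" from efs describe_mount_targets
    function_account -- account ID that owns the Lambda function
    """
    fn_vpc = vpc_config.get("VpcId")
    if not fn_vpc:
        return ["function has no VPC configuration, so it cannot reach a mount target"]
    findings, covered = [], set()
    for mt in mount_targets:
        mt_id = mt["MountTargetId"]
        if mt["VpcId"] != fn_vpc:
            # Peering does not help here: the page requires the same VPC.
            owner = "another account" if mt["OwnerId"] != function_account else "same account"
            findings.append(f"{mt_id}: in {mt['VpcId']} ({owner}), not function VPC {fn_vpc}")
        elif mt["LifeCycleState"] != "available":
            findings.append(f"{mt_id}: state is {mt['LifeCycleState']}, not available")
        else:
            covered.add(mt["SubnetId"])
    # Every subnet the function can run in needs its own usable mount target.
    for subnet in vpc_config.get("SubnetIds", []):
        if subnet not in covered:
            findings.append(f"{subnet}: no available mount target in this function subnet")
    return findings


def _mt(mt_id, subnet, vpc, owner, state="available"):
    """Build a constructed mount-target record with only the fields the check reads."""
    return {"MountTargetId": mt_id, "SubnetId": subnet, "VpcId": vpc,
            "OwnerId": owner, "LifeCycleState": state}


# Constructed sample: function in vpc-aaaa, file system mounted only in a peered VPC.
FUNCTION_VPC = {"VpcId": "vpc-aaaa", "SubnetIds": ["subnet-a1", "subnet-a2"]}
PEERED_ONLY = [_mt("fsmt-1", "subnet-b1", "vpc-bbbb", "222222222222")]
# Constructed sample after the first workaround: a mount target in each function subnet.
SAME_VPC = [_mt("fsmt-2", "subnet-a1", "vpc-aaaa", "111111111111"),
            _mt("fsmt-3", "subnet-a2", "vpc-aaaa", "111111111111")]

if __name__ == "__main__":
    for name, targets in (("peered only", PEERED_ONLY), ("same VPC", SAME_VPC)):
        print(name, diagnose_efs_mount(FUNCTION_VPC, targets, "111111111111") or "OK")
```

Running this in CI before deploying the function surfaces the misplacement as a named finding instead of a 3-second timeout at invocation.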