{ "id": "cloud/aws-lambda-efs-mount-timeout", "signature": "Task timed out after 3.00 seconds while mounting EFS file system. Ensure that the VPC is configured correctly and the EFS file system is accessible.", "signature_zh": "挂载 EFS 文件系统时任务在 3.00 秒后超时。请确保 VPC 配置正确且 EFS 文件系统可访问。", "regex": "Task timed out.*while mounting EFS file system", "domain": "cloud", "category": "network_error", "subcategory": null, "root_cause": "Lambda function's VPC configuration (subnets, security groups) prevents it from reaching the EFS mount target, or the EFS file system is in a different availability zone than the Lambda's subnet.", "root_cause_type": "generic", "root_cause_zh": "Lambda 函数的 VPC 配置（子网、安全组）阻止其访问 EFS 挂载目标，或者 EFS 文件系统与 Lambda 子网位于不同的可用区。", "versions": [ { "version": "AWS Lambda runtime Python 3.12", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "AWS Lambda runtime Node.js 20", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "EFS Mount Target API 2015-02-01", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" } ], "os_specific": {}, "dead_ends": [ { "action": "", "why_fails": "Increasing Lambda timeout to 15 minutes doesn't fix the network connectivity issue; the mount attempt will still fail.", "fail_rate": 1.0, "condition": "", "sources": [] }, { "action": "", "why_fails": "Adding more subnets to the Lambda VPC config without ensuring they are in the same AZ as the EFS mount target may still fail.", "fail_rate": 0.75, "condition": "", "sources": [] }, { "action": "", "why_fails": "Using a public subnet without a NAT gateway for Lambda doesn't help because EFS mount targets require VPC internal connectivity.", "fail_rate": 0.9, "condition": "", "sources": [] } ], "workarounds": [ { "action": "Ensure Lambda's VPC subnets are in the same availability zones as the EFS mount targets. Create mount targets in each AZ where Lambda subnets exist. If using a single mount target, ensure Lambda subnet is in that AZ.", "success_rate": 0.95, "how": "Ensure Lambda's VPC subnets are in the same availability zones as the EFS mount targets. Create mount targets in each AZ where Lambda subnets exist. If using a single mount target, ensure Lambda subnet is in that AZ.", "condition": "", "sources": [] }, { "action": "Check security group rules: EFS mount target security group must allow inbound NFS (port 2049) from the Lambda security group. Add rule: Type=NFS, Protocol=TCP, Port=2049, Source=.", "success_rate": 0.9, "how": "Check security group rules: EFS mount target security group must allow inbound NFS (port 2049) from the Lambda security group. Add rule: Type=NFS, Protocol=TCP, Port=2049, Source=.", "condition": "", "sources": [] }, { "action": "Verify EFS file system policy allows access from the Lambda's VPC. If policy is set to 'deny access from VPCs not in the same account', add an explicit allow for the Lambda's VPC.", "success_rate": 0.85, "how": "Verify EFS file system policy allows access from the Lambda's VPC. If policy is set to 'deny access from VPCs not in the same account', add an explicit allow for the Lambda's VPC.", "condition": "", "sources": [] } ], "workarounds_zh": [ "确保 Lambda 的 VPC 子网与 EFS 挂载目标位于相同的可用区。在 Lambda 子网所在的每个可用区创建挂载目标。如果只使用一个挂载目标，确保 Lambda 子网在该可用区。", "检查安全组规则：EFS 挂载目标安全组必须允许来自 Lambda 安全组的入站 NFS（端口 2049）。添加规则：类型=NFS，协议=TCP，端口=2049，来源=。", "验证 EFS 文件系统策略允许来自 Lambda VPC 的访问。如果策略设置为 '拒绝来自非同一账户 VPC 的访问'，则添加显式允许 Lambda VPC 的规则。" ], "transition_graph": { "leads_to": [], "preceded_by": [], "frequently_confused_with": [] }, "official_doc_url": "https://docs.aws.amazon.com/lambda/latest/dg/services-efs.html", "official_doc_section": null, "error_code": null, "verification_tier": "ai_generated", "confidence": 0.86, "fix_success_rate": 0.88, "resolvable": "true", "first_seen": "2023-11-12", "last_confirmed": "2024-06-01", "last_updated": "2024-06-01", "evidence_count": 1, "tags": [], "locale": "en", "aliases": [] }