1Password / connect

Access your 1Password secrets using a 1Password Connect Server
https://developer.1password.com/docs/connect

ECS / EFS - User ID Issues #70

Open GadgetGeekNI opened 1 year ago

GadgetGeekNI commented 1 year ago

Hi folks,

I'm having a few issues trying to deploy out a test environment using ECS and EFS as my data volume.

I am getting user permission errors when, I believe, the container is trying to read the mounted EFS volume.

When the containers are started, I get the following:

Error: Server: (failed to setupServer), Wrapped: (failed to NewController), Can't continue. We can't safely access "/mnt/opc/data/.op/data/files" because it's not owned by the current user. Change the owner or logged in user and try again.

Doing this with Terraform, or attempting to (!). Here is my EFS Access Point & ECS config; I assume the error will jump out at someone between these two, as I feel like it's to do with the user ID given to the EFS system, but I am unsure what to set it to in order to get it working. I can't exec into the container because it tears down again immediately when this error appears.

resource "aws_efs_access_point" "opc_user_data_efs_access_point" {
  file_system_id = aws_efs_file_system.opc_ecs_volume_efs_file_system.id
  posix_user {
    gid = 1000
    uid = 1000
  }
  root_directory {
    path = local.efs_root_access_point_path
    creation_info {
      owner_gid   = 1000
      owner_uid   = 1000
      permissions = 775
    }
  }
  tags = merge({ Name = "${local.efs_name}-access-point" })
}

resource "aws_ecs_task_definition" "opc_api_ecs_task_definition" {
  family                   = "opc-api-task-def"
  ###OtherConfig
  container_definitions = jsonencode([{
    name  = "opc-api"
    image = "1password/connect-api:latest"
    portMappings = [
      {
        containerPort = 8080
        hostPort      = 8080
      }
    ]
    environment = [
      {
        name  = "OP_SESSION"
        value = var.op_base64_credentials
      },
      {
        name = "XDG_DATA_HOME"
        value = "/mnt/opc/data"
      }
    ]
    command = []
    mountPoints = [
      {
        containerPath = "/mnt/opc/data"
        sourceVolume  = "connect-data"
      }
    ]
  }])
  volume {
    name = "connect-data"
    efs_volume_configuration {
      file_system_id     = aws_efs_file_system.opc_ecs_volume_efs_file_system.id
      root_directory     = "/"
      transit_encryption = "ENABLED"
      authorization_config {
        iam             = "ENABLED"
        access_point_id = aws_efs_access_point.opc_user_data_efs_access_point.id
      }
    }
  }
  tags = merge({ Name = "opc-connect-service-task-def" })
}

jpcoenen commented 11 months ago

Hey @GadgetGeekNI! Sorry for the late reply here. Could you try using uid and gid 999 instead of 1000? That's the user and group ID that are used by the Connect Docker image.

Let me know if that works!
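The access point resource from the original post with jpcoenen's suggestion applied, as an added example rather than code from the thread or from 1Password. The point worth seeing in config form: an EFS access point's posix_user is enforced on every NFS request made through it, so whatever uid/gid it sets is what the Connect process sees as the owner of its data files, regardless of the uid the container runs as. Resource and local names are the ones from the post; the tightened mode "750" is my own choice, not something the thread states.

```hcl
resource "aws_efs_access_point" "opc_user_data_efs_access_point" {
  file_system_id = aws_efs_file_system.opc_ecs_volume_efs_file_system.id

  # EFS substitutes this identity for the client's uid/gid on every operation
  # through the access point. With 1000 here, files were created and reported
  # as 1000:1000 while connect-api runs as 999, so its ownership check on
  # /mnt/opc/data/.op/data/files failed at startup. It has to match the image's user.
  posix_user {
    uid = 999
    gid = 999
  }

  root_directory {
    path = local.efs_root_access_point_path
    creation_info {
      # Directory is created on first mount with this owner and mode, so the
      # owner must be the same identity the Connect process runs as.
      owner_uid = 999
      owner_gid = 999
      # Assumption: only the Connect user needs to reach its data directory, so the
      # post's group/world-accessible 775 is tightened to owner-only plus group read.
      permissions = "750"
    }
  }

  tags = merge({ Name = "${local.efs_name}-access-point" })
}
```

The task definition's mountPoints and efs_volume_configuration from the post stay as they are; only the identity the access point enforces needs to change, and after a `terraform apply` the container should get past the NewController ownership check.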