AWS File Gateway file share Unavailable status, how to troubleshoot?

When you create an NFS or SMB file share using AWS File Gateway, the file share sometimes goes into Unavailable status. To use the file share, it must be in Available status. In this post, I describe some scenarios that cause Unavailable status and the troubleshooting steps to resolve them.

  • Misconfigured file share IAM role
  • Misconfigured permissions in case of cross account setup
  • Restrictive permissions on S3 bucket policy
  • Issues with network connectivity to S3 endpoint
  • Incorrect selection of region when creating the file share

Misconfigured file share IAM role:
The file share uses an IAM role that trusts the Storage Gateway service (storagegateway.amazonaws.com) to access the specified S3 bucket. Verify that the trust relationship of the file share IAM role includes the Storage Gateway service principal, as below.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "storagegateway.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

In addition to the trust policy, verify that the file share IAM role has the following permissions on the bucket (replace TestBucket with your bucket name).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:GetAccelerateConfiguration",
                "s3:GetBucketLocation",
                "s3:GetBucketVersioning",
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": "arn:aws:s3:::TestBucket",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectVersion",
                "s3:ListMultipartUploadParts",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::TestBucket/*",
            "Effect": "Allow"
        }
    ]
}

Misconfigured permissions in a cross-account setup:
When you use two AWS accounts, for example Account A for the file gateway and Account B for the S3 bucket, you must set up permissions on both sides. In addition to the file share IAM role in Account A described above, the S3 bucket policy in Account B must grant the following permissions to that role.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::AccountA:role/service-role/<Role-Name>"
        },
        "Action": [
            "s3:GetAccelerateConfiguration",
            "s3:GetBucketLocation",
            "s3:GetBucketVersioning",
            "s3:ListBucket",
            "s3:ListBucketVersions",
            "s3:ListBucketMultipartUploads",
            "s3:AbortMultipartUpload",
            "s3:DeleteObject",
            "s3:DeleteObjectVersion",
            "s3:GetObject",
            "s3:GetObjectAcl",
            "s3:GetObjectVersion",
            "s3:ListMultipartUploadParts",
            "s3:PutObject",
            "s3:PutObjectAcl"
        ],
        "Resource": [
            "arn:aws:s3:::AccountB-Bucketname",
            "arn:aws:s3:::AccountB-Bucketname/*"
        ]
    }]
}
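Checking the two policy documents by hand is error-prone, so here is an added example (not part of the original post) that verifies the trust policy and the S3 permissions from the two sections above. It works on the role's permissions policy and on the cross-account bucket policy alike, since it only inspects Effect, Action and Resource; the sample documents are constructed, and matching is exact (wildcards are not expanded).

```python
# Permissions the post lists for the file share IAM role, split by the ARN they apply to.
BUCKET_ACTIONS = {"s3:GetAccelerateConfiguration", "s3:GetBucketLocation", "s3:GetBucketVersioning",
                  "s3:ListBucket", "s3:ListBucketVersions", "s3:ListBucketMultipartUploads"}
OBJECT_ACTIONS = {"s3:AbortMultipartUpload", "s3:DeleteObject", "s3:DeleteObjectVersion",
                  "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion",
                  "s3:ListMultipartUploadParts", "s3:PutObject", "s3:PutObjectAcl"}

def _as_list(value):
    # IAM accepts either a single string or a list for Action, Resource and Principal.Service.
    return value if isinstance(value, list) else [value]

def trusts_storage_gateway(trust_policy: dict) -> bool:
    """True if an Allow statement lets storagegateway.amazonaws.com call sts:AssumeRole."""
    for st in trust_policy.get("Statement", []):
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (st.get("Effect") == "Allow" and "storagegateway.amazonaws.com" in services
                and "sts:AssumeRole" in _as_list(st.get("Action", []))):
            return True
    return False

def missing_s3_actions(policy: dict, bucket: str) -> set:
    """Required actions that no Allow statement grants on the exact bucket or object ARN.
    Usable for the role's permissions policy and for a bucket policy (Principal is ignored).
    Exact matching only: wildcard actions or resources are not expanded."""
    bucket_arn, objects_arn = f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"
    granted = {bucket_arn: set(), objects_arn: set()}
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        for res in _as_list(st.get("Resource", [])):
            if res in granted:
                granted[res] |= set(_as_list(st.get("Action", [])))
    return (BUCKET_ACTIONS - granted[bucket_arn]) | (OBJECT_ACTIONS - granted[objects_arn])

# Constructed samples: the post's trust policy, and a permissions policy for TestBucket
# that omits s3:PutObjectAcl on the object ARN.
TRUST_OK = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"Service": "storagegateway.amazonaws.com"}}]}
PERMS_INCOMPLETE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(BUCKET_ACTIONS), "Resource": "arn:aws:s3:::TestBucket"},
    {"Effect": "Allow", "Action": sorted(OBJECT_ACTIONS - {"s3:PutObjectAcl"}),
     "Resource": "arn:aws:s3:::TestBucket/*"}]}

if __name__ == "__main__":
    print("trust policy ok:", trusts_storage_gateway(TRUST_OK))
    print("missing actions:", sorted(missing_s3_actions(PERMS_INCOMPLETE, "TestBucket")))
```

Feed it the documents returned by `aws iam get-role` and `aws iam get-role-policy` (or `aws s3api get-bucket-policy` for the cross-account case) after parsing them as JSON.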

Restrictive permissions on the S3 bucket policy:
If your S3 bucket policy restricts access to specific IAM roles or IAM users, as in the example below, you also need to grant access to the file share IAM role in that bucket policy. The example policy denies all S3 actions to every principal whose aws:userId is not in the list, so the unique ID of the file share role (the AROA... value, suffixed with :*) must be added to that list. You can get the role's unique ID with:

$ aws iam get-role --role-name <role-name> --query Role.RoleId

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::MyExampleBucket",
            "arn:aws:s3:::MyExampleBucket/*"
        ],
        "Condition": {
            "StringNotLike": {
                "aws:userId": [
                    "AROAEXAMPLEID:*",
                    "AIDAEXAMPLEID",
                    "111111111111"
                ]
            }
        }
    }]
}

Issues with network connectivity to the S3 endpoint:
A file share needs network connectivity from the gateway to the S3 endpoints to stay in Available status; otherwise it can go to Unavailable status. If your gateway is activated using public endpoints, verify that the gateway can connect to s3.amazonaws.com and s3.<region>.amazonaws.com. You can check connectivity and the SSL certificate from the gateway local console using its command prompt. If the checks below fail, review your firewall rules, allow-list the S3 endpoints, and make sure the connection is not subject to SSL inspection (the certificate issuer should be Amazon, as in the output below).

Command: ncport -d s3.us-west-2.amazonaws.com -p 443

Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 52.218.250.208:443.
Ncat: 0 bytes sent, 0 bytes received in 0.01 seconds.
Command: sslcheck -d s3.us-west-2.amazonaws.com -p 443
subject=/CN=*.s3-us-west-2.amazonaws.com
issuer=/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon

If your gateway is activated against a VPC endpoint and uses an S3 interface VPC endpoint to reach S3, verify that the gateway can connect to the elastic network interface of the VPC endpoint. If it cannot, check the security group of the S3 interface VPC endpoint and allow inbound port 443 from the gateway's IP address.

Command: ncport -d 172.31.30.150 -p 443

Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 52.218.250.208:443.
Ncat: 0 bytes sent, 0 bytes received in 0.01 seconds.
Command: sslcheck -d 172.31.30.150 -p 443
subject=/CN=*.s3-us-west-2.amazonaws.com
issuer=/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon

If you use an S3 gateway VPC endpoint for the gateway to reach S3, verify that the subnet of the gateway's EC2 instance (or, in some cases, of an HTTP proxy running on EC2) has a route to the S3 prefix list. In the route table associated with the instance's subnet, you should see a route whose destination is the prefix list ID and whose target is the gateway endpoint ID.

Destination	 Target
prefix_list_id	 gateway_endpoint_id

You also need to allow outbound port 443 in the instance security group to the IP address ranges of the S3 prefix list. You can find those ranges under Managed prefix lists in the VPC section of the AWS Management Console, or with the following CLI command.

aws ec2 describe-prefix-lists --prefix-list-ids <prefix-list-id>
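The route table check above can be automated against the output of `aws ec2 describe-route-tables`. This is an added example, not code from the original post: it resolves which route table applies to the gateway's subnet (explicit association first, then the VPC's main table) and looks for an active route from the S3 prefix list to a VPC endpoint. The response below is a constructed, trimmed sample with placeholder IDs.

```python
# Constructed sample: a trimmed `aws ec2 describe-route-tables` response with placeholder IDs.
# The main route table has no S3 route; the gateway's subnet has an explicit table that does.
SAMPLE_ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-0000main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-0000gw", "Associations": [{"Main": False, "SubnetId": "subnet-gateway"}],
     "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationPrefixListId": "pl-s3example", "GatewayId": "vpce-s3example",
                 "State": "active"}]},
]}

def route_table_for_subnet(describe_output: dict, subnet_id: str):
    """Return the route table that applies to a subnet: an explicit association wins,
    otherwise the VPC's main route table is used (None if neither exists)."""
    main = None
    for rt in describe_output.get("RouteTables", []):
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def has_s3_gateway_endpoint_route(describe_output: dict, subnet_id: str, prefix_list_id: str) -> bool:
    """True if the subnet's route table has an active route for the S3 prefix list whose
    target is a VPC endpoint (the gateway_endpoint_id in the post's table)."""
    rt = route_table_for_subnet(describe_output, subnet_id)
    if rt is None:
        return False
    return any(route.get("DestinationPrefixListId") == prefix_list_id
               and str(route.get("GatewayId", "")).startswith("vpce-")
               and route.get("State") == "active"
               for route in rt.get("Routes", []))

if __name__ == "__main__":
    print(has_s3_gateway_endpoint_route(SAMPLE_ROUTE_TABLES, "subnet-gateway", "pl-s3example"))
    print(has_s3_gateway_endpoint_route(SAMPLE_ROUTE_TABLES, "subnet-other", "pl-s3example"))
```

Pass the real subnet ID of the gateway instance and the prefix list ID shown by `aws ec2 describe-prefix-lists`; a False result means the route from the post's table is missing or inactive.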

You also need to ensure that the gateway VPC endpoint policy does not restrict access to the S3 bucket. By default, the VPC endpoint policy allows all actions on all resources; if you modify it, make sure it still grants access to the bucket. For more information, see the AWS documentation on VPC endpoint policies.

Incorrect selection of region when creating the file share:
When creating the file share, you must specify the region of the Amazon S3 bucket. If you specify a region other than the one the bucket is in, the file share shows Unavailable status. For example, if your S3 bucket is in us-west-2 and you specify us-east-1 when creating the file share, whether in the AWS Management Console or the AWS CLI, the file share goes into Unavailable status. You have to delete the file share and create a new one with the correct region of the S3 bucket.
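To confirm the bucket's region before creating the file share, compare it with the output of `aws s3api get-bucket-location`. The added example below (not from the original post) normalizes that output, which has two quirks worth knowing: LocationConstraint is null for us-east-1 and the legacy value "EU" for eu-west-1. The sample responses are constructed.

```python
# Constructed sample responses from `aws s3api get-bucket-location --bucket <name>`.
# LocationConstraint is null for us-east-1 and the legacy value "EU" for eu-west-1.
SAMPLE_LOCATIONS = {
    "bucket-in-oregon": {"LocationConstraint": "us-west-2"},
    "bucket-in-virginia": {"LocationConstraint": None},
    "bucket-in-ireland": {"LocationConstraint": "EU"},
}

def bucket_region(get_bucket_location_output: dict) -> str:
    """Normalize get-bucket-location output to the region name you select for the file share."""
    constraint = get_bucket_location_output.get("LocationConstraint")
    if constraint in (None, ""):
        return "us-east-1"   # null/empty constraint means the bucket is in us-east-1
    if constraint == "EU":
        return "eu-west-1"   # legacy constraint for Ireland
    return constraint

def file_share_region_matches(get_bucket_location_output: dict, file_share_region: str) -> bool:
    """True when the region chosen for the file share is the bucket's actual region."""
    return bucket_region(get_bucket_location_output) == file_share_region

if __name__ == "__main__":
    for name, output in SAMPLE_LOCATIONS.items():
        print(name, "->", bucket_region(output))
    # The post's mismatch scenario: bucket in us-west-2, file share created with us-east-1.
    print("mismatch:", not file_share_region_matches(SAMPLE_LOCATIONS["bucket-in-oregon"], "us-east-1"))
```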


Let us know in the comments if you have any questions. Thank you.
