failed to provision volume with StorageClass “storage-class-name”: rpc error: code = Unauthenticated desc = Access Denied

Dipesh Majumdar
1 min readDec 5, 2023

failed to provision volume with StorageClass “storage-class-name”: rpc error: code = Unauthenticated desc = Access Denied

This error comes when trying to create a pvc with efs csi driver. The problem here is that the policy [efsCsiDriverPolicy] is not correct. The correct json for the policy should be this:

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowDescribe",
"Effect": "Allow",
"Action": [
"elasticfilesystem:DescribeAccessPoints",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeMountTargets",
"ec2:DescribeAvailabilityZones"
],
"Resource": "*"
},
{
"Sid": "AllowCreateAccessPoint",
"Effect": "Allow",
"Action": [
"elasticfilesystem:CreateAccessPoint"
],
"Resource": "*",
"Condition": {
"Null": {
"aws:RequestTag/efs.csi.aws.com/cluster": "false"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": "efs.csi.aws.com/cluster"
}
}
},
{
"Sid": "AllowTagNewAccessPoints",
"Effect": "Allow",
"Action": [
"elasticfilesystem:TagResource"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"elasticfilesystem:CreateAction": "CreateAccessPoint"
},
"Null": {
"aws:RequestTag/efs.csi.aws.com/cluster": "false"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": "efs.csi.aws.com/cluster"
}
}
},
{
"Sid": "AllowDeleteAccessPoint",
"Effect": "Allow",
"Action": "elasticfilesystem:DeleteAccessPoint",
"Resource": "*",
"Condition": {
"Null": {
"aws:ResourceTag/efs.csi.aws.com/cluster": "false"
}
}
}
]
}

--

--