Need help to remotely connect to a GameLift Managed EC2 Linux instance using SDK 5


I'm trying to remotely connect to a GameLift Managed EC2 Linux instance using SDK 5, without luck.

I'm getting the credentials with 'aws gamelift get-compute-access' and exporting them. When I try to run 'aws ssm start-session', I get this error:

An error occurred (AccessDeniedException) when calling the TerminateSession operation: User: arn:aws:sts::1234567890:assumed-role/FleetServiceEC2Access-DataPlaneRole-FRA/FleetsService-GetComputeAccess-f93ef9c8-c9fc-4378-b26d-7f7cbdf7a is not authorized to perform: ssm:TerminateSession on resource: arn:aws:ssm:eu-central-1:1234567890:session/FleetsService-GetComputeAccess-f93ef9c8-c9fc-4378-b26d-7f7cbdf7a-03fcf6ec5f9dd7d20 because no identity-based policy allows the ssm:TerminateSession action

I've read the following pages:


  1. Do I need to add some IAM permissions to the GameLift Instance role ARN?
  2. Do I need to install the SSM agent to the EC2 instance?


asked 2 months ago, 131 views
2 Answers
Accepted Answer
answered 2 months ago
  • Hi Jackson, thanks for the reply. I was missing the SessionManagerPlugin.

    The Session Manager plugin was installed successfully. Use the AWS CLI to start a session.
    aws --version
    aws-cli/2.13.14 Python/3.11.4 Linux/5.15.0-100-generic exe/x86_64.ubuntu.22 prompt/off

    After that, I got another error:

    Encountered error while initiating handshake. KMSEncryption failed on client with status 2 error: Failed to process action KMSEncryption: Error calling KMS GenerateDataKey API: NotFoundException: Alias arn:aws:kms:eu-central-1:1234567890:alias/SSMSessionEncryptionKey is not found.

    I've created a KMS alias: alias/SSMSessionEncryptionKey and configured the Session Manager to use it, as described here:

    However, now I'm getting:

    Encountered error while initiating handshake. Fetching data key failed: Unable to retrieve data key, Error when decrypting data key AccessDeniedException: User: arn:aws:sts::825289633156:assumed-role/DevAppStack-1d133b99-da12-4836-a965-AppInstanceRole-N0G7GcgiWe07/i-0b7c21c8d776aca29 is not authorized to perform: kms:Decrypt on the resource associated with this ciphertext because no identity-based policy allows the kms:Decrypt action
    	status code: 400, request id:

    Is there complete documentation that I can follow in order to remotely connect to GameLift EC2 Linux instances?


Did you manage to resolve this? I'm running into the same error. Any help would be appreciated.

answered a month ago
