The GameLift Fleet instance does not have permissions on logs

Question

I want to view the logs for my GameLift fleet in the CloudWatch LogGroup.
But the GameLift Instance does not have permissions to upload logs on CloudWatch LogGroup.

I set the Instance role of GameLift Fleet like this.

![Enter image description here](/media/postImages/original/IMnryJCtM2SbKhKBqp7XVOCA)

This role has a AWS manged policy named CloudWatchAgentServerPolicy and the policy and trust relationship is written like this.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "ec2.amazonaws.com",
                    "gamelift.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

When I tried to create a CloudWatch LogGroup on my GameLift Fleet instance, I got the following permission error.

![Enter image description here](/media/postImages/original/IMeD-WTDOAQoyG7miTXn8CUg)

It seems like GameLift Fleet instance does not have permission to create CloudWatch LogGroup.

I don't know how to give that permission.

Answer

Looking at the error it looks like you are using a different IAM role with AssumeRole.  
It is said that there is no CreateLogGroup in the IAM role "User: arn:aws:sts::783~~~", so please try adding permissions to this IAM role.

The GameLift Fleet instance does not have permissions on logs

関連するコンテンツ