Need help to remotely connect to a GameLift Managed EC2 Linux instance using SDK 5


I'm trying to remotely connect to a GameLift Managed EC2 Linux instance using SDK 5, without luck.

I'm getting the credentials with 'aws gamelift get-compute-access' and exporting them. When I try to run 'aws ssm start-session', I'm getting this error:

An error occurred (AccessDeniedException) when calling the TerminateSession operation: User: arn:aws:sts::1234567890:assumed-role/FleetServiceEC2Access-DataPlaneRole-FRA/FleetsService-GetComputeAccess-f93ef9c8-c9fc-4378-b26d-7f7cbdf7a is not authorized to perform: ssm:TerminateSession on resource: arn:aws:ssm:eu-central-1:1234567890:session/FleetsService-GetComputeAccess-f93ef9c8-c9fc-4378-b26d-7f7cbdf7a-03fcf6ec5f9dd7d20 because no identity-based policy allows the ssm:TerminateSession action

I've read the following pages:


  1. Do I need to add some IAM permissions to the GameLift Instance role ARN?
  2. Do I need to install the SSM agent on the EC2 instance?


  • Hi Jackson, thanks for the reply. I was missing the SessionManagerPlugin.

    The Session Manager plugin was installed successfully. Use the AWS CLI to start a session.
    aws --version
    aws-cli/2.13.14 Python/3.11.4 Linux/5.15.0-100-generic exe/x86_64.ubuntu.22 prompt/off

    After that, I got another error:

    Encountered error while initiating handshake. KMSEncryption failed on client with status 2 error: Failed to process action KMSEncryption: Error calling KMS GenerateDataKey API: NotFoundException: Alias arn:aws:kms:eu-central-1:1234567890:alias/SSMSessionEncryptionKey is not found.

    I've created a KMS alias: alias/SSMSessionEncryptionKey and configured the Session Manager to use it, as described here:

    However, now I'm getting:

    Encountered error while initiating handshake. Fetching data key failed: Unable to retrieve data key, Error when decrypting data key AccessDeniedException: User: arn:aws:sts::825289633156:assumed-role/DevAppStack-1d133b99-da12-4836-a965-AppInstanceRole-N0G7GcgiWe07/i-0b7c21c8d776aca29 is not authorized to perform: kms:Decrypt on the resource associated with this ciphertext because no identity-based policy allows the kms:Decrypt action
    	status code: 400, request id:

    Is there complete documentation that I can follow in order to remotely connect to GameLift EC2 Linux instances?


Did you manage to resolve this? I'm running into the same error. Any help would be appreciated.

