Cannot remotely connect to my GameLift instances using SSM Session Manager

0

Greetings,

I'm currently utilizing version 5.0.0 of the GameLift SDK alongside an Unreal Engine server on Linux, with instances ranging from c5.large to c4.xlarge in the eu-central-1 region. The instances are operational, allowing me to connect and engage in gameplay seamlessly.

However, I've encountered a challenge with remote connectivity to these instances. Despite ensuring the singular instance is running and configuring my fleets correctly, I'm unable to establish a remote connection. Here's a snippet of my role trust relationships:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "gamelift.me-south-1.amazonaws.com",
          "gamelift.amazonaws.com",
          "gamelift.eu-south-1.amazonaws.com",
          "gamelift.eu-central-1.amazonaws.com",
          "gamelift.ap-east-1.amazonaws.com",
          "gamelift.af-south-1.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Additionally, I've meticulously configured policies for KMS, SSM, AmazonSSMManagedInstanceCore and S3. These configurations have been validated through successful tests in the policy simulator. The same applies to my IAM user account, where all tests for KMS, SSM, and S3 have passed.

However, upon attempting to connect to the GameLift server instance remotely, I consistently encounter the following error:

Fetching data key failed: Unable to retrieve data key, Error when decrypting data key AccessDeniedException: User: arn:aws:sts::825289633156:assumed-role/DevAppStack-89ac5076-f8cf-43a5-a0a4-AppInstanceRole-cGjUsmttT01R/i-0e92ee535329af63b is not authorized to perform: kms:Decrypt on the resource associated with this ciphertext because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly denies access status code: 400, request id: a96b7c2d-8d02-4a4c-abc7-b6af7f186611

This obstacle has currently halted progress, as I'm unable to utilize session manager or resort to traditional SSH access methods.

Could you kindly assist in resolving this issue and offer guidance on troubleshooting?

The second issue I'm experiencing is downloading the game session logs. In my game server I set:

LogFilePath = /local/game/mygame/Saved/Logs/
LogFileName = gamelift_log.txt

I added all the logging logic in C++, but when I call get_game_session_log_url, get the link, and unzip the download, I only get a ReadMe.txt file saying: Game Server Logs Error: Missing file/directory /local/game/mygame/Saved/Logs/gamelift_log.txt

Best regards, Dino

Dino
asked 13 days ago, 171 views
2 Answers
0

Hey, not sure regarding the log issue. But for the Session Manager, have you also installed the SSM plugin? I was stuck on a similar issue for a couple of days, tried literally everything, and found this advice on a totally unrelated topic. https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html

OnAn
answered 9 days ago
0

Hey, thanks for your answer. I have installed the Session Manager plugin, and it is running properly. When I enter session-manager-plugin in the cmd, I get: "The Session Manager plugin was installed successfully. Use the AWS CLI to start a session."

Seems like the fleet instance itself is missing the credentials for the key management. But even if I set it in the policy which is connected to the role that the fleet is using, I still get the kms:Decrypt error.

Here is the post with the same issue. https://repost.aws/questions/QUmaMDCi1QTsmT5yQ1cZLvvw/need-help-to-remotely-connect-to-a-gamelift-managed-ec2-linux-instance-using-sdk-5

I hope Amazon can share their preferred setup for this issue. Documentation is very weak.

Dino
answered 9 days ago
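
An added example (not part of the thread, and not AWS or GameLift code): a small parser that pulls the account, role name, session name and action out of the AccessDeniedException quoted in the question, so the role named in the denial can be compared with the role whose policy was edited. `FLEET_ROLE_ARN` and the function names are constructed placeholders; substitute the ARN of the role actually attached to the fleet.

```python
import re

# Error text as quoted in the question (only the part that is parsed).
ERROR = ("AccessDeniedException: User: arn:aws:sts::825289633156:assumed-role/"
         "DevAppStack-89ac5076-f8cf-43a5-a0a4-AppInstanceRole-cGjUsmttT01R/"
         "i-0e92ee535329af63b is not authorized to perform: kms:Decrypt on the "
         "resource associated with this ciphertext")

# Constructed placeholder, not a value from the thread.
FLEET_ROLE_ARN = "arn:aws:iam::111122223333:role/ExampleFleetRole"

DENIAL = re.compile(
    r"User: arn:(?P<partition>[\w-]+):sts::(?P<account>\d{12}):assumed-role/"
    r"(?P<role>[\w+=,.@-]+)/(?P<session>[\w+=,.@-]+) "
    r"is not authorized to perform: (?P<action>[\w-]+:\w+)")

def parse_denial(message):
    """Return the denied principal and action, or None if the text does not match."""
    m = DENIAL.search(message)
    return m.groupdict() if m else None

def parse_role_arn(arn):
    """Split an IAM role ARN into (account, role name).

    An assumed-role ARN never carries the role path, so the path is dropped
    here too and only account and role name are compared.
    """
    m = re.fullmatch(
        r"arn:[\w-]+:iam::(\d{12}):role/(?:[\w+=,.@/-]*/)?([\w+=,.@-]+)", arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {arn}")
    return m.group(1), m.group(2)

def denied_role_matches(message, role_arn):
    """True only if the role named in the denial is the role given in role_arn."""
    d = parse_denial(message)
    if d is None:
        raise ValueError("no assumed-role denial found in message")
    return (d["account"], d["role"]) == parse_role_arn(role_arn)

if __name__ == "__main__":
    d = parse_denial(ERROR)
    print(f"denied {d['action']}: role {d['role']} in account {d['account']}, "
          f"session {d['session']}")
    print("same role as the one edited:", denied_role_matches(ERROR, FLEET_ROLE_ARN))
```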
