Gamelift Fleet and DynamoDb account id issue with DescribeTable

0

I have been using Gamelift with a Unity build for my game logic for a while. I have also been using Lambda and DynamoDB together successfully for a while as well. I am now trying to save match results directly to a dynamo table from instances on my Gamelift fleet and am getting very strange results. I use Cloudformation to deploy all my matchmaking configurations, dynamo tables, and also lambda functions that the user game client connects to. Since my gamelift servers are a trusted entity, I am trying to give access to my fleet for full access to DynamoDB. My gamelift server build is using AWSSDKDynamoDBv2 version 3.3.0.0

I have created an IAM role that has a Policy and AssumeRolePolicyDocument that should give access to my fleet to access Dynamo. This appears to be attached to the fleet successfully and everything looks correct in the AWS console. I am able to read from the table and successfully get items from the table, but when I try to save items I get an error: WebException: The remote server returned an error: (400) Bad Request.

and I see this in the stack trace (I blanked out the account info; excuse the asterisks): Rethrow as AmazonDynamoDBException: User: arn:aws:sts::7**1:assumed-role/DevAppStack--AppInstanceRole-/i-************* is not authorized to perform: dynamodb:DescribeTable on resource: arn:aws:dynamodb:us-west-2:7**********1:table/ClosedBetaPlayerData because no identity-based policy allows the dynamodb:DescribeTable action

On the surface it looks like a role issue, but what is weird about this is that the account ID in the ARN is not the account ID of my AWS account. I have no idea what this account ID is and do not understand why my GameLift server has the assumed role of this unknown account ID. I have already spoken to someone with account support and verified that there is no connection between the ID I see here and my AWS account.

Has anyone else dealt with something similar to this? What am I missing? Thanks in advance for the help!

1 Answer
0

https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-sdk-server-resources.html

Have a quick read over that doc.

If you create the DynamoDB client using the default credentials chain, you'll end up using GameLift's instance profile credentials, which won't have any permissions to any services in your account. If you're using GameLift Server SDK 4.0 or lower, you can assume the InstanceRoleArn you provided in CreateFleet directly in code. If you're using Server SDK 5.0 or higher, you'll need to call GetFleetRoleCredentials and use the returned credentials (your InstanceRoleArn) when creating and making calls to the DynamoDB client. If the permissions on your provided Role are correct, that should do the trick!

AWS
answered 2 months ago
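To make the answer concrete, here is an added C# illustration of both credential paths it describes (this is not code from the answer above, from AWS, or from the asker's project). It assumes the AWSSDK.DynamoDBv2, AWSSDK.SecurityToken and GameLift Server SDK assemblies are referenced, that the Server SDK 5 type and member names (`GameLiftServerAPI.GetFleetRoleCredentials`, `GetFleetRoleCredentialsRequest`, the outcome's `Success`, `Error` and `Result` members) match the `Aws.GameLift.Server` namespace, and that the role ARN and table name are placeholders you replace with your own. The synchronous `AssumeRole` and `PutItem` calls assume the .NET Framework build of the AWS SDK; on .NET Standard builds use the `Async` variants.

```csharp
// Added example (not from the original post): build a DynamoDB client from the
// fleet's InstanceRoleArn credentials rather than the default credential chain,
// which on a GameLift instance resolves to GameLift's own instance profile.
using System;
using Amazon;
using Amazon.DynamoDBv2;
using Amazon.DynamoDBv2.DocumentModel;
using Amazon.Runtime;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;
using Aws.GameLift.Server;          // assumed: GameLift Server SDK 5 namespace
using Aws.GameLift.Server.Model;    // assumed: GetFleetRoleCredentialsRequest lives here

public static class FleetDynamoDb
{
    // Placeholder: the InstanceRoleArn you passed to CreateFleet.
    const string InstanceRoleArn = "arn:aws:iam::<YOUR_ACCOUNT_ID>:role/<YOUR_INSTANCE_ROLE>";
    // Placeholder table name; the region matches the one in the error message.
    const string TableName = "<YOUR_TABLE_NAME>";
    static readonly RegionEndpoint Region = RegionEndpoint.USWest2;

    // Server SDK 5.0+: let the GameLift service hand you temporary credentials
    // for the fleet role. (Member names assumed; check your SDK version.)
    public static AWSCredentials CredentialsFromServerSdk5()
    {
        var outcome = GameLiftServerAPI.GetFleetRoleCredentials(
            new GetFleetRoleCredentialsRequest { RoleArn = InstanceRoleArn });
        if (!outcome.Success)
            throw new InvalidOperationException("GetFleetRoleCredentials failed: " + outcome.Error);

        var r = outcome.Result;
        return new SessionAWSCredentials(r.AccessKeyId, r.SecretAccessKey, r.SessionToken);
    }

    // Server SDK 4.0 and lower: assume the role yourself. The STS client below
    // uses the default chain, i.e. GameLift's instance profile, whose only job
    // here is to be allowed to assume your InstanceRoleArn.
    public static AWSCredentials CredentialsFromSts()
    {
        using (var sts = new AmazonSecurityTokenServiceClient(Region))
        {
            var resp = sts.AssumeRole(new AssumeRoleRequest
            {
                RoleArn = InstanceRoleArn,
                RoleSessionName = "gamelift-server-" + Environment.MachineName,
                DurationSeconds = 3600
            });
            var c = resp.Credentials;
            return new SessionAWSCredentials(c.AccessKeyId, c.SecretAccessKey, c.SessionToken);
        }
    }

    // Write a match result with the explicit credentials. Note that
    // Table.LoadTable calls DescribeTable before any read or write, so the
    // role's policy must allow dynamodb:DescribeTable as well as dynamodb:PutItem;
    // that is the action named in the 400 error above.
    public static void SaveMatchResult(AWSCredentials creds, string playerId, int score)
    {
        using (var ddb = new AmazonDynamoDBClient(creds, Region))
        {
            var table = Table.LoadTable(ddb, TableName);
            var doc = new Document();
            doc["PlayerId"] = playerId;   // constructed sample attributes
            doc["LastScore"] = score;
            table.PutItem(doc);
        }
    }
}
```

Pick the credential helper that matches your Server SDK version, pass its result into `SaveMatchResult`, and the assumed-role ARN in any subsequent error will carry your account ID rather than the unfamiliar one, which lets you scope the role's policy to exactly the DynamoDB actions the server needs (here `DescribeTable` plus `PutItem` on the table ARN) instead of full DynamoDB access.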
