Target Not Connected on gamelift fleet instance, can't use guides because they are meant for EC2 not Gamelift

0

I'm trying to connect to my instance on Gamelift Fleet using

aws ssm start-session --target i-instanceidhere --region eu-central-1

AWS CLI gives error: "Target not Connected". The documentation for Target Not Connected error lists 20 possible issues, most of which are meant not for gamelift instances but for EC2 instances, which you can access with various tools like fleet manager. I can't see my instances in fleet manager and I can't access their SM version data or other properties that are available on regular EC2 instances, because they are not regular EC2 instances. They are gamelift instances. So I'm unable to connect to the instance and the error message is way too generic to fix it or verify what is the issue in the first place: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-troubleshooting.html#ssh-target-not-connected

I just want to see the gameserver logs on the instance like was possible to do with e.g. WinSCP using the old SDK (v4). Since SDK 5 it's not possible and now I have to use some tools and guides that were not designed with gamelift in mind and are simply not applicable. I've spent so much time trying to see just a log file of my server build on the fleet.

  1. The log files are supposed to appear on S3 but they don't.
  2. I've set up cloudwatch agent in same way that I used for 2 other projects where it worked but it doesn't work any more. Not a single cloudwatch entry appears. I have set up the role and the cloudwatch agent json and the install.sh script and it just doesn't appear in cloudwatch.
  3. I used to be able to see the logs on WinSCP when connecting to the instance but it's not meant to work any more since Gamelift SDK 5.+ does not provide me with information required to access the instance and instead requires that I use Session Manager which just says "Target not connected" and the guides are meant for EC2 fleets and use views and methods that can't be used on Gamelift.

The time it takes to see a simple log file is more than it takes to write your own goddamn orchestration from scratch. Half of the time you need to first log into the instance in order to verify the issue of Session Manager but the issue stops you from logging into the instance in the first place.

asked a month ago · 54 views
2 Answers
2

Hello.

IAM settings are slightly different if you are using GameLift SDKv5.
As described in the document below, in order to output logs from GameLift fleet to CloudWatch Logs with CloudWatch Agent, you need to configure something called "shared credentials".
I think the GameLift fleet is failing to assume the appropriate IAM role, resulting in a failure to connect via Session Manager.
https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-sdk-server-resources.html#gamelift-sdk-server-resources-roles

For non-server applications that are deployed with game server builds using server SDK 5.x, add code to get and use credentials stored in a shared file. Amazon GameLift generates a credentials profile for each fleet instance. The credentials are available for use by all applications on the instance. Amazon GameLift continually refreshes the temporary credentials.

You must configure a fleet to generate the shared credentials file on fleet creation.

In each application that needs to use the shared credentials file, specify the file location and profile name, as follows:

Windows:
[credentials]
shared_credential_profile= "FleetRoleCredentials"
shared_credential_file= "C:\Credentials\credentials"

Linux:
[credentials]
shared_credential_profile= "FleetRoleCredentials"
shared_credential_file= "/local/credentials/credentials"

Example: Set up a CloudWatch agent to collect metrics for Amazon GameLift fleet instances

If you want to use an Amazon CloudWatch agent to collect metrics, logs, and traces from your Amazon GameLift fleets, use this method to authorize the agent to emit the data to your account. In this scenario, take the following steps:

  1. Retrieve or write the CloudWatch agent config.json file.
  2. Update the common-config.toml file for the agent to identify the credentials file name and profile name, as described above.
  3. Set up your game server build install script to install and start the CloudWatch agent.
EXPERT
answered a month ago
EXPERT
reviewed a month ago
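
Steps 2 and 3 quoted in the answer above, sketched as helpers for a Linux install.sh. This is an added example, not code from the answer or from AWS: the function names are hypothetical, and the check assumes the shared credentials file uses the standard AWS INI layout with a `[FleetRoleCredentials]` section header.

```shell
#!/bin/sh
# Added example. Profile name and file path are the Linux values quoted in the
# answer; function names are hypothetical.
CRED_FILE_DEFAULT="/local/credentials/credentials"
CRED_PROFILE_DEFAULT="FleetRoleCredentials"

# Write the CloudWatch agent's common-config.toml so the agent reads the fleet's
# shared credentials instead of looking for an EC2 instance profile.
# On an instance the target is normally
#   /opt/aws/amazon-cloudwatch-agent/etc/common-config.toml
write_common_config() {
  wcc_out="$1"
  wcc_profile="${2:-$CRED_PROFILE_DEFAULT}"
  wcc_file="${3:-$CRED_FILE_DEFAULT}"
  cat > "$wcc_out" <<EOF
[credentials]
  shared_credential_profile = "${wcc_profile}"
  shared_credential_file = "${wcc_file}"
EOF
}

# Diagnostic for the install log. Never prints key material.
# Returns: 0 = file readable and profile present
#          1 = file missing/unreadable (fleet likely created without shared credentials)
#          2 = file present but the expected profile section is absent
check_shared_credentials() {
  csc_file="${1:-$CRED_FILE_DEFAULT}"
  csc_profile="${2:-$CRED_PROFILE_DEFAULT}"
  if [ ! -r "$csc_file" ]; then
    echo "shared credentials missing or unreadable: $csc_file" >&2
    return 1
  fi
  # Tolerate CRLF line endings and trailing whitespace on the section header.
  if ! tr -d '\r' < "$csc_file" | sed 's/[[:space:]]*$//' \
       | grep -qxF "[${csc_profile}]"; then
    echo "profile [${csc_profile}] not found in $csc_file" >&2
    return 2
  fi
  return 0
}
```

Logging the return code of `check_shared_credentials` from install.sh distinguishes "fleet was created without the shared credentials file" from "agent is pointed at the wrong profile" without anyone needing a shell on the instance.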
-1

I understand your frustration with trying to access logs for your GameLift fleet instances. The situation you're describing highlights some of the unique challenges when working with GameLift compared to standard EC2 instances. Let me address your concerns and provide some potential solutions:

  1. Regarding logs not appearing in S3: This could be due to incorrect permissions or configuration. Double-check that your GameLift fleet role has the necessary permissions to write to the S3 bucket, and that the S3 logging is correctly set up in your fleet configuration.

  2. For CloudWatch logs not appearing: Ensure that the IAM role attached to your GameLift fleet has the required permissions for CloudWatch. Also, verify that the CloudWatch agent configuration is correctly set up for GameLift instances, as there might be slight differences compared to standard EC2 instances.

  3. The "Target not connected" error with Session Manager could be due to several reasons specific to GameLift:

    • Ensure that your IAM user or role has the necessary permissions to use Systems Manager with GameLift instances.
    • Verify that the VPC where your GameLift fleet is deployed has the required VPC endpoints for Systems Manager.
    • Check if the security group associated with your GameLift instances allows the necessary inbound traffic for Systems Manager.

As an alternative approach, you might want to consider using the GameLift API, specifically the GetInstanceAccess operation. This can provide you with credentials to connect to a specific instance in your fleet. You could then use these credentials to establish an SSH connection and access your logs directly.

Another option is to use GameLift's built-in log routing feature to send your game server logs to CloudWatch Logs automatically. This can be set up when you create or update your fleet, and it doesn't require additional configuration on the instances themselves.

If you're still unable to access your logs, you may want to contact AWS Support for GameLift-specific troubleshooting, as they can provide more tailored assistance for your particular setup.

Remember, while GameLift uses EC2 instances under the hood, the management and access patterns are different, which is why standard EC2 troubleshooting guides may not always apply directly.
Sources
DescribeInstances - Amazon GameLift
Steps to connect GameLift fleets and user-managed VPCs with VPC peering | AWS re:Post

answered a month ago
