By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Need help to remotely connect to a GameLift Managed EC2 Linux instance using SDK 5

0

I'm trying to remotely connect to a GameLift Managed EC2 Linux instance using SDK 5, without luck.

I'm getting the credentials with 'aws gamelift get-compute-access' and export them. When I try to run 'aws ssm start-session', I'm getting this error:

An error occurred (AccessDeniedException) when calling the TerminateSession operation: User: arn:aws:sts::1234567890:assumed-role/FleetServiceEC2Access-DataPlaneRole-FRA/FleetsService-GetComputeAccess-f93ef9c8-c9fc-4378-b26d-7f7cbdf7a is not authorized to perform: ssm:TerminateSession on resource: arn:aws:ssm:eu-central-1:1234567890:session/FleetsService-GetComputeAccess-f93ef9c8-c9fc-4378-b26d-7f7cbdf7a-03fcf6ec5f9dd7d20 because no identity-based policy allows the ssm:TerminateSession action

I've read the following pages: https://docs.aws.amazon.com/gamelift/latest/developerguide/fleets-remote-access.html#fleets-remote-access-connect-5

https://repost.aws/questions/QU_fx149ibQiaZZEEfaK2rBQ/how-to-remotely-login-to-fleet-instance-using-server-sdk-5-outdated-documentation

https://repost.aws/questions/QU2ijZp7aLQMarRTr8TwnHFg/rdp-to-ec2-instance-with-ssm

Questions:

  1. Do I need to add some IAM permissions to the GameLift Instance role ARN?
  2. Do I need to install the SSM agent to the EC2 instance?

Thanks.

Topics
Game Tech
Tags
Amazon GameLift Servers
Language
English
Lucian
asked a year ago348 views
2 Answers
1
Accepted Answer

Hi Lucian,

Have you installed the SessionManagerPlugin on your local AWS CLI? https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html

This exception can be misleadingly caused when missing that plugin: https://repost.aws/questions/QUNltQgbVpTtGkR1dZ3mJcTA/error-user-cannot-terminate-their-own-ssm-session-when-trying-to-use-scp#ANyH38n5UqT2SxK_o_i4_g9Q

AWS
Jackson_AWS
answered a year ago
  • Lucian
    a year ago

    Hi Jackson, Thanks for the reply. I was missing the SessionManagerPlugin.

    session-manager-plugin
The Session Manager plugin was installed successfully. Use the AWS CLI to start a session.
aws --version
aws-cli/2.13.14 Python/3.11.4 Linux/5.15.0-100-generic exe/x86_64.ubuntu.22 prompt/off

    After that, I got another error:

    ----------ERROR-------
Encountered error while initiating handshake. KMSEncryption failed on client with status 2 error: Failed to process action KMSEncryption: Error calling KMS GenerateDataKey API: NotFoundException: Alias arn:aws:kms:eu-central-1:1234567890:alias/SSMSessionEncryptionKey is not found.

    I've created a KMS alias: alias/SSMSessionEncryptionKey and configured the Session Manager to use it, as described here: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-preferences-enable-encryption.html

    However, now I'm getting:

    Encountered error while initiating handshake. Fetching data key failed: Unable to retrieve data key, Error when decrypting data key AccessDeniedException: User: arn:aws:sts::825289633156:assumed-role/DevAppStack-1d133b99-da12-4836-a965-AppInstanceRole-N0G7GcgiWe07/i-0b7c21c8d776aca29 is not authorized to perform: kms:Decrypt on the resource associated with this ciphertext because no identity-based policy allows the kms:Decrypt action
	status code: 400, request id:

    Is there a complete documentation that I can follow in order to remotely connect to GameLift EC2 linux instances?

0

Did you manage to resolve this, I'm running into the same error, any help would be appreciated.

Dino
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content