By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Need help to remotely connect to a GameLift Managed EC2 Linux instance using SDK 5

0

I'm trying to remotely connect to a GameLift Managed EC2 Linux instance using SDK 5, without luck.

I'm getting the credentials with 'aws gamelift get-compute-access' and export them. When I try to run 'aws ssm start-session', I'm getting this error:

An error occurred (AccessDeniedException) when calling the TerminateSession operation: User: arn:aws:sts::1234567890:assumed-role/FleetServiceEC2Access-DataPlaneRole-FRA/FleetsService-GetComputeAccess-f93ef9c8-c9fc-4378-b26d-7f7cbdf7a is not authorized to perform: ssm:TerminateSession on resource: arn:aws:ssm:eu-central-1:1234567890:session/FleetsService-GetComputeAccess-f93ef9c8-c9fc-4378-b26d-7f7cbdf7a-03fcf6ec5f9dd7d20 because no identity-based policy allows the ssm:TerminateSession action

I've read the following pages: https://docs.aws.amazon.com/gamelift/latest/developerguide/fleets-remote-access.html#fleets-remote-access-connect-5

https://repost.aws/questions/QU_fx149ibQiaZZEEfaK2rBQ/how-to-remotely-login-to-fleet-instance-using-server-sdk-5-outdated-documentation

https://repost.aws/questions/QU2ijZp7aLQMarRTr8TwnHFg/rdp-to-ec2-instance-with-ssm

Questions:

  1. Do I need to add some IAM permissions to the GameLift Instance role ARN?
  2. Do I need to install the SSM agent to the EC2 instance?

Thanks.

Topics
Game Tech
Tags
Amazon GameLift
Language
English
Lucian
asked a month ago106 views
2 Answers
1
Accepted Answer

Hi Lucian,

Have you installed the SessionManagerPlugin on your local AWS CLI? https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html

This exception can be misleadingly caused when missing that plugin: https://repost.aws/questions/QUNltQgbVpTtGkR1dZ3mJcTA/error-user-cannot-terminate-their-own-ssm-session-when-trying-to-use-scp#ANyH38n5UqT2SxK_o_i4_g9Q

AWS
Jackson_AWS
answered a month ago
  • Lucian
    a month ago

    Hi Jackson, Thanks for the reply. I was missing the SessionManagerPlugin.

    session-manager-plugin
The Session Manager plugin was installed successfully. Use the AWS CLI to start a session.
aws --version
aws-cli/2.13.14 Python/3.11.4 Linux/5.15.0-100-generic exe/x86_64.ubuntu.22 prompt/off

    After that, I got another error:

    ----------ERROR-------
Encountered error while initiating handshake. KMSEncryption failed on client with status 2 error: Failed to process action KMSEncryption: Error calling KMS GenerateDataKey API: NotFoundException: Alias arn:aws:kms:eu-central-1:1234567890:alias/SSMSessionEncryptionKey is not found.

    I've created a KMS alias: alias/SSMSessionEncryptionKey and configured the Session Manager to use it, as described here: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-preferences-enable-encryption.html

    However, now I'm getting:

    Encountered error while initiating handshake. Fetching data key failed: Unable to retrieve data key, Error when decrypting data key AccessDeniedException: User: arn:aws:sts::825289633156:assumed-role/DevAppStack-1d133b99-da12-4836-a965-AppInstanceRole-N0G7GcgiWe07/i-0b7c21c8d776aca29 is not authorized to perform: kms:Decrypt on the resource associated with this ciphertext because no identity-based policy allows the kms:Decrypt action
	status code: 400, request id:

    Is there a complete documentation that I can follow in order to remotely connect to GameLift EC2 linux instances?

0

Did you manage to resolve this, I'm running into the same error, any help would be appreciated.

Dino
answered 10 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content