Communicate with other Amazon resources from your fleets
When you're creating a game server build for deployment on Amazon GameLift fleets, you might want the applications in your game build to communicate directly and securely with other Amazon resources that you own. Because Amazon GameLift manages your game hosting fleets, you must give Amazon GameLift limited access to these resources and services.
Some example scenarios include:
-
Use an Amazon CloudWatch agent to collect metrics, logs, and traces from managed EC2 fleets and Anywhere fleets
-
Send instance log data to Amazon CloudWatch Logs.
-
Obtain game files stored in an Amazon Simple Storage Service (Amazon S3) bucket.
-
Read and write game data (such as game modes or inventory) stored in an Amazon DynamoDB database or other data storage service.
-
Send signals directly to an instance using Amazon Simple Queue Service (Amazon SQS).
-
Access custom resources that are deployed and running on Amazon Elastic Compute Cloud (Amazon EC2).
Amazon GameLift supports these methods for establishing access:
Access Amazon resources with an IAM role
Use an IAM role to specify who can access your resources and set limits on that access. Trusted parties can "assume" a role and get temporary security credentials that authorize them to interact with the resources. When the parties make API requests related to the resource, they must include the credentials.
To set up access controlled by an IAM role, do the following tasks:
Create the IAM role
In this step, you create an IAM role, with a set of permissions to control access to your Amazon resources and a trust policy that gives Amazon GameLift rights to use the role's permissions.
For instructions on how to set up the IAM role , see Set up an IAM service role for Amazon GameLift. When creating the permissions policy, choose specific services, resources, and actions that your applications need to work with. As a best practice, limit the scope of the permissions as much as possible.
After you create the role, take note of the role's Amazon Resource Name (ARN). You need the role ARN during fleet creation.
Modify applications to acquire credentials
In this step, you configure your applications to acquire security credentials for the IAM role and use them when interacting with your Amazon resources . See the following table to determine how to modify your applications based on (1) the type of application, and (2) the server SDK version your game uses to communicate with Amazon GameLift.
| Game server applications | Other applications | |
|---|---|---|
|
Using server SDK version 4 or earlier |
Call Amazon Security Token Service (Amazon STS) |
Call Amazon Security Token Service (Amazon STS) |
Add code to your applications to assume the IAM role and get credentials to interact with your Amazon resources. Any application that runs on an Amazon GameLift fleet instance with server SDK 4 or earlier can assume the IAM role.
In the application code, before accessing an Amazon resource, the
application must call the Amazon Security Token Service (Amazon STS) AssumeRole API operation and specify the role ARN. This
operation returns a set of temporary credentials that authorizes the
application to access to the Amazon resource. For more information, see
Using
temporary credentials with Amazon resources in the
IAM User Guide.
Associate a fleet with the IAM role
After you've created the IAM role and updated the applications in your game server build to get and use the access credentials, you can deploy a fleet. When you configure the new fleet, set the following parameters:
InstanceRoleArn – Set this parameter to the ARN of the IAM role.
InstanceRoleCredentialsProvider – To prompt Amazon GameLift to generate a shared credentials file for each fleet instance, set this parameter to
SHARED_CREDENTIAL_FILE.
You must set these values when you create the fleet. They can't be updated later.
Access Amazon resources with VPC peering
You can use Amazon Virtual Private Cloud (Amazon VPC) peering to communicate between applications running on a Amazon GameLift instance and another Amazon resource. A VPC is a virtual private network that you define that includes a set of resources managed through your Amazon Web Services account. Each Amazon GameLift fleet has its own VPC. With VPC peering, you can establish a direct network connection between the VPC for your fleet and for your other Amazon resources.
Amazon GameLift streamlines the process of setting up VPC peering connections for your game servers. It handles peering requests, updates route tables, and configures the connections as required. For instructions about how to set up VPC peering for your game servers, see VPC peering for Amazon GameLift.