Communicate with other Amazon resources from your fleets - Amazon GameLift
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Communicate with other Amazon resources from your fleets

When you're creating a game server build for deployment on Amazon GameLift fleets, you might want the applications in your game build to communicate directly and securely with other Amazon resources that you own. Because Amazon GameLift manages your game hosting fleets, you must give Amazon GameLift limited access to these resources and services.

Some example scenarios include:

  • Use an Amazon CloudWatch agent to collect metrics, logs, and traces from managed EC2 fleets and Anywhere fleets

  • Send instance log data to Amazon CloudWatch Logs.

  • Obtain game files stored in an Amazon Simple Storage Service (Amazon S3) bucket.

  • Read and write game data (such as game modes or inventory) stored in an Amazon DynamoDB database or other data storage service.

  • Send signals directly to an instance using Amazon Simple Queue Service (Amazon SQS).

  • Access custom resources that are deployed and running on Amazon Elastic Compute Cloud (Amazon EC2).

Amazon GameLift supports these methods for establishing access:

Access Amazon resources with an IAM role

Use an IAM role to specify who can access your resources and set limits on that access. Trusted parties can "assume" a role and get temporary security credentials that authorize them to interact with the resources. When the parties make API requests related to the resource, they must include the credentials.

To set up access controlled by an IAM role, do the following tasks:

Create the IAM role

In this step, you create an IAM role, with a set of permissions to control access to your Amazon resources and a trust policy that gives Amazon GameLift rights to use the role's permissions.

For instructions on how to set up the IAM role , see Set up an IAM service role for Amazon GameLift. When creating the permissions policy, choose specific services, resources, and actions that your applications need to work with. As a best practice, limit the scope of the permissions as much as possible.

After you create the role, take note of the role's Amazon Resource Name (ARN). You need the role ARN during fleet creation.

Modify applications to acquire credentials

In this step, you configure your applications to acquire security credentials for the IAM role and use them when interacting with your Amazon resources . See the following table to determine how to modify your applications based on (1) the type of application, and (2) the server SDK version your game uses to communicate with Amazon GameLift.

Game server applications Other applications

Using server SDK version 4 or earlier

Call Amazon Security Token Service (Amazon STS) AssumeRole with the role ARN.

Call Amazon Security Token Service (Amazon STS) AssumeRole with the role ARN.

Add code to your applications to assume the IAM role and get credentials to interact with your Amazon resources. Any application that runs on an Amazon GameLift fleet instance with server SDK 4 or earlier can assume the IAM role.

In the application code, before accessing an Amazon resource, the application must call the Amazon Security Token Service (Amazon STS) AssumeRole API operation and specify the role ARN. This operation returns a set of temporary credentials that authorizes the application to access to the Amazon resource. For more information, see Using temporary credentials with Amazon resources in the IAM User Guide.

Associate a fleet with the IAM role

After you've created the IAM role and updated the applications in your game server build to get and use the access credentials, you can deploy a fleet. When you configure the new fleet, set the following parameters:

You must set these values when you create the fleet. They can't be updated later.

Access Amazon resources with VPC peering

You can use Amazon Virtual Private Cloud (Amazon VPC) peering to communicate between applications running on a Amazon GameLift instance and another Amazon resource. A VPC is a virtual private network that you define that includes a set of resources managed through your Amazon Web Services account. Each Amazon GameLift fleet has its own VPC. With VPC peering, you can establish a direct network connection between the VPC for your fleet and for your other Amazon resources.

Amazon GameLift streamlines the process of setting up VPC peering connections for your game servers. It handles peering requests, updates route tables, and configures the connections as required. For instructions about how to set up VPC peering for your game servers, see VPC peering for Amazon GameLift.