Communicate with other AWS resources from your fleets - Amazon GameLift

Communicate with other AWS resources from your fleets

This topic describes how to set up your game server software to communicate directly and securely with other AWS resources. You can use this connection to do tasks such as the following:

  • Send instance log data to Amazon CloudWatch Logs.

  • Capture Amazon CloudWatch metrics for better visibility into instance performance.

  • Obtain sensitive information (such as passwords) stored remotely in an Amazon Simple Storage Service (Amazon S3) bucket.

  • Read and write game data (such as game modes or inventory) stored in an Amazon DynamoDB database or other data storage service.

  • Send signals directly to an instance using Amazon Simple Queue Service (Amazon SQS).

  • Access custom resources that are deployed and running on Amazon Elastic Compute Cloud (Amazon EC2).

For your hosted software to interact with AWS resources that you own, you can give limited access permissions to Amazon GameLift. To establish this access, use either of the following methods:

Access AWS resources using an IAM role

For your game server or other applications to access your AWS resources, complete the following steps.

To set up access
  1. Set up an IAM service role for Amazon GameLift. For instructions about how to set up the AWS Identity and Access Management (IAM) service role for Amazon GameLift, see Set up an IAM service role for Amazon GameLift. After you create the role, copy the role's Amazon Resource Name (ARN). You use the ARN during fleet creation.

  2. Associate the service role with a Amazon GameLift fleet. During fleet creation, provide the service role ARN to the fleet. Applications that run on any instance in the fleet can then assume the role and acquire the necessary credentials for access. For instructions about how to create a fleet, see Create a Amazon GameLift managed fleet.

  3. Add code to your game server to assume the service role. Any game server running on a Amazon GameLift instance can assume the associated IAM service role. This includes game servers and other executables, such as install scripts and daemons. For more information about adding code to assume a role, see GetFleetRoleCredentials (C++) (C#) (Unreal).

    In the application code, before accessing an AWS resource, the application must first assume the service role. To assume the role, the application must call the AWS Security Token Service (AWS STS) AssumeRole API operation and specify the service role ARN. This operation returns a set of temporary credentials that provide the application with access to the AWS resource. For more information, see Using temporary credentials with AWS resources in the IAM User Guide.

Access AWS resources with VPC peering

You can use Amazon Virtual Private Cloud (Amazon VPC) peering to communicate between applications running on a Amazon GameLift instance and another AWS resource. A VPC is a virtual private network that you define that includes a set of resources managed through your AWS account. Each Amazon GameLift fleet has its own VPC. With VPC peering, you can establish a direct network connection between the VPC for your fleet and for your other AWS resources.

Amazon GameLift streamlines the process of setting up VPC peering connections for your game servers. It handles peering requests, updates route tables, and configures the connections as required. For instructions about how to set up VPC peering for your game servers, see VPC peering for Amazon GameLift.