Connect to fleet instances - Amazon GameLift Servers

Connect to fleet instances

You can remotely connect to any active Amazon GameLift Servers managed EC2 or managed container fleet instance to troubleshoot game server issues, inspect logs, and debug runtime behavior. Connect using the Amazon GameLift Servers console or the AWS CLI.

Remote access through the console

You can connect to fleet instances directly from the Amazon GameLift Servers console using Amazon EC2 Systems Manager (SSM). This method provides secure access without requiring additional setup or credential management. For container fleets, after connecting to the instance, you can access individual containers running on it. For more information, see Connect to containers.

  1. In the Amazon GameLift Servers console, choose Managed EC2 or Managed containers from the navigation pane, and then Fleets.

  2. Choose the fleet ID that contains the instance you want to access.

  3. On the fleet details page, choose the Instances tab to view all compute instances for the fleet.

  4. Select the instance you want to connect to, then choose Connect. This opens the Connect to instance dialog, which shows the details of the connection and lets you view the script that will be used to connect to your instance. Confirm by choosing Connect again.

  5. In the connection dialog, choose Run to create a new SSM session. The system authenticates your session through AWS Key Management Service (AWS KMS) and opens a terminal in your browser.

Note

Console-based remote access is available for fleets running server SDK version 5.x. For fleets running earlier SDK versions, use the AWS CLI method described in the following section.

Remote access with the AWS CLI

The following instructions describe how to remotely connect to an instance using the AWS command line interface (CLI). You can also make programmatic calls using the AWS SDK, as documented in the service API reference for Amazon GameLift Servers.

Gather instance data

To connect to an Amazon GameLift Servers managed EC2 fleet instance, you need the following information:

  • The ID of the instance you want to connect to. You can use either the instance ID or ARN.

  • The version of the server SDK for Amazon GameLift Servers that is being used on the instance. The server SDK is integrated with the game build that is running on the instance.

The following instructions describe how to complete these tasks using the AWS CLI. You must know the fleet ID for the instance you want to connect to.

  1. Get the compute name. Get a list of all active computes in the fleet. Call list-compute with a fleet ID or ARN. For a single-location fleet, specify the fleet identifier only. For a multi-location fleet, specify the fleet identifier and a location. With managed EC2 fleets, list-compute returns a list of fleet instances, and the property ComputeName is the instance ID. Find the compute you want to access.

    Request

    aws gamelift list-compute \
        --fleet-id fleet-2222bbbb-33cc-44dd-55ee-6666ffff77aa \
        --location sa-east-1

    Response

    {
        "ComputeList": [
            {
                "FleetId": "fleet-2222bbbb-33cc-44dd-55ee-6666ffff77aa",
                "FleetArn": "arn:aws:gamelift:us-west-2::fleet/fleet-2222bbbb-33cc-44dd-55ee-6666ffff77aa",
                "ComputeName": "i-0abc12d3e45fa6b78",
                "IpAddress": "00.00.000.00",
                "DnsName": "b08444ki909kvqu6zpw3is24x5pyz4b6m05i3jbxvpk9craztu0lqrbbrbnbkks.uwp57060n1k6dnlnw49b78hg1rw4rcz7.us-west-2.amazongamelift.com",
                "ComputeStatus": "Active",
                "Location": "sa-east-1",
                "CreationTime": "2023-07-09T22:51:45.931000-07:00",
                "OperatingSystem": "AMAZON_LINUX_2023",
                "Type": "c4.large"
            }
        ]
    }

  2. Find the server SDK version. For this information you need to look up the build that is deployed to the fleet. Server SDK version is a build property.

    1. Call describe-fleet-attributes with a fleet ID or ARN to get the fleet's build ID and ARN.

    2. Call describe-build with the build ID or ARN to get the build's server SDK version.

      For example:

      Request

      aws gamelift describe-fleet-attributes \
          --fleet-ids fleet-2222bbbb-33cc-44dd-55ee-6666ffff77aa

      Response

      {
          "FleetAttributes": [
              {
                  "FleetId": "fleet-2222bbbb-33cc-44dd-55ee-6666ffff77aa",
                  "ComputeType": "EC2",
                  "BuildId": "build-3333cccc-44dd-55ee-66ff-00001111aa22",
                  . . .
              }
          ]
      }

      Request

      aws gamelift describe-build \
          --build-id build-3333cccc-44dd-55ee-66ff-00001111aa22

      Response

      "Build": {
          "BuildId": "build-1111aaaa-22bb-33cc-44dd-5555eeee66ff",
          "Name": "My_Game_Server_Build_One",
          "OperatingSystem": "AMAZON_LINUX_2023",
          "ServerSdkVersion": "5.1.1",
          . . .
      }

Connect to an instance (server SDK 5)

If the instance you want to connect to is running a game build with server SDK version 5.x, connect to the instance using Amazon EC2 Systems Manager (SSM). You can access remote instances that are running either Windows or Linux. For container fleets, after connecting to the instance, you can access individual containers running on it. For more information, see Connect to containers.

Before you start:

Complete the SSM setup steps and install the SSM plugin on your local machine. For more information, see Setting up SSM and Install the Session Manager plugin for the AWS CLI in the Amazon EC2 Systems Manager User Guide.

  1. Request access credentials for the instance. Call get-compute-access with the fleet ID and the compute name for the instance you want to connect to. Amazon GameLift Servers returns a set of temporary credentials for accessing the instance. For example:

    Request

    aws gamelift get-compute-access \
        --compute-name i-11111111a222b333c \
        --fleet-id fleet-2222bbbb-33cc-44dd-55ee-6666ffff77aa \
        --region us-west-2

    Response

    {
        "ComputeName": "i-11111111a222b333c",
        "Credentials": {
            "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
            "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
            "SessionToken": "AQoDYXdzEJr...<remainder of session token>"
        },
        "FleetArn": "arn:aws:gamelift:us-west-2::fleet/fleet-2222bbbb-33cc-44dd-55ee-6666ffff77aa",
        "FleetId": "fleet-2222bbbb-33cc-44dd-55ee-6666ffff77aa"
    }

  2. Export the access credentials (optional). You can export the credentials to environment variables and use them to configure the AWS CLI for the default user. For more details, see Environment variables to configure the AWS CLI in the AWS Command Line Interface User Guide.

    export AWS_ACCESS_KEY_ID=ASIAIOSFODNN7EXAMPLE
    export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    export AWS_SESSION_TOKEN=AQoDYXdzEJr...<remainder of session token>

  3. Connect to the fleet instance. Start an SSM session with the instance you want to connect to. Include the AWS Region or location of the instance. For more information, including how to set up SSM and the SSM plugin, see Starting a session (AWS CLI) in the Amazon EC2 Systems Manager User Guide.

    The start-session request will automatically use the credentials that you acquired in Step 1.

    aws ssm start-session \
        --target i-11111111a222b333c \
        --region us-west-2

    Note

    If you get an access denied error, you might have an AWS_PROFILE environment variable set to an AWS profile, which causes AWS CLI to use the wrong credentials for remote access. To resolve, temporarily unset your AWS_PROFILE environment variable. Alternatively, you can create a custom AWS profile for your remote access credentials and add the --profile command line parameter to your start-session request.
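Added example (not part of the AWS documentation): a Python wrapper that passes the temporary credentials from get-compute-access to a single aws ssm start-session child process instead of exporting them into the shell, and drops AWS_PROFILE so the CLI does not pick up the wrong credentials. The function names and the constructed sample response are assumptions of this example.

```python
import json
import subprocess

# Constructed sample shaped like the get-compute-access response shown above.
SAMPLE_RESPONSE = json.dumps({
    "ComputeName": "i-11111111a222b333c",
    "Credentials": {
        "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "SessionToken": "CONSTRUCTED-SESSION-TOKEN",
    },
    "FleetId": "fleet-2222bbbb-33cc-44dd-55ee-6666ffff77aa",
})

REQUIRED = ("AccessKeyId", "SecretAccessKey", "SessionToken")


def session_env(response_json, base_env):
    """Return (compute_name, env) for one child process; base_env is not modified."""
    response = json.loads(response_json)
    creds = response.get("Credentials") or {}
    missing = [key for key in REQUIRED if not creds.get(key)]
    if missing:
        raise ValueError(f"response lacks credential fields: {missing}")
    env = dict(base_env)
    # A profile set in the caller's environment makes the CLI use the wrong
    # credentials (the access denied case in the note above), so remove it.
    env.pop("AWS_PROFILE", None)
    env["AWS_ACCESS_KEY_ID"] = creds["AccessKeyId"]
    env["AWS_SECRET_ACCESS_KEY"] = creds["SecretAccessKey"]
    env["AWS_SESSION_TOKEN"] = creds["SessionToken"]
    return response["ComputeName"], env


def start_session_argv(compute_name, region):
    """Build the start-session command as an argument list (no shell parsing)."""
    return ["aws", "ssm", "start-session",
            "--target", compute_name, "--region", region]


def connect(response_json, region, base_env):
    """Run the SSM session; the credentials exist only in the child's environment."""
    target, env = session_env(response_json, base_env)
    return subprocess.call(start_session_argv(target, region), env=env)
```

Pass the raw output of get-compute-access and a copy of os.environ to connect(); when the session ends, nothing is left exported in the calling shell.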

Connect to an instance (server SDK 4.x or earlier)

If the instance you want to connect to is running a game build with server SDK version 4 or earlier, use the following instructions. You can connect to instances that are running either Windows or Linux. Connect to a Windows instance using a remote desktop protocol (RDP) client. Connect to a Linux instance using an SSH client.

  1. Request access credentials for the instance. When you have an instance ID, use the command get-instance-access to request access credentials. If successful, Amazon GameLift Servers returns the instance's operating system, IP address, and a set of credentials (user name and secret key). The credentials format depends on the instance operating system. Use the following instructions to retrieve credentials for either RDP or SSH.

    • For Windows instances – To connect to a Windows instance, RDP requires a user name and password. The get-instance-access request returns these values as simple strings, so you can use the returned values as is. Example credentials:

      "Credentials": {
          "Secret": "aA1bBB2cCCd3EEE",
          "UserName": "gl-user-remote"
      }

    • For Linux instances – To connect to a Linux instance, SSH requires a user name and private key. Amazon GameLift Servers issues RSA private keys and returns them as a single string, with the newline character (\n) indicating line breaks. To make the private key usable, take these steps: (1) convert the string to a .pem file, and (2) set permissions for the new file. Example credentials returned:

      "Credentials": { "Secret": "-----BEGIN RSA PRIVATE KEY-----nEXAMPLEKEYKCAQEAy7WZhaDsrA1W3mRlQtvhwyORRX8gnxgDAfRt/gx42kWXsT4rXE/b5CpSgie/\nvBoU7jLxx92pNHoFnByP+Dc21eyyz6CvjTmWA0JwfWiW5/akH7iO5dSrvC7dQkW2duV5QuUdE0QW\nZ/aNxMniGQE6XAgfwlnXVBwrerrQo+ZWQeqiUwwMkuEbLeJFLhMCvYURpUMSC1oehm449ilx9X1F\nG50TCFeOzfl8dqqCP6GzbPaIjiU19xX/azOR9V+tpUOzEL+wmXnZt3/nHPQ5xvD2OJH67km6SuPW\noPzev/D8V+x4+bHthfSjR9Y7DvQFjfBVwHXigBdtZcU2/wei8D/HYwIDAQABAoIBAGZ1kaEvnrqu\n/uler7vgIn5m7lN5LKw4hJLAIW6tUT/fzvtcHK0SkbQCQXuriHmQ2MQyJX/0kn2NfjLV/ufGxbL1\nmb5qwMGUnEpJaZD6QSSs3kICLwWUYUiGfc0uiSbmJoap/GTLU0W5Mfcv36PaBUNy5p53V6G7hXb2\nbahyWyJNfjLe4M86yd2YK3V2CmK+X/BOsShnJ36+hjrXPPWmV3N9zEmCdJjA+K15DYmhm/tJWSD9\n81oGk9TopEp7CkIfatEATyyZiVqoRq6k64iuM9JkA3OzdXzMQexXVJ1TLZVEH0E7bhlY9d8O1ozR\noQs/FiZNAx2iijCWyv0lpjE73+kCgYEA9mZtyhkHkFDpwrSM1APaL8oNAbbjwEy7Z5Mqfql+lIp1\nYkriL0DbLXlvRAH+yHPRit2hHOjtUNZh4Axv+cpg09qbUI3+43eEy24B7G/Uh+GTfbjsXsOxQx/x\np9otyVwc7hsQ5TA5PZb+mvkJ5OBEKzet9XcKwONBYELGhnEPe7cCgYEA06Vgov6YHleHui9kHuws\nayav0elc5zkxjF9nfHFJRry21R1trw2Vdpn+9g481URrpzWVOEihvm+xTtmaZlSp//lkq75XDwnU\nWA8gkn6O3QE3fq2yN98BURsAKdJfJ5RL1HvGQvTe10HLYYXpJnEkHv+Unl2ajLivWUt5pbBrKbUC\ngYBjbO+OZk0sCcpZ29sbzjYjpIddErySIyRX5gV2uNQwAjLdp9PfN295yQ+BxMBXiIycWVQiw0bH\noMo7yykABY7Ozd5wQewBQ4AdSlWSX4nGDtsiFxWiI5sKuAAeOCbTosy1s8w8fxoJ5Tz1sdoxNeGs\nArq6Wv/G16zQuAE9zK9vvwKBgF+09VI/1wJBirsDGz9whVWfFPrTkJNvJZzYt69qezxlsjgFKshy\nWBhd4xHZtmCqpBPlAymEjr/TOlbxyARmXMnIOWIAnNXMGB4KGSyl1mzSVAoQ+fqR+cJ3d0dyPl1j\njjb0Ed/NY8frlNDxAVHE8BSkdsx2f6ELEyBKJSRr9snRAoGAMrTwYneXzvTskF/S5Fyu0iOegLDa\nNWUH38v/nDCgEpIXD5Hn3qAEcju1IjmbwlvtW+nY2jVhv7UGd8MjwUTNGItdb6nsYqM2asrnF3qS\nVRkAKKKYeGjkpUfVTrW0YFjXkfcrR/V+QFL5OndHAKJXjW7a4ejJLncTzmZSpYzwApc=\n-----END RSA PRIVATE KEY-----", "UserName": "gl-user-remote" }

      When using the AWS CLI, you can automatically generate a .pem file by including the --query and --output parameters to your get-instance-access request.

      To set permissions on the .pem file, run the following command:

      $ chmod 400 MyPrivateKey.pem
  2. Open a port for the remote connection. You can access instances in Amazon GameLift Servers fleets through any port authorized in the fleet configuration. You can view a fleet's port settings using the command describe-fleet-port-settings.

    As a best practice, we recommend opening ports for remote access only when you need them and closing them when you're finished. You can't update port settings after creating a fleet but before it's active. If you get stuck, re-create the fleet with the port settings open.

    Use the command update-fleet-port-settings to add a port setting for the remote connection (such as 22 for SSH or 3389 for RDP). For the IP range value, specify the IP addresses for the devices you plan to use to connect (converted to CIDR format). Example:

    $ aws gamelift update-fleet-port-settings --fleet-id "fleet-2222bbbb-33cc-44dd-55ee-6666ffff77aa" --inbound-permission-authorizations "FromPort=22,ToPort=22,IpRange=54.186.139.221/32,Protocol=TCP"

    The following example opens port 3389 on a Windows fleet:

    $ aws gamelift update-fleet-port-settings --fleet-id "fleet-2222bbbb-33cc-44dd-55ee-6666ffff77aa" --inbound-permission-authorizations "FromPort=3389,ToPort=3389,IpRange=54.186.139.221/32,Protocol=TCP"

  3. Open a remote connection client. Use Remote Desktop for Windows or SSH for Linux instances. Connect to the instance using the IP address, port setting, and access credentials.

    SSH example:

    ssh -i MyPrivateKey.pem gl-user-remote@192.0.2.0
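Added example (not part of the AWS documentation) covering steps 1 and 2 of the procedure above: it writes the returned Secret to a .pem file that is owner-read-only from the moment it is created, and builds the update-fleet-port-settings command that opens the port together with the matching command that closes it, rejecting source ranges wider than a single address. The function names, the max_addresses limit and the placeholder key body are assumptions; --inbound-permission-revocations is the CLI's counterpart to the authorization parameter shown above.

```python
import ipaddress
import os

FLEET_ID = "fleet-2222bbbb-33cc-44dd-55ee-6666ffff77aa"  # sample fleet ID from this page
BEGIN, END = "-----BEGIN RSA PRIVATE KEY-----", "-----END RSA PRIVATE KEY-----"

# Constructed Credentials object; the key body is a placeholder, not a real key.
SAMPLE_CREDENTIALS = {
    "Secret": BEGIN + "\nQ09OU1RSVUNURUQtUExBQ0VIT0xERVI=\n" + END,
    "UserName": "gl-user-remote",
}


def write_private_key(credentials, path):
    """Write Credentials.Secret to a .pem file that is owner-read-only from creation."""
    # Accept a JSON-decoded Secret (real newlines) or one pasted with literal \n.
    pem = credentials["Secret"].replace("\\n", "\n").strip()
    lines = pem.splitlines()
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("Secret is not a PEM-framed RSA private key")
    # O_EXCL refuses to overwrite or follow an existing path; 0o400 equals
    # chmod 400, so the key is never on disk with wider permissions.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "w") as handle:
        handle.write(pem + "\n")
    return path


def port_commands(source_cidr, port, max_addresses=1):
    """Return (open_argv, close_argv) so every authorization has its revocation."""
    network = ipaddress.ip_network(source_cidr, strict=True)
    if network.num_addresses > max_addresses:
        raise ValueError(f"{source_cidr} admits {network.num_addresses} addresses")
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    rule = f"FromPort={port},ToPort={port},IpRange={network},Protocol=TCP"
    base = ["aws", "gamelift", "update-fleet-port-settings", "--fleet-id", FLEET_ID]
    return (base + ["--inbound-permission-authorizations", rule],
            base + ["--inbound-permission-revocations", rule])
```

Run the first returned command before connecting and the second when you are finished, so the remote-access port stays open only for the duration of the session.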

View files on remote instances

Once connected to a fleet instance, you have full user and administrative access. This means you also have the ability to cause errors or failures with game hosting. If the instance is hosting games with active players, you might run the risk of crashing game sessions and dropping players, or disrupting game shutdown processes which could cause errors in saved game data and logs.

For container fleets, after accessing the container (see Connect to containers), the following file locations apply within the container filesystem. For EC2 fleets, these file locations apply directly on the instance.

Look for these resources on a hosting instance:

  • Game build files. These files are the game build that you uploaded to Amazon GameLift Servers. They include one or more game server executables, assets, and dependencies. Game build files are in a root directory called game:

    • On Windows: c:\game

    • On Linux: /local/game

  • Game log files. Find the log files that your game server generates in the game root directory at whatever directory path you designated.

  • Amazon GameLift Servers hosting resources. The root directory Whitewater contains files used by the Amazon GameLift Servers service to manage game hosting activity. Don't modify these files for any reason.

  • Runtime configuration. Don't access runtime configuration for individual instances. To make changes to a runtime configuration property, update the fleet's runtime configuration (see the AWS SDK operation UpdateRuntimeConfiguration or the AWS CLI update-runtime-configuration).

  • Fleet data. A JSON file contains information about the fleet that the instance belongs to, for use by server processes running on the instance. The JSON file is in the following location:

    • On Windows: C:\GameMetadata\gamelift-metadata.json

    • On Linux: /local/gamemetadata/gamelift-metadata.json

  • TLS certificates. If the instance is on a fleet that has TLS certificate generation enabled, look for certificate files, including the certificate, certificate chain, private key, and root certificate in the following location:

    • On Windows: c:\GameMetadata\Certificates

    • On Linux: /local/gamemetadata/certificates/