# Game server build customizations
Game server build customizations offer opportunities to enhance functionality to the game server, including taking advantage of other AWS services. These customizations extend your game server capabilities beyond basic hosting to support advanced features and integrations.
# Connect your Amazon GameLift Servers hosted game server to other AWS resources
When you're creating a game server build for deployment on Amazon GameLift Servers fleets, you might want the applications in your game build to communicate directly and securely with other AWS resources that you own. Because Amazon GameLift Servers manages your game hosting fleets, you must give Amazon GameLift Servers limited access to these resources and services.
Some example scenarios include:
+ Use an Amazon CloudWatch agent to collect metrics, logs, and traces from managed EC2 fleets and Anywhere fleets.
+ Send instance log data to Amazon CloudWatch Logs.
+ Obtain game files stored in an Amazon Simple Storage Service (Amazon S3) bucket.
+ Read and write game data (such as game modes or inventory) stored in an Amazon DynamoDB database or other data storage service.
+ Send signals directly to an instance using Amazon Simple Queue Service (Amazon SQS).
+ Access custom resources that are deployed and running on Amazon Elastic Compute Cloud (Amazon EC2).
Amazon GameLift Servers supports these methods for establishing access:
+ [Access AWS resources with an IAM role](#gamelift-sdk-server-resources-roles)
+ [Access AWS resources with VPC peering](#gamelift-sdk-server-resources-vpc)
## Access AWS resources with an IAM role
Use an IAM role to specify who can access your resources and set limits on that access. Trusted parties can "assume" a role and get temporary security credentials that authorize them to interact with the resources. When the parties make API requests related to the resource, they must include the credentials.
To set up access controlled by an IAM role, do the following tasks:
1. [Create the IAM role](#gamelift-sdk-server-resources-roles-create)
1. [Modify applications to acquire credentials](#gamelift-sdk-server-resources-roles-apps)
1. [Associate a fleet with the IAM role](#gamelift-sdk-server-resources-roles-fleet)
### Create the IAM role
In this step, you create an IAM role, with a set of permissions to control access to your AWS resources and a trust policy that gives Amazon GameLift Servers rights to use the role's permissions.
For instructions on how to set up the IAM role , see [Set up an IAM service role for Amazon GameLift Servers](setting-up-role.md). When creating the permissions policy, choose specific services, resources, and actions that your applications need to work with. As a best practice, limit the scope of the permissions as much as possible.
After you create the role, take note of the role's Amazon Resource Name (ARN). You need the role ARN during fleet creation.
### Modify applications to acquire credentials
In this step, you configure your applications to acquire security credentials for the IAM role and use them when interacting with your AWS resources . See the following table to determine how to modify your applications based on (1) the type of application, and (2) the server SDK version your game uses to communicate with Amazon GameLift Servers.
| | Game server applications | Other applications |
| --- | --- | --- |
| **Using server SDK version 5.x** | Call the server SDK method `GetFleetRoleCredentials()` from your game server code. | Add code to the application to pull credentials from a shared file on the fleet instance. |
| **Using server SDK version 4 or earlier** | Call AWS Security Token Service (AWS STS) `[AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html)` with the role ARN. | Call AWS Security Token Service (AWS STS) `[AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html)` with the role ARN. |
**Note**
For container fleets, `FleetRoleArn` credentials are injected into each container. Your applications can use the default AWS credentials provider to access these credentials. You can still call `GetFleetRoleCredentials()`, which returns the same credentials. These fleet role credentials are only accessible inside containers.
For games integrated with server SDK 5.x, this diagram illustrates how applications in your deployed game build can acquire credentials for the IAM role.
![\[Game executables call GetFleetRoleCredentials(). Other files use locally stored shared credentials.\]](http://docs.aws.amazon.com/gameliftservers/latest/developerguide/images/instance-role-creds_vsd.png)
#### Call `GetFleetRoleCredentials()` (server SDK 5.x)
In your game server code, which should already be integrated with the Amazon GameLift Servers server SDK 5.x, call `GetFleetRoleCredentials` ([C\$1\$1](integration-server-sdk5-cpp-actions.md#integration-server-sdk5-cpp-getfleetrolecredentials)) ([C\$1](integration-server-sdk5-csharp-actions.md#integration-server-sdk5-csharp-getfleetrolecredentials)) ([Unreal](integration-server-sdk5-unreal-actions.md#integration-server-sdk5-unreal-getfleetrolecredentials)) ([Go](integration-server-sdk-go-actions.md#integration-server-sdk-go-getfleetrolecredentials)) to retrieve a set of temporary credentials. When the credentials expire, you can refresh them with another call to `GetFleetRoleCredentials`.
#### Use shared credentials (server SDK 5.x)
For non-server applications that are deployed with game server builds using server SDK 5.x, add code to get and use credentials stored in a shared file. Amazon GameLift Servers generates a credentials profile for each fleet instance. The credentials are available for use by all applications on the instance. Amazon GameLift Servers continually refreshes the temporary credentials.
You must configure a fleet to generate the shared credentials file on fleet creation.
In each application that needs to use the shared credentials file, specify the file location and profile name, as follows:
Windows:
```
[credentials]
shared_credential_profile= "FleetRoleCredentials"
shared_credential_file= "C:\\Credentials\\credentials"
```
Linux:
```
[credentials]
shared_credential_profile= "FleetRoleCredentials"
shared_credential_file= "/local/credentials/credentials"
```
**Example: Set up a CloudWatch agent to collect metrics for Amazon GameLift Servers fleet instances**
If you want to use an Amazon CloudWatch agent to collect metrics, logs, and traces from your Amazon GameLift Servers fleets, use this method to authorize the agent to emit the data to your account. In this scenario, take the following steps:
1. Retrieve or write the CloudWatch agent `config.json` file.
1. Update the `common-config.toml` file for the agent to identify the credentials file name and profile name, as described above.
1. Set up your game server build install script to install and start the CloudWatch agent.
#### Use `AssumeRole()` (server SDK 4)
Add code to your applications to assume the IAM role and get credentials to interact with your AWS resources. Any application that runs on an Amazon GameLift Servers fleet instance with server SDK 4 or earlier can assume the IAM role.
In the application code, before accessing an AWS resource, the application must call the AWS Security Token Service (AWS STS) `[AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html)` API operation and specify the role ARN. This operation returns a set of temporary credentials that authorizes the application to access to the AWS resource. For more information, see [Using temporary credentials with AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) in the *IAM User Guide*.
### Associate a fleet with the IAM role
After you've created the IAM role and updated the applications in your game server build to get and use the access credentials, you can deploy a fleet. When you configure the new fleet, set the following parameters.
For container fleets:
+ [FleetRoleArn](https://docs.aws.amazon.com/gameliftservers/latest/apireference/API_CreateContainerFleet.html#gameliftservers-CreateContainerFleet-request-FleetRoleArn) – Set this parameter to the ARN of the IAM role.
For other fleet types:
+ [ InstanceRoleArn](https://docs.aws.amazon.com/gameliftservers/latest/apireference/API_FleetAttributes.html#gamelift-Type-FleetAttributes-InstanceRoleArn) – Set this parameter to the ARN of the IAM role.
+ [ InstanceRoleCredentialsProvider](https://docs.aws.amazon.com/gameliftservers/latest/apireference/API_FleetAttributes.html#gamelift-Type-FleetAttributes-InstanceRoleCredentialsProvider) – To prompt Amazon GameLift Servers to generate a shared credentials file for each fleet instance, set this parameter to `SHARED_CREDENTIAL_FILE`.
You must set these values when you create the fleet. They can't be updated later.
## Access AWS resources with VPC peering
You can use Amazon Virtual Private Cloud (Amazon VPC) peering to communicate between applications running on a Amazon GameLift Servers instance and another AWS resource. A VPC is a virtual private network that you define that includes a set of resources managed through your AWS account. Each Amazon GameLift Servers fleet has its own VPC. With VPC peering, you can establish a direct network connection between the VPC for your fleet and for your other AWS resources.
Amazon GameLift Servers streamlines the process of setting up VPC peering connections for your game servers. It handles peering requests, updates route tables, and configures the connections as required. For instructions about how to set up VPC peering for your game servers, see [Set up VPC peering for Amazon GameLift Servers](vpc-peering.md).
**Note**
VPC peering is not supported for container fleets.
# Let your game server access Amazon GameLift Servers fleet data
There are some situations where your custom game build or Amazon GameLift Servers Realtime script may require information about the Amazon GameLift Servers fleet. For example, your game build or script might include code to:
+ Monitor activity based on fleet data.
+ Roll up metrics to track activity by fleet data. (Many games use this data for LiveOps activities.)
+ Provide relevant data to custom game services, such as for matchmaking, additional capacity scaling, or testing.
Fleet information is available as a JSON file on each instance in the following locations:
+ Windows: `C:\GameMetadata\gamelift-metadata.json`
+ Linux: `/local/gamemetadata/gamelift-metadata.json`
The `gamelift-metadata.json` file includes the [attributes of an Amazon GameLift Servers fleet resource](https://docs.aws.amazon.com/gamelift/latest/apireference/API_FleetAttributes.html).
Example JSON file:
```
{
"buildArn":"arn:aws:gamelift:us-west-2:123456789012:build/build-1111aaaa-22bb-33cc-44dd-5555eeee66ff",
"buildId":"build-1111aaaa-22bb-33cc-44dd-5555eeee66ff",
"fleetArn":"arn:aws:gamelift:us-west-2:123456789012:fleet/fleet-2222bbbb-33cc-44dd-55ee-6666ffff77aa",
"fleetDescription":"Test fleet for Really Fun Game v0.8",
"fleetId":"fleet-2222bbbb-33cc-44dd-55ee-6666ffff77aa",
"name":"ReallyFunGameTestFleet08",
"fleetType":"ON_DEMAND",
"instanceRoleArn":"arn:aws:iam::123456789012:role/S3AccessForGameLift",
"instanceType":"c5.large",
"serverLaunchPath":"/local/game/reallyfungame.exe"
}
```
# Set up VPC peering for Amazon GameLift Servers
This topic provides guidance on how to set up a VPC peering connection between your Amazon GameLift Servers-hosted game servers and your other non-Amazon GameLift Servers resources. Use Amazon Virtual Private Cloud (VPC) peering connections to enable your game servers to communicate directly and privately with your other AWS resources, such as a web service or a repository. You can establish VPC peering with any resources that run on AWS and are managed by an AWS account that you have access to.
**Note**
VPC peering is an advanced feature. To learn about preferred options for enabling your game servers to communicate directly and privately with your other AWS resources, see [Connect your Amazon GameLift Servers hosted game server to other AWS resources](gamelift-sdk-server-resources.md).
If you're already familiar with Amazon VPCs and VPC peering, understand that setting up peering with Amazon GameLift Servers game servers is somewhat different. You don't have access to the VPC that contains your game servers—it is controlled by the Amazon GameLift Servers service—so you can't directly request VPC peering for it. Instead, you first pre-authorize the VPC with your non-Amazon GameLift Servers resources to accept a peering request from the Amazon GameLift Servers service. Then you trigger Amazon GameLift Servers to request the VPC peering that you just authorized. Amazon GameLift Servers handles the tasks of creating the peering connection, setting up the route tables, and configuring the connection.
## To set up VPC peering for an existing fleet
1.
**Get AWS account ID(s) and credentials.**
You need an ID and sign-in credentials for the following AWS accounts. You can find AWS account IDs by signing into the [AWS Management Console](https://console.aws.amazon.com/) and viewing your account settings. To get credentials, go to the IAM console.
+ AWS account that you use to manage your Amazon GameLift Servers game servers.
+ AWS account that you use to manage your non-Amazon GameLift Servers resources.
If you're using the same account for Amazon GameLift Servers and non-Amazon GameLift Servers resources, you need ID and credentials for that account only.
1.
**Get identifiers for each VPC.**
Get the following information for the two VPCs to be peered:
+ VPC for your Amazon GameLift Servers game servers – This is your Amazon GameLift Servers fleet ID. Your game servers are deployed in Amazon GameLift Servers on a fleet of EC2 instances. A fleet is automatically placed in its own VPC, which is managed by the Amazon GameLift Servers service. You don't have direct access to the VPC, so it is identified by the fleet ID.
+ VPC for your non-Amazon GameLift Servers AWS resources – You can establish a VPC peering with any resources that run on AWS and are managed by an AWS account that you have access to. If you haven't already created a VPC for these resources, see [Getting started with Amazon VPC](https://docs.aws.amazon.com/vpc/latest/userguide/getting-started-ipv4.html). Once you have created a VPC, you can find the VPC ID by signing into the [AWS Management Console](https://console.aws.amazon.com/) for Amazon VPC and viewing your VPCs.
**Note**
When setting up a peering, both VPCs must exist in the same region. The VPC for your Amazon GameLift Servers fleet game servers is in the same region as the fleet.
1.
**Authorize a VPC peering.**
In this step, you are pre-authorizing a future request from Amazon GameLift Servers to peer the VPC with your game servers with your VPC for non-Amazon GameLift Servers resources. This action updates the security group for your VPC.
To authorize the VPC peering, call the service API [ CreateVpcPeeringAuthorization()](https://docs.aws.amazon.com/gamelift/latest/apireference/API_CreateVpcPeeringAuthorization.html) or use the AWS CLI command `create-vpc-peering-authorization`. Make this call using the account that manages your non-Amazon GameLift Servers resources. Identify the following information:
+ Peer VPC ID – This is for the VPC with your non-Amazon GameLift Servers resources.
+ Amazon GameLift Servers AWS account ID – This is the account that you use to manage your Amazon GameLift Servers fleet.
Once you've authorized a VPC peering, the authorization remains valid for 24 hours unless revoked. You can manage your VPC peering authorizations using the following operations:
+ [DescribeVpcPeeringAuthorizations()](https://docs.aws.amazon.com/gamelift/latest/apireference/API_DescribeVpcPeeringAuthorizations.html) (AWS CLI `describe-vpc-peering-authorizations`).
+ [DeleteVpcPeeringAuthorization()](https://docs.aws.amazon.com/gamelift/latest/apireference/API_DeleteVpcPeeringAuthorization.html) (AWS CLI `delete-vpc-peering-authorization`).
1.
**Request a peering connection.**
With a valid authorization, you can request that Amazon GameLift Servers establish a peering connection.
To request a VPC peering, call the service API [CreateVpcPeeringConnection()](https://docs.aws.amazon.com/gamelift/latest/apireference/API_CreateVpcPeeringConnection.html) or use the AWS CLI command `create-vpc-peering-connection`. Make this call using the account that manages your Amazon GameLift Servers game servers. Use the following information to identify the two VPCs that you want to peer:
+ Peer VPC ID and AWS account ID – This is the VPC for your non-Amazon GameLift Servers resources and the account that you use to manage them. The VPC ID must match the ID on a valid peering authorization.
+ Fleet ID – This identifies the VPC for your Amazon GameLift Servers game servers.
1.
**Track the peering connection status.**
Requesting a VPC peering connection is an asynchronous operation. To track the status of a peering request and handle success or failure cases, use one of the following options:
+ Continuously poll with `DescribeVpcPeeringConnections()`. This operation retrieves the VPC peering connection record, including the status of the request. If a peering connection is successfully created, the connection record also contains a CIDR block of private IP addresses that is assigned to the VPC.
+ Handle fleet events associated with VPC peering connections with [DescribeFleetEvents()](https://docs.aws.amazon.com/gamelift/latest/apireference/API_DescribeFleetEvents.html), including success and failure events.
Once the peering connection is established, you can manage it using the following operations:
+ [DescribeVpcPeeringConnections()](https://docs.aws.amazon.com/gamelift/latest/apireference/API_DescribeVpcPeeringConnections.html) (AWS CLI `describe-vpc-peering-connections`).
+ [DeleteVpcPeeringConnection()](https://docs.aws.amazon.com/gamelift/latest/apireference/API_DeleteVpcPeeringConnection.html) (AWS CLI `delete-vpc-peering-connection`).
## To set up VPC peering with a new fleet
You can create a new Amazon GameLift Servers fleet and request a VPC peering connection at the same time.
1.
**Get AWS account ID(s) and credentials.**
You need an ID and sign-in credentials for the following two AWS accounts. You can find AWS account IDs by signing into the [AWS Management Console](https://console.aws.amazon.com/) and viewing your account settings. To get credentials, go to the IAM console.
+ AWS account that you use to manage your Amazon GameLift Servers game servers.
+ AWS account that you use to manage your non-Amazon GameLift Servers resources.
If you're using the same account for Amazon GameLift Servers and non-Amazon GameLift Servers resources, you need ID and credentials for that account only.
1.
**Get the VPC ID for your non-Amazon GameLift Servers AWS resources.**
If you haven't already created a VPC for these resources, do so now (see [Getting started with Amazon VPC](https://docs.aws.amazon.com/vpc/latest/userguide/getting-started-ipv4.html)). Be sure that you create the new VPC in the same region where you plan to create your new fleet. If your non-Amazon GameLift Servers resources are managed under a different AWS account or user/user group than the one you use with Amazon GameLift Servers, you'll need to use these account credentials when requesting authorization in the next step.
Once you have created a VPC, you can locate the VPC ID in Amazon VPC console by viewing your VPCs.
1.
**Authorize a VPC peering with non-Amazon GameLift Servers resources.**
When Amazon GameLift Servers creates the new fleet and a corresponding VPC, it also sends a request to peer with the VPC for your non-Amazon GameLift Servers resources. You need to pre-authorize that request. This step updates the security group for your VPC.
Using the account credentials that manage your non-Amazon GameLift Servers resources, call the service API [ CreateVpcPeeringAuthorization()](https://docs.aws.amazon.com/gamelift/latest/apireference/API_CreateVpcPeeringAuthorization.html) or use the AWS CLI command `create-vpc-peering-authorization`. Identify the following information:
+ Peer VPC ID – ID of the VPC with your non-Amazon GameLift Servers resources.
+ Amazon GameLift Servers AWS account ID – ID of the account that you use to manage your Amazon GameLift Servers fleet.
Once you've authorized a VPC peering, the authorization remains valid for 24 hours unless revoked. You can manage your VPC peering authorizations using the following operations:
+ [DescribeVpcPeeringAuthorizations()](https://docs.aws.amazon.com/gamelift/latest/apireference/API_DescribeVpcPeeringAuthorizations.html) (AWS CLI `describe-vpc-peering-authorizations`).
+ [DeleteVpcPeeringAuthorization()](https://docs.aws.amazon.com/gamelift/latest/apireference/API_DeleteVpcPeeringAuthorization.html) (AWS CLI `delete-vpc-peering-authorization`).
1. Follow the instructions for [creating a new fleet using the AWS CLI](fleets-creating.md). Include the following additional parameters:
+ *peer-vpc-aws-account-id* – ID for the account that you use to manage the VPC with your non-Amazon GameLift Servers resources.
+ *peer-vpc-id* – ID of the VPC with your non-Amazon GameLift Servers account.
A successful call to [create-fleet](https://docs.aws.amazon.com/cli/latest/reference/gamelift/create-fleet.html) with the VPC peering parameters generates both a new fleet and a new VPC peering request. The fleet's status is set to **New** and the fleet activation process is initiated. The peering connection request's status is set to **initiating-request**. You can track the success or failure of the peering request by calling [describe-vpc-peering-connections](https://docs.aws.amazon.com/cli/latest/reference/gamelift/describe-vpc-peering-connections.html).
When requesting both a new fleet and a VPC peering connection, both actions either succeed or fail. If a fleet fails during the creation process, the VPC peering connection will not be established. Likewise, if a VPC peering connection fails for any reason, the new fleet will fail to move from status **Activating** to **Active**.
**Note**
The new VPC peering connection is not completed until the fleet is ready to become active. This means that the connection is not available and can't be used during the game server build installation process.
The following example creates both a new fleet and a peering connection between a pre-established VPC and the VPC for the new fleet. The pre-established VPC is uniquely identified by the combination of your non-Amazon GameLift Servers AWS account ID and the VPC ID.
```
$ AWS gamelift create-fleet
--name "My_Fleet_1"
--description "The sample test fleet"
--ec2-instance-type "c5.large"
--fleet-type "ON_DEMAND"
--build-id "build-1111aaaa-22bb-33cc-44dd-5555eeee66ff"
--runtime-configuration "GameSessionActivationTimeoutSeconds=300,
MaxConcurrentGameSessionActivations=2,
ServerProcesses=[{LaunchPath=C:\game\Bin64.dedicated\MultiplayerSampleProjectLauncher_Server.exe,
Parameters=+sv_port 33435 +start_lobby,
ConcurrentExecutions=10}]"
--new-game-session-protection-policy "FullProtection"
--resource-creation-limit-policy "NewGameSessionsPerCreator=3,
PolicyPeriodInMinutes=15"
--ec2-inbound-permissions "FromPort=33435,ToPort=33435,IpRange=0.0.0.0/0,Protocol=UDP"
"FromPort=33235,ToPort=33235,IpRange=0.0.0.0/0,Protocol=UDP"
--metric-groups "EMEAfleets"
--peer-vpc-aws-account-id "111122223333"
--peer-vpc-id "vpc-a11a11a"
```
*Copyable version:*
```
AWS gamelift create-fleet --name "My_Fleet_1" --description "The sample test fleet" --fleet-type "ON_DEMAND" --metric-groups "EMEAfleets" --build-id "build-1111aaaa-22bb-33cc-44dd-5555eeee66ff" --ec2-instance-type "c5.large" --runtime-configuration "GameSessionActivationTimeoutSeconds=300,MaxConcurrentGameSessionActivations=2,ServerProcesses=[{LaunchPath=C:\game\Bin64.dedicated\MultiplayerSampleProjectLauncher_Server.exe,Parameters=+sv_port 33435 +start_lobby,ConcurrentExecutions=10}]" --new-game-session-protection-policy "FullProtection" --resource-creation-limit-policy "NewGameSessionsPerCreator=3,PolicyPeriodInMinutes=15" --ec2-inbound-permissions "FromPort=33435,ToPort=33435,IpRange=0.0.0.0/0,Protocol=UDP" "FromPort=33235,ToPort=33235,IpRange=0.0.0.0/0,Protocol=UDP" --peer-vpc-aws-account-id "111122223333" --peer-vpc-id "vpc-a11a11a"
```
## Troubleshooting VPC peering issues
If you're having trouble establishing a VPC peering connection for your Amazon GameLift Servers game servers, consider these common root causes:
+ An authorization for the requested connection was not found:
+ Check the status of a VPC authorization for the non-Amazon GameLift Servers VPC. It might not exist or it might have expired.
+ Check the regions of the two VPCs you're trying to peer. If they're not in the same region, they can't be peered.
+ The CIDR blocks (see [ Invalid VPC peering connection configurations](https://docs.aws.amazon.com/vpc/latest/peering/invalid-peering-configurations.html#overlapping-cidr)) of your two VPCs are overlapping. The IPv4 CIDR blocks that are assigned to peered VPCs cannot overlap. The CIDR block of the VPC for your Amazon GameLift Servers fleet is automatically assigned and can't be changed, so you'll need to change the CIDR block for of the VPC for your non-Amazon GameLift Servers resources. To resolve this issue:
+ Look up this CIDR block for your Amazon GameLift Servers fleet by calling `DescribeVpcPeeringConnections()`.
+ Go to the Amazon VPC console, find the VPC for your non-Amazon GameLift Servers resources, and change the CIDR block so that they don't overlap.
+ The new fleet did not activate (when requesting VPC peering with a new fleet). If the new fleet failed to progress to **Active** status, there is no VPC to peer with, so the peering connection cannot succeed.