How to configure CloudWatch Agent for GameLift instance?

Hi. I have a question about how to configure the CloudWatch Agent for a GameLift instance.

The default GameLift metrics don't provide memory/disk usage, so I want to use the CloudWatch Agent for it. But when I try it, it doesn't work and fails with “refresh EC2 Instance Tags failed: UnauthorizedOperation: You are not authorized to perform this operation.”

Here is my attempt:

  1. Create an IAM account for the CloudWatch Agent.
  2. Create an AmazonCloudWatchAgent profile (access key and secret for 1) by calling the aws configure command in install.sh
  3. Install / run CloudWatchAgent in install.sh

After that, CloudWatchAgent is running but sending data fails.

Any ideas?
Thanks.

First a caveat: I have never installed the CloudWatch agent directly on a GameLift hosted EC2 instance so there may be some hidden issues.

Firstly, I would assume you need to use the fleet instance role so you can provide sufficient permissions:

  1. Have set up an instance role with the permissions CloudWatch needs to run the agent: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/create-iam-roles-for-cloudwatch-agent.html

  2. Are assuming this role in your install.sh: https://docs.amazonaws.cn/en_us/gamelift/latest/developerguide/gamelift-sdk-server-resources.html

You should then be in charge of the permissions etc. required to run the agent. There may be other permissions (from the OS) that you may not have during install time.

The alternative is to send the metrics you require yourself directly from your server. Use the AWS SDK and CloudWatch client to send metric data: https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_PutMetricData.html

There is some useful information here: Sending custom logs and metrics to CloudWatch

You could also send ‘metrics’ via Kinesis and use Kinesis Analytics etc.

I’ll ping the GameLift service team to see if they have any further information and to let them know how useful you would find disc/memory metrics from your GameLift instances.

Thanks for the information.

  1. Using an IAM account directly in a GameLift instance does not work well (like mon-put-instance-data.py). Should I use an assumed role and temporary credentials for the GameLift instance?

  2. Assumed temporary credentials have a time limit (maximum 12 hours), but a GameLift instance must run longer than that. In this case, should I manually manage CloudWatchAgent (stop it every 12 hours, re-assume the credentials, change the credentials, restart the service)? Should I make a management application for CloudWatchAgent?

I hope that GameLift provides memory/disk usage like the other default metrics, such as CPU usage.

Solved. I created a dedicated IAM user for the GameLift instance, which has the CloudWatchAgent role. Then I set up its credentials in install.sh and ran CloudWatchAgent. The missing part was setting “shared_credential_profile” explicitly.
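
The fix described in the last post, as an added example that is not part of the original thread: an install.sh fragment that writes the agent's credentials profile with owner-only permissions and names it in the `[credentials]` section of the agent's common-config.toml. The `CWA_*` environment variables, the function names, the `--apply` switch and the paths used with it are assumptions; the profile name follows the first post.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: the CWA_* environment
# variables, both function names, the --apply switch and the paths used with it.
PROFILE="AmazonCloudWatchAgent"   # profile name used in the first post

# write_agent_credentials <credentials-file>
# Writes the IAM user's key pair under [$PROFILE], readable by the owner only.
# Keys come from the environment so they are not literals inside install.sh.
write_agent_credentials() {
    cred_file="$1"
    if [ -z "${CWA_ACCESS_KEY_ID:-}" ] || [ -z "${CWA_SECRET_ACCESS_KEY:-}" ]; then
        echo "CWA_ACCESS_KEY_ID / CWA_SECRET_ACCESS_KEY not set" >&2
        return 1
    fi
    mkdir -p "$(dirname "$cred_file")"
    ( umask 077; cat > "$cred_file" <<EOF
[$PROFILE]
aws_access_key_id = $CWA_ACCESS_KEY_ID
aws_secret_access_key = $CWA_SECRET_ACCESS_KEY
EOF
    )
    chmod 600 "$cred_file"   # also tightens a file that already existed
}

# write_common_config <common-config.toml> <credentials-file>
# Names the profile explicitly (the step the last post found missing).
# Overwrites the file, so merge by hand if it already holds other settings.
write_common_config() {
    conf_file="$1"
    cred_file="$2"
    mkdir -p "$(dirname "$conf_file")"
    cat > "$conf_file" <<EOF
[credentials]
  shared_credential_profile = "$PROFILE"
  shared_credential_file = "$cred_file"
EOF
}

# Run as "install.sh --apply"; restart the agent afterwards so it rereads the file.
if [ "${1:-}" = "--apply" ]; then
    write_agent_credentials /root/.aws/credentials &&
    write_common_config /opt/aws/amazon-cloudwatch-agent/etc/common-config.toml \
        /root/.aws/credentials
fi
```

The credentials file must be readable by the user the agent runs as. Because the same long-lived key lands on every fleet instance, the IAM user should carry only the permissions the agent needs.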