Target Audience
This page is primarily intended for users on Pre-Launch or Production plans. If you are on a Private Cloud plan, please visit the Introduction to Metaplay Cloud Infrastructure section for more details.
Although Metaplay Cloud is a fully managed cloud platform, in rare cases, you might still want to have direct control over certain cloud resources (like the AWS Secrets Manager, for example). Metaplay provides you with limited access to a selection of cloud resources by offering tailored credentials.
To access the Kubernetes cluster directly, you need a kubeconfig.yaml file. You can generate the file with:
export KUBECONFIG=/path/to/my-kubeconfig
metaplay-auth get-kubeconfig metaplay-idler-develop --output $KUBECONFIG
With a valid kubeconfig.yaml, you can access Kubernetes resources associated with your environment directly:
Kubernetes Namespace
The namespace is resolved automatically from the tailored kubeconfig.yaml, so you don't need to specify a namespace in kubectl commands.
# List the server pods
kubectl get pods -l app=metaplay-server
# Get logs for a pod (-f to follow)
kubectl logs <pod-name> -f
# List Helm deployments, i.e., the game server and possibly load tests
helm ls
As a game server administrator, you may sometimes need to access various underlying AWS resources that the game server relies on. These can include things like the S3 object storage bucket to manage files that the game server might be interacting with, the CloudFront content delivery network distribution when you want to invalidate certain cached objects, and so on.
To get the AWS credentials to access the resources directly:
metaplay-auth get-aws-credentials metaplay-idler-develop
The aws tool allows you to define profiles. The profile configuration is flexible and allows the credentials to be obtained from an external process; in this case that process is metaplay-auth, which produces ephemeral AWS credentials in a format that aws accepts.
In the aws config file (typically ~/.aws/config), here's how we could define a profile for the game server idler-develop, following the prior example:
[profile idler-develop-admin]
# Keep only one credential_process line, the one for your operating system.
# For Posix (Mac, Linux, etc)
credential_process = metaplay-auth get-aws-credentials metaplay-idler-develop --format json
# For Windows
credential_process = cmd /C metaplay-auth get-aws-credentials metaplay-idler-develop --format json
After this, we can ensure that we are logged in with metaplay-auth login and just use the regular methods for setting a profile for the aws tool (for example, --profile switches or the AWS_PROFILE environment variable):
$ metaplay-auth login
$ aws sts get-caller-identity --profile idler-develop-admin
{
"UserId": "AXXXXXXXXXXXXXXXXXXXX:stackapi",
"Account": "000000000000",
"Arn": "arn:aws:sts::000000000000:assumed-role/metaplay-p1-idler-develop-gameserver-admin/stackapi"
}
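The profile above works because the AWS CLI's credential_process contract is simple: the command must print a JSON object with Version 1, the key pair, and (for ephemeral credentials) a session token and an ISO-8601 expiration. The following is an added example, not part of the Metaplay documentation or tooling: it renders the profile stanza for an environment and validates a credential_process output the way the CLI would, reporting why an output is unusable. The sample output is constructed and contains no real credentials; the shape of metaplay-auth's --format json output is assumed to match the contract.

```python
import json
from datetime import datetime, timezone

# Keys the AWS CLI requires in credential_process output. Version must be 1;
# SessionToken and Expiration are optional in the contract, but ephemeral
# STS credentials (the kind metaplay-auth issues) carry both.
REQUIRED_KEYS = ("AccessKeyId", "SecretAccessKey")


def aws_profile_block(profile, environment, windows=False):
    """Render the ~/.aws/config stanza that delegates credential retrieval to metaplay-auth."""
    cmd = f"metaplay-auth get-aws-credentials {environment} --format json"
    if windows:
        cmd = f"cmd /C {cmd}"  # on Windows the CLI needs a shell to launch the process
    return f"[profile {profile}]\ncredential_process = {cmd}\n"


def validate_credential_process_output(raw, now=None):
    """Check text printed by a credential_process command against the AWS CLI contract.

    Returns (ok, reason). The CLI itself only fails at the first API call; this
    says *why* the output is unusable, which helps when wrapping the command.
    """
    now = now or datetime.now(timezone.utc)
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return False, f"not JSON: {exc}"
    if not isinstance(doc, dict):
        return False, "top-level value is not an object"
    if doc.get("Version") != 1:
        return False, f"unsupported Version: {doc.get('Version')!r}"
    missing = [k for k in REQUIRED_KEYS if not doc.get(k)]
    if missing:
        return False, f"missing keys: {', '.join(missing)}"
    expiration = doc.get("Expiration")
    if expiration is None:
        # Allowed by the contract, but the CLI then treats the credentials as
        # long-lived and never refreshes them; flag it so an operator notices.
        return True, "ok (no Expiration: credentials will not be refreshed)"
    try:
        expires_at = datetime.fromisoformat(expiration.replace("Z", "+00:00"))
    except ValueError:
        return False, f"Expiration is not ISO-8601: {expiration!r}"
    if expires_at.tzinfo is None:
        return False, "Expiration has no timezone"
    if expires_at <= now:
        return False, f"credentials expired at {expiration}"
    return True, "ok"


# Constructed sample (not real credentials) in the shape the contract expects.
SAMPLE_OUTPUT = json.dumps({
    "Version": 1,
    "AccessKeyId": "ASIAEXAMPLEKEYID",
    "SecretAccessKey": "EXAMPLE-SECRET-KEY",
    "SessionToken": "EXAMPLE-SESSION-TOKEN",
    "Expiration": "2030-01-01T00:00:00Z",
})

if __name__ == "__main__":
    print(aws_profile_block("idler-develop-admin", "metaplay-idler-develop"))
    print(validate_credential_process_output(SAMPLE_OUTPUT))
```

Pipe the real command's output into validate_credential_process_output when a profile mysteriously stops working: an expired or timezone-less Expiration, or a missing SessionToken on assumed-role credentials, is the usual cause, and the CLI's own error message rarely says so.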
Storing secrets outside of game server container images is advisable from a security perspective. All game servers support storing secrets in the AWS Secrets Manager, which the game server can access at runtime.
Game servers and game server administrators can create AWS Secrets Manager secrets by using the AWS credentials obtained via metaplay-auth. An example of how to create, update, and delete AWS Secrets Manager secrets can be found below.
INFO
The path of an AWS Secrets Manager secret is in the format metaplay/p1/deployments/<Environment ID>/*. For example, for an Environment whose environment ID is idler-develop, the path of the AWS Secrets Manager secret should be metaplay/p1/deployments/idler-develop/. You can find the environment ID under the Environment Details page in the Metaplay Portal.
# We assume that you have set AWS credentials and a profile, as described above.
# And your Environment has been created before September 10, 2024.
metaplay-auth get-aws-credentials metaplay-idler-develop
# Create a secret in the eu-west-1 region
aws secretsmanager create-secret \
--profile idler-develop-admin \
--region eu-west-1 \
--name metaplay/p1/deployments/idler-develop/my-secret \
--secret-string '{"my-secret": "my-value"}'
# Update a secret's value
aws secretsmanager update-secret \
--profile idler-develop-admin \
--region eu-west-1 \
--secret-id metaplay/p1/deployments/idler-develop/my-secret \
--secret-string 'THESECRETKEY'
# Delete a secret. --force-delete-without-recovery destroys the secret immediately;
# without it, the secret is deleted after a grace period, during which you cannot
# reuse the secret name.
aws secretsmanager delete-secret \
--profile idler-develop-admin \
--region eu-west-1 \
--secret-id metaplay/p1/deployments/idler-develop/my-secret \
--force-delete-without-recovery
For more details on AWS Secrets Manager commands, please refer to the AWS CLI's Secrets Manager documentation.
The AWS Secrets Manager supports storing secrets in many formats, the most common being plain text and JSON.
After creating the secret, you can refer to it in the game server runtime options using the aws-sm:// prefix. For example, BigQuery credentials can be loaded from a secret in the following way in the runtime options:
AnalyticsSinkBigQuery:
# file path to the credentials, or aws-sm:// url for credential from AWS Secrets
# Manager
BigQueryCredentialsJsonPath: aws-sm://eu-west-1#metaplay/p1/deployments/idler-develop/my-secret
Alternatively, you can also use the SecretUtil.ResolveSecretAsync API to resolve secrets.
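An aws-sm:// reference packs two things into one string: the region before the # and the secret name after it, and the INFO box above says that name must live under the environment's own metaplay/p1/deployments/<Environment ID>/ path. The following is an added example, not code from Metaplay or from SecretUtil.ResolveSecretAsync: it parses such references, rejects ones that point outside the environment's path (a useful lint for runtime-option files), and resolves the value through a pluggable fetch function so it can be exercised offline. boto3_fetch, the in-memory FAKE_STORE and the profile name it assumes are hypothetical; the boto3 calls themselves are the library's real Session and get_secret_value API.

```python
import json
import re

SECRET_PREFIX = "metaplay/p1/deployments/"
# Loose AWS region shape (eu-west-1, ap-southeast-2, us-gov-west-1, ...).
_REGION_RE = re.compile(r"[a-z]{2}(-[a-z]+)+-\d+")


def parse_secret_ref(ref):
    """Split an aws-sm://<region>#<secret-name> reference into (region, secret_name)."""
    scheme = "aws-sm://"
    if not ref.startswith(scheme):
        raise ValueError(f"not an {scheme} reference: {ref!r}")
    region, sep, name = ref[len(scheme):].partition("#")
    if not sep or not region or not name:
        raise ValueError("expected aws-sm://<region>#<secret-name>")
    if not _REGION_RE.fullmatch(region):
        raise ValueError(f"malformed AWS region: {region!r}")
    return region, name


def secret_in_environment(name, environment_id):
    """True if the secret name sits under this environment's own path."""
    expected = f"{SECRET_PREFIX}{environment_id}/"
    return name.startswith(expected) and len(name) > len(expected)


def check_ref(ref, environment_id):
    """Validate a reference without fetching; (ok, message) for linting runtime options."""
    try:
        region, name = parse_secret_ref(ref)
    except ValueError as exc:
        return False, str(exc)
    if not secret_in_environment(name, environment_id):
        return False, f"{name} is outside {SECRET_PREFIX}{environment_id}/"
    return True, f"{name} in {region}"


def resolve_secret(ref, environment_id, fetch):
    """Parse, scope-check, then fetch. `fetch(region, name)` performs the API call."""
    region, name = parse_secret_ref(ref)
    if not secret_in_environment(name, environment_id):
        raise PermissionError(f"{name!r} is outside the {environment_id} secret path")
    return fetch(region, name)


def boto3_fetch(region, name, profile="idler-develop-admin"):
    """Real fetch via boto3 using the aws profile from the config example (hypothetical helper)."""
    import boto3  # imported lazily so the rest of the module runs without boto3 installed
    session = boto3.Session(profile_name=profile, region_name=region)
    return session.client("secretsmanager").get_secret_value(SecretId=name)["SecretString"]


# Constructed stand-in for Secrets Manager, keyed by (region, name); not real data.
FAKE_STORE = {
    ("eu-west-1", "metaplay/p1/deployments/idler-develop/my-secret"): '{"my-secret": "my-value"}',
}


def fake_fetch(region, name):
    """Offline substitute for boto3_fetch; fails like the service does for unknown secrets."""
    try:
        return FAKE_STORE[(region, name)]
    except KeyError:
        raise LookupError(f"ResourceNotFound: {region} {name}")


def load_bigquery_credentials(ref, environment_id="idler-develop", fetch=fake_fetch):
    """Mirror the runtime-option use: resolve the aws-sm:// value and parse it as JSON."""
    return json.loads(resolve_secret(ref, environment_id, fetch))


if __name__ == "__main__":
    ref = "aws-sm://eu-west-1#metaplay/p1/deployments/idler-develop/my-secret"
    print(check_ref(ref, "idler-develop"))
    print(load_bigquery_credentials(ref))
```

Swap fake_fetch for boto3_fetch to read a real secret with the idler-develop-admin profile. The scope check is deliberately stricter than what the API enforces: the tailored credentials already limit what you can read, but catching a reference to another environment's path at config time is cheaper than discovering an AccessDenied in the server log.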