IAM policy examples for GameLift - Amazon GameLift
Simple policy examples for administratorsSimple policy examples for players
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

IAM policy examples for GameLift

You can use the following examples to create inline policies and add the appropriate permissions to your Amazon Identity and Access Management (IAM) users or user groups.

Simple policy examples for administrators

These IAM policy examples illustrate how to provide full administrative access to a user.

Policy for GameLift resource permissions

The following policy example covers access to all GameLift-related resources (fleets, queues, game sessions, matchmakers, etc.). All users who manage or view these resources need this type of permissions policy.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "gamelift:*",
    "Resource": "*"
  }
}

Policy for GameLift resource permissions with opt-in Amazon Region support

If you choose to use a multi-location fleet with instances in opt-in Regions, you must enable the Region for your account. Also, your GameLift administrator policy must allow the ec2:DescribeRegions action. For more information about opt-in Regions and how to enable them, see Managing Amazon Regions in the Amazon General Reference. The following policy includes support for opt-in Regions.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "ec2:DescribeRegions",
      "gamelift:*"
    ],
    "Resource": "*"
  }
}

Policy for GameLift resource and PassRole permissions

This policy example provides access to GameLift-related resources as above. It also allows the user to pass an IAM service role to GameLift. Not all users need the PassRole permission; this permission is used to give GameLift limited ability to access resources in other services on your behalf. For example, you need this permission when calling CreateBuild with an IAM role that allows GameLift to access your build files in an Amazon Simple Storage Service (Amazon S3) bucket. For more information on PassRole, see IAM: Pass an IAM role to a specific Amazon service in the IAM User Guide.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "gamelift:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "gamelift.amazonaws.com"
        }
      }
    }
  ]
}

Simple policy examples for players

The following IAM policy examples illustrate how to enable game clients and/or game client services with the functionality to get players into game sessions. These examples cover the key scenarios that games might use to start new game sessions and assign players to available player slots.

Policy for game session placements

This policy example is for a game client service that uses game session queues and placements to start new game sessions. Players might be added to a game session either in the initial placement request or by creating new player sessions for an existing game session.

{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "PlayerPermissionsForGameSessionPlacements",
    "Effect": "Allow",
    "Action": [
      "gamelift:StartGameSessionPlacement",
      "gamelift:DescribeGameSessionPlacement",
      "gamelift:StopGameSessionPlacement",
      "gamelift:CreatePlayerSession",
      "gamelift:CreatePlayerSessions",
      "gamelift:DescribeGameSessions"
    ],
    "Resource": "*"
  }
}

Policy for matchmaking

This policy example is for a game client or client service that uses GameLift FlexMatch matchmaking. Players might be matched and placed into a new game session or they might be added to an existing game session through the backfill process. 

{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "PlayerPermissionsForGameSessionMatchmaking",
    "Effect": "Allow",
    "Action": [
      "gamelift:StartMatchmaking",
      "gamelift:DescribeMatchmaking",
      "gamelift:StopMatchmaking",
      "gamelift:AcceptMatch",
      "gamelift:StartMatchBackfill",
      "gamelift:DescribeGameSessions"
    ],
    "Resource": "*"
  }
}

Policy for manual game session placement

This policy example is for a game client or client service that creates new game sessions on specific fleets and might create new player sessions in specific game sessions. This scenario supports a game that uses the "list-and-pick" method to let players choose from list of available game sessions.

{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "PlayerPermissionsForManualGameSessions",
    "Effect": "Allow",
    "Action": [
      "gamelift:CreateGameSession",
      "gamelift:DescribeGameSessions",
      "gamelift:SearchGameSessions",
      "gamelift:CreatePlayerSession",
      "gamelift:CreatePlayerSessions",
      "gamelift:DescribePlayerSessions"
    ],
    "Resource": "*"
  }
}