IAM permission examples for Amazon GameLift - Amazon GameLift
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

IAM permission examples for Amazon GameLift

Use the syntax in these examples to set Amazon Identity and Access Management (IAM) permissions for users who need access to Amazon GameLift resources. For more information on managing user permissions, see Manage user permissions for Amazon GameLift. When managing permissions for users outside of the IAM Identity Center, as a best practice always attach permissions to IAM roles or user groups, not to individual users.

If you're using Amazon GameLift FleetIQ as a standalone solution, see Set up your Amazon Web Services account for Amazon GameLift FleetIQ.

Administrator permission examples

These examples give a user full access to manage Amazon GameLift game hosting resources.

Example Syntax for Amazon GameLift resource permissions

The following example extends access to all Amazon GameLift resources.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "gamelift:*",
    "Resource": "*"
  }
}

Example Syntax for Amazon GameLift resource permissions with support for Regions that aren't enabled by default

The following example extends access to all Amazon GameLift resources and Amazon Regions that aren't enabled by default. For more information about Regions that aren't enabled by default and how to enable them, see Managing Amazon Web Services Regions in the Amazon Web Services General Reference.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "ec2:DescribeRegions",
      "gamelift:*"
    ],
    "Resource": "*"
  }
}

Example Syntax for Amazon GameLift resource and PassRole permissions

The following example extends access to all Amazon GameLift resources and allows a user to pass an IAM service role to Amazon GameLift. A service role gives Amazon GameLift limited ability to access other resources and services on your behalf, as described in Set up an IAM service role for Amazon GameLift. For example, when responding to a CreateBuild request, Amazon GameLift needs access to your build files in an Amazon S3 bucket. For more information about the PassRole action, see IAM: Pass an IAM role to a specific Amazon service in the IAM User Guide.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "gamelift:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "gamelift.amazonaws.com"
        }
      }
    }
  ]
}
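
As an added example (not part of the AWS documentation), the following Python sketch audits a policy document for the two points that matter most in the administrator policies above: a `gamelift:*` grant, and an `iam:PassRole` grant that is not restricted by `iam:PassedToService` or that applies to every role through `"Resource": "*"`. The finding names and the `NO_CONDITION` policy are constructed for illustration.

```python
from fnmatch import fnmatchcase

GAMELIFT = "gamelift.amazonaws.com"

def as_list(value):
    """IAM allows a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def passed_to_services(stmt):
    """Collect iam:PassedToService values from StringEquals/StringLike conditions."""
    values = []
    for operator, keys in stmt.get("Condition", {}).items():
        if operator not in ("StringEquals", "StringLike"):
            continue
        for key, val in keys.items():
            if key.lower() == "iam:passedtoservice":
                values += as_list(val)
    return values

def audit_policy(policy):
    """Return (statement index, finding) pairs for Allow statements."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        if any(a in ("*", "gamelift:*") for a in actions):
            findings.append((i, "all-gamelift-actions"))
        # IAM action patterns may use wildcards, e.g. "iam:*" also grants PassRole.
        if any(fnmatchcase("iam:passrole", a) for a in actions):
            if passed_to_services(stmt) != [GAMELIFT]:
                findings.append((i, "passrole-not-limited-to-gamelift"))
            if "*" in as_list(stmt.get("Resource", [])):
                findings.append((i, "passrole-any-role"))
    return findings

# The PassRole policy from this page, written as a Python dict.
PAGE_PASSROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "gamelift:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*",
     "Condition": {"StringEquals": {"iam:PassedToService": GAMELIFT}}}]}
# Constructed variant: iam:* granted with no condition at all.
NO_CONDITION = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["gamelift:*", "iam:*"], "Resource": "*"}}

if __name__ == "__main__":
    for name, policy in (("page", PAGE_PASSROLE), ("constructed", NO_CONDITION)):
        print(name, audit_policy(policy))
```

On the page's PassRole policy the service condition check passes, but the audit still reports `passrole-any-role`; replacing `"Resource": "*"` with the ARN of the Amazon GameLift service role narrows which role can be passed.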

Player user permission examples

These examples allow a backend service or other entity to call the Amazon GameLift API. They cover the common scenarios for managing game sessions, player sessions, and matchmaking. For more details, see Set up programmatic access for your game.

Example Syntax for game session placement permissions

The following example extends access to the Amazon GameLift APIs that use game session placement queues to create game sessions and manage player sessions.

{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "PlayerPermissionsForGameSessionPlacements",
    "Effect": "Allow",
    "Action": [
      "gamelift:StartGameSessionPlacement",
      "gamelift:DescribeGameSessionPlacement",
      "gamelift:StopGameSessionPlacement",
      "gamelift:CreatePlayerSession",
      "gamelift:CreatePlayerSessions",
      "gamelift:DescribeGameSessions"
    ],
    "Resource": "*"
  }
}

Example Syntax for matchmaking permissions

The following example extends access to the Amazon GameLift APIs that manage FlexMatch matchmaking activities. FlexMatch matches players for new or existing game sessions and initiates game session placement for games hosted on Amazon GameLift. For more information about FlexMatch, see What is Amazon GameLift FlexMatch?

{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "PlayerPermissionsForGameSessionMatchmaking",
    "Effect": "Allow",
    "Action": [
      "gamelift:StartMatchmaking",
      "gamelift:DescribeMatchmaking",
      "gamelift:StopMatchmaking",
      "gamelift:AcceptMatch",
      "gamelift:StartMatchBackfill",
      "gamelift:DescribeGameSessions"
    ],
    "Resource": "*"
  }
}

Example Syntax for manual game session placement permissions

The following example extends access to the Amazon GameLift APIs that manually create game sessions and player sessions on specified fleets. This scenario supports games that don't use placement queues, such as games that let players join by choosing from a list of available game sessions (the "list-and-pick" method).

{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "PlayerPermissionsForManualGameSessions",
    "Effect": "Allow",
    "Action": [
      "gamelift:CreateGameSession",
      "gamelift:DescribeGameSessions",
      "gamelift:SearchGameSessions",
      "gamelift:CreatePlayerSession",
      "gamelift:CreatePlayerSessions",
      "gamelift:DescribePlayerSessions"
    ],
    "Resource": "*"
  }
}