Set up an IAM service role for Amazon GameLift
Some Amazon GameLift features require you to extend limited access to Amazon resources that you own. You can do this by creating an Amazon Identity and Access Management (IAM) service role. A service role is an IAM role that a service assumes to perform actions on your behalf. An IAM administrator can create, modify, and delete a service role from within IAM. For more information, see Creating a role to delegate permissions to an Amazon Web Service in the IAM User Guide.
This topic covers service roles that are used with Amazon GameLift hosted solutions. If you use Amazon GameLift FleetIQ to optimize game hosting on your Amazon Elastic Compute Cloud (Amazon EC2) instances, see Set up your Amazon Web Services account for Amazon GameLift FleetIQ.
In the following procedure, you create a service role and select the Amazon GameLift use case. When you need custom policies, use the permission policy syntax shown at the end of this topic.
To create a role for an Amazon Web Service (IAM console)
1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.
2. In the navigation pane of the IAM console, choose Roles, and then choose Create role.
3. Choose the Amazon Web Service role type.
4. Choose the use case for your service. Use cases are defined by the service to include the trust policy that the service requires.
5. Choose Next.
6. If possible, select the policy to use for the permissions policy. Otherwise, choose Create policy to open a new browser tab and create a new policy from scratch. For more information, see Creating IAM policies in the IAM User Guide.
   After you create the policy, close that tab and return to your original tab. Select the check box next to the permissions policies that you want the service to have.
   Depending on the use case that you selected, the service might let you do any of the following:
   - Nothing, because the service defines the permissions for the role.
   - Choose from a limited set of permissions.
   - Choose from any permissions.
   - Select no policies at this time. However, you can create the policies later, and then attach them to the role.
7. (Optional) Set a permissions boundary. This is an advanced feature that is available for service roles, but not for service-linked roles.
   Expand the Permissions boundary section and choose Use a permissions boundary to control the maximum role permissions. IAM includes a list of the Amazon managed and customer managed policies in your account. Select the policy to use for the permissions boundary or choose Create policy to open a new browser tab and create a new policy from scratch. For more information, see Creating IAM policies in the IAM User Guide. After you create the policy, close that tab and return to your original tab to select the policy to use for the permissions boundary.
8. Choose Next.
9. For Role name, the degree of role name customization is defined by the service. If the service defines the role's name, you can't edit this option. In other cases, the service might define a prefix for the role and you can enter an optional suffix. For some services, you can specify the entire name of your role.
   If possible, enter a role name or role name suffix to help you identify the purpose of this role. Role names must be unique within your Amazon Web Services account, so don't create roles named both PRODROLE and prodrole. When a role name is used in a policy or as part of an ARN, the role name is case sensitive. When a role name appears to customers in the console, such as during the sign-in process, the role name is case insensitive. Because various entities might reference the role, you can't edit the name of the role after it is created.
10. (Optional) For Description, enter a description for the new role.
11. Choose Edit in the Step 1: Select trusted entities or Step 2: Select permissions sections to edit the use cases and permissions for the role.
12. (Optional) Add metadata to the role by attaching tags as key-value pairs. For more information about using tags in IAM, see Tagging IAM resources in the IAM User Guide.
13. Review the role, and then choose Create role.
Permission policy syntax
- Permissions for Amazon GameLift to assume the service role (trust policy):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "gamelift.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

- Permissions to access Amazon Regions that aren't enabled by default (trust policy with the Regional GameLift service principals):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "gamelift.amazonaws.com",
          "gamelift.ap-east-1.amazonaws.com",
          "gamelift.me-south-1.amazonaws.com",
          "gamelift.af-south-1.amazonaws.com",
          "gamelift.eu-south-1.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
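As an added audit helper (not part of the AWS documentation or of any AWS tool), the following Python checks that a trust policy grants sts:AssumeRole only to the GameLift service principals listed above and flags anything wider; the default policy and the deliberately weak policy it runs against are constructed for illustration.

```python
import json

# Service principals granted sts:AssumeRole by the trust policies on this page.
GAMELIFT_PRINCIPALS = {
    "gamelift.amazonaws.com", "gamelift.ap-east-1.amazonaws.com",
    "gamelift.me-south-1.amazonaws.com", "gamelift.af-south-1.amazonaws.com",
    "gamelift.eu-south-1.amazonaws.com",
}

def _as_list(value):
    # IAM accepts either a bare string or a list for Statement, Action and Service
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy_text):
    """Return findings for a trust policy; an empty list means only Amazon GameLift
    service principals can assume the role via sts:AssumeRole."""
    findings = []
    policy = json.loads(policy_text)
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        where = f"Statement[{i}]"
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement never widens who can assume the role
        actions = set(_as_list(stmt.get("Action", [])))
        if actions != {"sts:AssumeRole"}:
            findings.append(f"{where}: expected only sts:AssumeRole, got {sorted(actions)}")
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            # "Principal": "*" (or any bare string) lets any caller assume the role
            findings.append(f"{where}: wildcard or malformed Principal {principal!r}")
            continue
        for kind, members in principal.items():
            if kind != "Service":  # AWS account or Federated principals are not GameLift
                findings.append(f"{where}: unexpected principal type {kind}")
                continue
            for svc in _as_list(members):
                if svc not in GAMELIFT_PRINCIPALS:
                    findings.append(f"{where}: non-GameLift principal {svc}")
    return findings

# Constructed inputs: the page's default trust policy, and a weak one an audit should reject.
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": "gamelift.amazonaws.com"}, "Action": "sts:AssumeRole"}]})
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "*"}, "Action": ["sts:AssumeRole", "sts:TagSession"]}]})

if __name__ == "__main__":
    for name, text in (("default", GOOD_POLICY), ("weak", WEAK_POLICY)):
        print(name, check_trust_policy(text) or "OK")
```

Run the same check against the Regional policy above, or against the output of `aws iam get-role`, before attaching permissions to the role.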