Manage user permissions for Amazon GameLift FleetIQ
Create additional users or extend Amazon GameLift FleetIQ access permissions to existing users as needed. Users who work with Amazon GameLift FleetIQ game server groups and the related Amazon EC2 and Auto Scaling services must have permissions to access these services.
As a best practice ( Security best practices in IAM), apply least-privilege permissions for all users. You can set permissions for individual users or user groups and limit user access by service, action, or resource.
Use following instructions to set user permissions based on how you manage the users in your Amazon account. If you use IAM users, as a best practice always attach permissions to roles or user groups, not individual users.
To provide access, add permissions to your users, groups, or roles:
-
Users managed in IAM through an identity provider:
Create a role for identity federation. Follow the instructions in Creating a role for a third-party identity provider (federation) in the IAM User Guide.
-
IAM users:
-
Create a role that your user can assume. Follow the instructions in Creating a role for an IAM user in the IAM User Guide.
-
(Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in Adding permissions to a user (console) in the IAM User Guide.
-
Amazon GameLift FleetIQ_policy
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "iam:PassRole" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "iam:PassedToService": "gamelift.amazonaws.com" } } }, { "Action": [ "iam:CreateServiceLinkedRole" ], "Effect": "Allow", "Resource": "arn:*:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling" }, { "Action": [ "autoscaling:CreateAutoScalingGroup", "autoscaling:CreateOrUpdateTags", "autoscaling:DescribeAutoScalingGroups", "autoscaling:ExitStandby", "autoscaling:PutLifecycleHook", "autoscaling:PutScalingPolicy", "autoscaling:ResumeProcesses", "autoscaling:SetInstanceProtection", "autoscaling:UpdateAutoScalingGroup", "autoscaling:DeleteAutoScalingGroup" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "ec2:DescribeAvailabilityZones", "ec2:DescribeSubnets", "ec2:RunInstances", "ec2:CreateTags" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "events:PutRule", "events:PutTargets" ], "Effect": "Allow", "Resource": "*" } ] }
Additional permissions for Amazon CloudFormation
If you use Amazon CloudFormationto manage your game hosting resources, add the Amazon CloudFormation permissions to the policy syntax.
{ "Action": [ "autoscaling:DescribeLifecycleHooks", "autoscaling:DescribeNotificationConfigurations", "ec2:DescribeLaunchTemplateVersions" ] "Effect": "Allow", "Resource": "*" }
Set up programmatic access for users
Users need programmatic access if they want to interact with Amazon outside of the Amazon Web Services Management Console. The Amazon APIs and the Amazon Command Line Interface require access keys. Whenever possible, create temporary credentials that consist of an access key ID, a secret access key, and a security token that indicates when the credentials expire.
To grant users programmatic access, choose one of the following options.
Which user needs programmatic access? | To | By |
---|---|---|
IAM | Use short-term credentials to sign programmatic requests to the Amazon CLI or Amazon APIs (directly or by using the Amazon SDKs). | Following the instructions in Using temporary credentials with Amazon resources in the IAM User Guide. |
IAM | (Not recommended) Use long-term credentials to sign programmatic requests to the Amazon CLI or Amazon APIs (directly or by using the Amazon SDKs). |
Following the instructions in Managing access keys for IAM users in the IAM User Guide. |
If you use access keys, see Best practices for managing Amazon access keys.