# Set up an Amazon user account
<a name="setting-up-aws-login"></a>

**Tip**  
Use these topics to get help with these tasks:   
Get a new Amazon Web Services account for use with Amazon GameLift Servers.
Create a user or group with permissions to work with Amazon GameLift Servers resources.
Set up security credentials (you need these to use the Amazon CLI tools and the Amazon GameLift Servers plugins for Unreal and Unity)


As with all Amazon services, you need an Amazon Web Services account to use the Amazon GameLift Servers service and tools. An Amazon Web Services account serves two primary functions: (1) it gives you a container for all the Amazon resources that you create with the account; and (2) it lets you manage security for your Amazon resources, including setting up user authentication and controlling user access permissions. There's no cost for creating an Amazon Web Services account. 

**Explore Amazon GameLift Servers with or without an Amazon account**  
You **don't** need an Amazon account to:
+ Discover Amazon tools for building, running, and growing game experiences at [Amazon for Gaming](https://www.amazonaws.cn/solutions/industry/gametech/).
+ Learn more about Amazon GameLift Servers in the [product overview, FAQs, and resources](https://www.amazonaws.cn/gamelift/). **Ask Amazon** to find answers to your product questions. (Try this one: "Looking for low-cost options to host my multiplayer game".)
+ For a deeper dive, find out what makes Amazon GameLift Servers work in the [technical documentation](https://docs.amazonaws.cn/gamelift/), including developer guides for hosting and matchmaking, and the service API reference guide.
+ Check out information on [Amazon GameLift Servers pricing](https://www.amazonaws.cn/gamelift/servers/pricing/) and cost optimization techniques. 
+ Get downloads and see code repositories for Amazon GameLift Servers SDKs, plugins, and toolkits. See [Amazon GameLift Servers Getting started](https://www.amazonaws.cn/gamelift/servers/getting-started/). (You need an Amazon Web Services account to use them.)

You **do** need an Amazon account to: 
+ Create and manage Amazon resources using the Amazon Web Services Management Console. 
+ Create and manage Amazon resources using the Amazon Command Line Interface.
+ Use Amazon Q with the In the Amazon GameLift Servers technical documentation to find answers, guidance, and recommendations. 

**Topics**
+ [Sign up for an Amazon Web Services account](#sign-up-for-aws)
+ [Secure IAM users](#secure-an-admin)
+ [Set user permissions for Amazon GameLift Servers](#getting-started-create-iam-user)
+ [Set up programmatic access for users](#getting-started-iam-user-access-keys)
+ [Set up programmatic access for your game](#getting-started-iam-player-user)
+ [IAM permission examples for Amazon GameLift Servers](gamelift-iam-policy-examples.md)
+ [Set up an IAM service role for Amazon GameLift Servers](setting-up-role.md)

## Sign up for an Amazon Web Services account
<a name="sign-up-for-aws"></a>

If you do not have an Amazon Web Services account, use the following procedure to create one.

**To sign up for Amazon Web Services**

1. Open [http://www.amazonaws.cn/](http://www.amazonaws.cn/) and choose **Sign Up**.

1. Follow the on-screen instructions.

Amazon sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [http://www.amazonaws.cn/](http://www.amazonaws.cn/) and choosing **My Account**.

## Secure IAM users
<a name="secure-an-admin"></a>

After you sign up for an Amazon Web Services account, safeguard your administrative user by turning on multi-factor authentication (MFA). For instructions, see [Enable a virtual MFA device for an IAM user (console)](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-iam-user) in the *IAM User Guide*.

To give other users access to your Amazon Web Services account resources, create IAM users. To secure your IAM users, turn on MFA and only give the IAM users the permissions needed to perform their tasks.

For more information about creating and securing IAM users, see the following topics in the *IAM User Guide*: 
+ [Creating an IAM user in your Amazon Web Services account](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_users_create.html)
+ [Access management for Amazon resources](https://docs.amazonaws.cn/IAM/latest/UserGuide/access.html)
+ [Example IAM identity-based policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_examples.html)

## Set user permissions for Amazon GameLift Servers
<a name="getting-started-create-iam-user"></a>

Create additional users or extend access permissions to existing users as needed for your Amazon GameLift Servers resources. As a best practice ([ Security best practices in IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/best-practices.html)), apply least-privilege permissions for all users. For guidance on permissions syntax, see [IAM permission examples for Amazon GameLift Servers](gamelift-iam-policy-examples.md).

Use following instructions to set user permissions based on how you manage the users in your Amazon account. 

To provide access, add permissions to your users, groups, or roles:
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

When working with IAM users, as a best practice always attach permissions to roles or user groups, not individual users.

## Set up programmatic access for users
<a name="getting-started-iam-user-access-keys"></a>

Users need programmatic access if they want to interact with Amazon outside of the Amazon Web Services Management Console. The Amazon APIs and the Amazon Command Line Interface require access keys. Whenever possible, create temporary credentials that consist of an access key ID, a secret access key, and a security token that indicates when the credentials expire.

To grant users programmatic access, choose one of the following options.


****  

| Which user needs programmatic access? | To | By | 
| --- | --- | --- | 
| IAM | Use short-term credentials to sign programmatic requests to the Amazon CLI or Amazon APIs (directly or by using the Amazon SDKs). | Following the instructions in [Using temporary credentials with Amazon resources](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_credentials_temp_use-resources.html) in the IAM User Guide. | 
| IAM | (Not recommended)Use long-term credentials to sign programmatic requests to the Amazon CLI or Amazon APIs (directly or by using the Amazon SDKs). | Following the instructions in [Managing access keys for IAM users](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_credentials_access-keys.html) in the IAM User Guide. | 

If you use access keys, see [Best practices for managing Amazon access keys](https://docs.amazonaws.cn/accounts/latest/reference/credentials-access-keys-best-practices.html).

## Set up programmatic access for your game
<a name="getting-started-iam-player-user"></a>

Most games use backend services to communicate with Amazon GameLift Servers using the Amazon SDKs. Use a backend service (acting for a game client) to request game sessions, place players into games, and other tasks. These services need programmatic access and security credentials to authenticate calls to the service API for Amazon GameLift Servers. 

For Amazon GameLift Servers, you manage this access by creating a player user in Amazon Identity and Access Management (IAM). Manage player user permissions through one of the following options:
+ Create an IAM role with player user permissions and allow the player user to assume the role when needed. The backend service must include code to assume this role before making requests to Amazon GameLift Servers. In accordance with security best practices, roles provide limited, temporary access. You can use roles for workloads running on Amazon resources ([IAM roles](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles.html)) or outside of Amazon ([IAM Roles Anywhere](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_common-scenarios_non-aws.html)).
+ Create an IAM user group with player user permissions and add your player user to the group. This option gives your player user long-term credentials, which the backend service must store and use when communicating with Amazon GameLift Servers.

For permissions policy syntax, see [Player user permission examples](gamelift-iam-policy-examples.md#iam-policy-admin-game-dev-example). 

For more information on managing permissions for use by a workload, see [IAM Identities: Temporary credentials in IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/id.html#id_temp-creds).