# Manage user permissions for Amazon GameLift Servers FleetIQ Create additional users or extend Amazon GameLift Servers FleetIQ access permissions to existing users as needed. Users who work with Amazon GameLift Servers FleetIQ game server groups and the related Amazon EC2 and Auto Scaling services must have permissions to access these services. As a best practice ([ Security best practices in IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/best-practices.html)), apply least-privilege permissions for all users. You can set permissions for individual users or user groups and limit user access by service, action, or resource. Use following instructions to set user permissions based on how you manage the users in your Amazon account. If you use IAM users, as a best practice always attach permissions to roles or user groups, not individual users. + [Permissions syntax for users](gsg-iam-permissions-users-policy.md) + [Additional permissions syntax for use with Amazon CloudFormation](gsg-iam-permissions-users-policycfn.md) To provide access, add permissions to your users, groups, or roles: + Users managed in IAM through an identity provider: Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*. + IAM users: + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*. + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*. # Reference: Amazon GameLift Servers FleetIQ\$1policy The following is an example of the Amazon GameLift Servers FleetIQ\$1policy for your reference: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Action": [ "iam:PassRole" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "iam:PassedToService": "gamelift.amazonaws.com" } } }, { "Action": [ "iam:CreateServiceLinkedRole" ], "Effect": "Allow", "Resource": "arn:*:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling" }, { "Action": [ "autoscaling:CreateAutoScalingGroup", "autoscaling:CreateOrUpdateTags", "autoscaling:DescribeAutoScalingGroups", "autoscaling:ExitStandby", "autoscaling:PutLifecycleHook", "autoscaling:PutScalingPolicy", "autoscaling:ResumeProcesses", "autoscaling:SetInstanceProtection", "autoscaling:UpdateAutoScalingGroup", "autoscaling:DeleteAutoScalingGroup" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "ec2:DescribeAvailabilityZones", "ec2:DescribeSubnets", "ec2:RunInstances", "ec2:CreateTags" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "events:PutRule", "events:PutTargets" ], "Effect": "Allow", "Resource": "*" } ] } ``` ------ # Additional permissions for Amazon CloudFormation If you use Amazon CloudFormationto manage your game hosting resources, add the Amazon CloudFormation permissions to the policy syntax. ``` { "Action": [ "autoscaling:DescribeLifecycleHooks", "autoscaling:DescribeNotificationConfigurations", "ec2:DescribeLaunchTemplateVersions" ] "Effect": "Allow", "Resource": "*" } ``` # Set up programmatic access for users Users need programmatic access if they want to interact with Amazon outside of the Amazon Web Services Management Console. The Amazon APIs and the Amazon Command Line Interface require access keys. Whenever possible, create temporary credentials that consist of an access key ID, a secret access key, and a security token that indicates when the credentials expire. To grant users programmatic access, choose one of the following options. **** | Which user needs programmatic access? | To | By | | --- | --- | --- | | IAM | Use short-term credentials to sign programmatic requests to the Amazon CLI or Amazon APIs (directly or by using the Amazon SDKs). | Following the instructions in [Using temporary credentials with Amazon resources](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_credentials_temp_use-resources.html) in the IAM User Guide. | | IAM | (Not recommended)Use long-term credentials to sign programmatic requests to the Amazon CLI or Amazon APIs (directly or by using the Amazon SDKs). | Following the instructions in [Managing access keys for IAM users](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_credentials_access-keys.html) in the IAM User Guide. | If you use access keys, see [ Best practices for managing Amazon access keys](https://docs.amazonaws.cn/accounts/latest/reference/credentials-access-keys-best-practices.html).