Menu
Lumberyard
Developer Guide (Version 1.12)

Using the Cloud Canvas Command Line to Manage Roles and Permissions

You can use the lmbr_aws command line tool to manage Cloud Canvas Resource Manager access control. For example, you can use the tool to assume a role when you run a command, or to manage roles, permissions, and role mappings.

Assuming a Role

Most lmbr_aws commands support an --assume-role <role-name> argument. You can use this argument to assume a role when you run a command.

If specified, <role-name> must be the logical resource ID of an IAM role resource defined in either the project-template.json or deployment-access-template.json files.

Note

You should avoid defining roles that have the same name in both files. If you do, the role from the deployment file takes precedence.

If you specify a deployment access role, the actual role used depends on the deployment on which the command is operating. If the --deployment argument has been specified, then the specified deployment is used. If the --deployment argument has not been specified and the user has specified a default deployment, the default deployment is used. If a default deployment has not been specified, the project’s default deployment is used.

lmbr_aws uses uses your configured AWS credentials to assume the specified role. See Using the Cloud Canvas Command Line - Configuration for a description of how the credentials are determined. The credentials must have permission to assume the role. For more information, see Granting a User Permission to Switch Roles.

Before assuming the role, the lmbr_aws tool uses credentials to read project configuration data from AWS. The ProjectAccess managed policy in the project-template.json file and the DeploymentAccess managed policy in the deployment-access-template.json file grant the permissions necessary to read this information. You can attach the corresponding managed policy to any IAM user that works on a project or deployment.

Note that administrative users created for an AWS account normally have permissions to assume roles and read project configuration. Administrative users typically have permission to perform any action on any resource owned by an account.

Role Management Commands

Role management commands manage the AWS::IAM::Role resource definitions in the project-template.json and deployment-access-template.json files. After you use these commands to make changes, you must update the project or deployment access stacks for the changes to take effect. For information about the permissions to perform this action, see Setting Access Permissions.

lmbr_aws role add

Adds an AWS IAM Role resource definition to the project-template.json file or deployment-access-template.json file.

Argument Description
‑‑role <role‑name> Required. The name of the role resource definition.
‑‑project Optional. When present, specifies that the role resource definition be added to the project-template.json file. Otherwise, the role resource definition is added to the deployment-access-template.json file.

lmbr_aws role remove

Removes an AWS IAM role resource definition from the project-template.json file or deployment-access-template.json file.

Argument Description
‑‑role <role‑name> Required. The name of the role resource definition.
‑‑project Optional. When present, specifies that the role resource definition be removed from the project-template.json file. Otherwise, the role resource definition is removed from the deployment-access-template.json file.

lmbr_aws role list

Lists the AWS IAM role definitions in the project-template.json and/or deployment-access-template.json files.

Argument Description
‑‑deployment Optional. Either --deployment or --project can be specified. If --deployment is specified, only the roles in the deployment-access-template.json file are listed.
‑‑project Optional. Either --deployment or --project can be specified. If --project is specified, only the roles in the project-template.json file are listed.

Output

The output is similar to the following example.

Scope Name ---------- ------------------------------------------- Deployment DeploymentAdmin Deployment DeploymentOwner Deployment Player Deployment PlayerLoginRole Project ProjectAdmin Project ProjectOwner Project PlayerAccessTokenExchangeExecution Project ProjectResourceHandlerExecution

Column Description
Scope Indicates whether the role is defined in the deployment-access-template.json or project-template.json file.
Name Shows the resource definition name. This is the "logical" resource name, not the "physical" resource name which identifies an actual instance of the role. To see the physical resource names, use the lmbr_aws project list-resources or lmbr_aws deployment list-resources command.

Permission Metadata Management

The permission metadata management commands manage CloudCanvas Permissions metadata on resource definitions in the resource-group-template.json files. After you use these commands to make changes, you must update the project or deployment access stacks for the changes to take effect. For information about the permissions to perform this action, see Setting Access Permissions.

lmbr_aws permission add

Adds Cloud Canvas Permissions metadata to an resource definition in a resource-group-template.json file.

Argument Description
‑‑resource‑group <resource‑group‑name> Required. The name of a resource group. The metadata will be added to a resource definition in that resource group's resource-group-template.json file.
‑‑resource <resource‑name> Required. The name of the resource definition in the resource-group-template.json file.
‑‑role <abstract-role‑name> Required. Identifies the role that is granted the permission.
‑‑action <action> [<action> ...] Required. The action that is allowed. You can specify more than one action.
‑‑suffix <suffix> [<suffix> ...] Optional. A string appended to the resource ARN. You can specify more than one suffix.

lmbr_aws permission remove

Removes Cloud Canvas Permissions metadata from a resource definition in a resource-group-template.json file.

Argument Description
‑‑resource‑group <resource‑group‑name> Required. The name of a resource group. The metadata is removed from a resource definition in the specified resource group's resource-group-template.json file.
‑‑resource <resource‑name> Required. The name of the resource definition in the resource-group-template.json file.
‑‑role <abstract‑role‑name> Required. Identifies the roles from which permissions are removed.
‑‑action <action> [<action> ...] Optional. The action that is removed. You can specify more than one action. If not specified, all permissions for the role are removed.
‑‑suffix <suffix> [<suffix> ...] Optional. A string appended to the resource ARN, which is removed. You can specify more than one suffix.

lmbr_aws permission list

Removes Cloud Canvas Permissions metadata from an resource definition in a resource-group-template.json file.

Argument Description
‑‑resource‑group <resource‑group‑name> Optional. Lists the metadata from resource definitions in the resource group's resource-group-template.json file. The default lists permissions from all resource groups.
‑‑resource <resource‑name> Optional. The name of the resource definition in the resource-group-template.json file. The default lists metadata from all resource definitions.
‑‑role <abstract‑role‑name> Optional. Lists metadata for the specified abstract role. The default lists metadata for all abstract roles.

Output

The output is similar to the following example.

Resource Group Resource Resource Type Roles Actions ARN Suffixes -------------- -------------------- --------------------- -------------- ---------------------------------------------------- ------------ DynamicContent ContentBucket AWS::S3::Bucket ServiceLambda s3:GetObject /* DynamicContent ContentBucket AWS::S3::Bucket ContentRequest s3:* /* DynamicContent ContentRequest AWS::Lambda::Function Player lambda:InvokeFunction DynamicContent ServiceLambda AWS::Lambda::Function ServiceApi lambda:InvokeFunction DynamicContent StagingSettingsTable AWS::DynamoDB::Table ServiceLambda dynamodb:GetItem, dynamodb:Scan, dynamodb:UpdateItem DynamicContent StagingSettingsTable AWS::DynamoDB::Table ContentRequest dynamodb:GetItem

Column Description
Resource Group Shows the resource group where the permission metadata was found.
Resource Shows the name of the resource definition with the metadata.
Resource Type Shows the type of the resource definition with the metadata.
Roles Shows the abstract roles specified by the permission metadata.
Actions Shows the actions specified by the permission metadata.
ARN Suffixes Shows the suffix added to the resource ARN, as specfied by the permission metadata.

Tip

To see all the resources players have access to through the game client, use the command:

lmbr_aws permission list --role Player

Role Mapping Metadata Management

Role mapping metadata management commands manage CloudCanvas RoleMappings metadata on AWS::IAM:Role resource definitions in the project-template.json and deployment-access-template.json files. After you use these commands to make changes, you must update the project or deployment access stacks for the changes to take effect. For information about the permissions to perform this action, see Setting Access Permissions.

lmbr_aws role-mapping add

Adds Cloud Canvas RoleMappings metadata to an AWS IAM Role definition in the project-template.json or deployment-access-template.json file.

Argument Description
‑‑role <role‑name> Required. The name of the role resource definition.
‑‑pattern <abstract‑role‑pattern> Identifies the abstract roles mapped to the role. Has the form <resource-group-name>.<abstract-role-name>, where <resource-group-name> can be *.
‑‑allow Either --allow or --deny must be specified. Indicates that the permissions requested for the abstract role are allowed.
‑‑deny Either --allow or --deny must be specified. Indicates that the permissions requested for the abstract role are denied.
‑‑project Optional. Indicates that the role definition is in the project-template.json file. The default is for the role definition to be in the deployment-access-template.json file.

lmbr_aws role-mapping remove

Removes an AWS IAM Role resource definition from the project-template.json file or deployment-access-template.json file.

Argument Description
‑‑role <role‑name> Required. The name of the role resource definition.
‑‑pattern <abstract‑role‑pattern> Identifies the abstract roles mapped to the role. Has the form <resource-group-name>.<abstract-role-name>, where <resource-group-name> can be *.
‑‑project Optional. Indicates that the role definition is in the project-template.json file. The default is for the role definition to be in the deployment-access-template.json file.

lmbr_aws role-mapping list

Lists the AWS IAM Role definitions in the project-template.json and/or deployment-access-template.json files.

Argument Description
‑‑role <role‑name> Required. The role definition with the metadata to list. The default is to list metadata from all role definitions.
‑‑pattern <abstract‑role‑pattern> The abstract role pattern specified by the metadata listed. The default is to list metadata with any abstract role pattern.
‑‑deployment Optional. Either --deployment or --project can be specified. Lists metadata from role definitions in the deployment-access-template.json file. The default is to list metadata from role definitions in the project-template.json and deployment-access-template.json files.
‑‑project Optional. Either --deployment or --project can be specified. Lists metadata from role definitions in the project-template.json file. The default is to list metadata from role definitions in the project-template.json and deployment-access-template.json files.

Output

The output is similar to the following example.

Scope Actual Role Abstract Role Effect ---------- ------------------------------- ----------------------------- ------ Deployment DeploymentAdmin *.DeploymentAdmin Allow Deployment DeploymentOwner *.DeploymentAdmin Allow Deployment DeploymentOwner *.DeploymentOwner Allow Deployment Player *.Player Allow Project ProjectAdmin *.ProjectAdmin Allow Project ProjectOwner *.ProjectAdmin Allow Project ProjectOwner *.ProjectOwner Allow

Column Description
Scope Shows whether the role mapping came from the project-template.json or deployment-access-template.json files.
Actual Role Shows the name of the role resource definition with the mapping metadata.
Abstract Role Shows the abstract roles (as specified on permission metadata) that map to the role.
Effect Shows whether the permissions requested for the abstract role are allowed or denied.