Create IAM roles for cross-service interaction - Amazon GameLift

Create IAM roles for cross-service interaction

In order for Amazon GameLift FleetIQ to work with your Amazon EC2 instances and Auto Scaling groups, you must allow the services to interact with each other. This is done by creating IAM roles in your AWS account and assigning a set of limited permissions. Each role also specifies which services can assume the role.

Set up the following roles:

Create a role for Amazon GameLift FleetIQ

This role allows Amazon GameLift FleetIQ to access and modify your Amazon EC2 instances, Auto Scaling groups, and lifecycle hooks as part of its Spot balancing and automatic scaling activities.

Use the IAM console or the AWS CLI to create a role for Amazon GameLift FleetIQ and attach a managed policy with the necessary permissions. For more information on IAM roles and managed policies, see Creating a Role for an AWS Service and AWS Managed Policies.

Console

These steps describe how to create a service role with a managed policy for Amazon GameLift using the AWS Management Console.

  1. Open the IAM console and choose Roles: Create role.

  2. For Select type of trusted entity, choose AWS service.

  3. For Choose a use case, choose GameLift from the list of services. Under Select your use case, the appropriate Amazon GameLift use case is automatically selected. To continue, choose Next: Permissions.

  4. The list Attached permissions policies should contain one policy: GameLiftGameServerGroupPolicy. If this policy is not shown, check the filters or use the search feature to add it to the role. You can view a policy's syntax (choose the ▶ icon to expand), but you cannot change the syntax. When the role is created, you can update the role and attach additional policies to add or remove permissions.

    For Set permissions boundary, keep the default setting (Create role without a permissions boundary). This is an advanced setting that is not required. To continue, choose Next: Tags.

  5. Add tags is an optional setting for resource management. For example, you might want to add tags to this role to track project-specific resource usage by role. To see more information on tagging for IAM roles and other uses, follow the Learn more link. To continue, choose Next: Review.

  6. On the Review page, make the following changes as needed:

    • Enter a role name and optionally update the description.

    • Verify the following:

      • Trusted entities is set to "AWS service: gamelift.amazonaws.com". This value must be updated once the role has been created.

      • Policies includes GameLiftGameServerGroupPolicy.

    To complete the task, choose Create role.

  7. Once the new role has been created, you must manually update the role's trust relationship. Go to the Roles page and choose the new role name to open its summary page. Open the Trust relationships tab and choose Edit trust relationship. In the policy document, update the Service property to include autoscaling.amazonaws.com. The revised Service property should look like this:

    "Service": [ "gamelift.amazonaws.com", "autoscaling.amazonaws.com" ]

    To save your change, choose Update Trust Policy.

The role is now ready. Take note of the role's ARN value, which is displayed at the top of the role's summary page. You will need this information when setting up Amazon GameLift FleetIQ game server groups.

AWS CLI

These steps describe how to create a service role with a managed policy for Amazon GameLift using the AWS CLI.

  1. Create a trust policy file (example: FleetIQtrustpolicyGameLift.json) with the following JSON syntax.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "gamelift.amazonaws.com",
              "autoscaling.amazonaws.com"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

  2. Create a new IAM role with iam create-role and associate it with the trust policy JSON file that you just created.

    Windows:

    aws iam create-role --role-name FleetIQ-role-for-GameLift --assume-role-policy-document file://C:\policies\FleetIQtrustpolicyGameLift.json

    Linux:

    aws iam create-role --role-name FleetIQ-role-for-GameLift --assume-role-policy-document file://policies/FleetIQtrustpolicyGameLift.json

    When the request is successful, the response includes the properties of the newly created role. Take note of the ARN value. You will need this information when setting up Amazon GameLift FleetIQ game server groups.

  3. Use iam attach-role-policy to attach the managed permissions policy "GameLiftGameServerGroupPolicy".

    aws iam attach-role-policy --role-name FleetIQ-role-for-GameLift --policy-arn arn:aws:iam::aws:policy/GameLiftGameServerGroupPolicy

    To verify that the permissions policy is attached, call iam list-attached-role-policies with the new role's name.

The role is now ready. You can verify that the IAM role is configured correctly by calling gamelift create-game-server-group with the role-arn property set to the new role's ARN value. When the GameServerGroup enters ACTIVE state, this indicates that Amazon GameLift FleetIQ is able to modify Amazon EC2 and Auto Scaling resources in your account, as expected.
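Creating a game server group is the end-to-end check, but the trust relationship can be inspected on its own from the document that aws iam get-role returns. The following Python script is an added example, not code from this page or from AWS: it builds the trust policy documents for both roles on this page (the two-service list form for the Amazon GameLift FleetIQ role above and the single-string form for the Amazon EC2 role in the next section), writes them under the file names the page uses, and audits a trust policy so that a console-created role still missing autoscaling.amazonaws.com from step 7, or a role whose trust relationship has since been widened to another principal, is reported. The function names and the sample account ID used in the comments are this example's own assumptions.

```python
"""Build and audit the trust policies for the FleetIQ roles on this page.

Added example, not AWS code. The policy documents match the page; the
function names and output file names are this example's own choices, and
audit_trust_policy() expects a dict in the shape that
`aws iam get-role` returns under Role.AssumeRolePolicyDocument.
"""
import json
from pathlib import Path

# Service principals each role from this page is meant to trust, in the page's order.
FLEETIQ_ROLE_SERVICES = ("gamelift.amazonaws.com", "autoscaling.amazonaws.com")
EC2_ROLE_SERVICES = ("ec2.amazonaws.com",)

# Actions that let a principal assume the role; "sts:*" and "*" cover it too.
ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def trust_policy(services):
    """Trust policy document allowing exactly these service principals to assume the role.

    A single service is emitted as a string and several as a list, which are the
    two forms this page uses; IAM accepts either.
    """
    principal = services[0] if len(services) == 1 else list(services)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": principal},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def write_policy(path, document):
    """Write a policy document for use with --assume-role-policy-document file://<path>."""
    Path(path).write_text(json.dumps(document, indent=2))
    return Path(path)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(document, expected_services):
    """Compare who may assume the role against the services that should be able to.

    Returns {"missing": [...], "unexpected": [...], "ok": bool}:
      missing    - expected services with no Allow sts:AssumeRole statement
      unexpected - any other principal granted the role (other services,
                   accounts or users under "AWS", or the anonymous "*")
    """
    trusted, unexpected = set(), set()
    for stmt in _as_list(document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & ASSUME_ACTIONS:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            unexpected.add("*")
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                if kind == "Service" and value in expected_services:
                    trusted.add(value)
                else:
                    # e.g. "AWS:arn:aws:iam::123456789012:root" (constructed sample account ID)
                    unexpected.add(f"{kind}:{value}")
    missing = [s for s in expected_services if s not in trusted]
    return {"missing": missing, "unexpected": sorted(unexpected), "ok": not missing and not unexpected}


if __name__ == "__main__":
    # Write the two trust policy files under the names this page uses, then audit them.
    for name, services in (
        ("FleetIQtrustpolicyGameLift.json", FLEETIQ_ROLE_SERVICES),
        ("FleetIQtrustpolicyEC2.json", EC2_ROLE_SERVICES),
    ):
        doc = trust_policy(services)
        print(write_policy(name, doc), audit_trust_policy(doc, services))
    # A console-created role before step 7 of the console procedure trusts only gamelift.
    print(audit_trust_policy(trust_policy(("gamelift.amazonaws.com",)), FLEETIQ_ROLE_SERVICES))
```

To audit a live role, feed audit_trust_policy() the output of aws iam get-role --role-name FleetIQ-role-for-GameLift --query Role.AssumeRolePolicyDocument, parsed with json.loads, together with FLEETIQ_ROLE_SERVICES; a non-empty "unexpected" list means someone other than the two services can assume the role.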

Create a role for Amazon EC2

This role enables your Amazon EC2 resources to communicate with Amazon GameLift FleetIQ. For example, your game servers, which are running on Amazon EC2 instances, need to be able to report health status. Include this role in an IAM instance profile with your Amazon EC2 launch template when creating an Amazon GameLift FleetIQ game server group.

Use the AWS CLI to create a role for Amazon EC2, attach a custom policy with the necessary permissions, and attach the role to an instance profile. For more information, see Creating a Role for an AWS Service.

AWS CLI

These steps describe how to create a service role with custom Amazon GameLift permissions for Amazon EC2 using the AWS CLI.

  1. Create a trust policy file (example: FleetIQtrustpolicyEC2.json) with the following JSON syntax.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "ec2.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

  2. Create a new IAM role with iam create-role and associate it with the trust policy JSON file that you just created.

    Windows:

    aws iam create-role --role-name FleetIQ-role-for-EC2 --assume-role-policy-document file://C:\policies\FleetIQtrustpolicyEC2.json

    Linux:

    aws iam create-role --role-name FleetIQ-role-for-EC2 --assume-role-policy-document file://policies/FleetIQtrustpolicyEC2.json

    When the request is successful, the response includes the properties of the newly created role. Take note of the ARN value. You will need this information when setting up your Amazon EC2 launch template.

  3. Create a permissions policy file (example: FleetIQpermissionsEC2.json) with the following JSON syntax.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "gamelift:*",
          "Resource": "*"
        }
      ]
    }

  4. Use iam put-role-policy to attach the permissions policy JSON file, which you just created, to the new role.

    Windows:

    aws iam put-role-policy --role-name FleetIQ-role-for-EC2 --policy-name FleetIQ-permissions-for-EC2 --policy-document file://C:\policies\FleetIQpermissionsEC2.json

    Linux:

    aws iam put-role-policy --role-name FleetIQ-role-for-EC2 --policy-name FleetIQ-permissions-for-EC2 --policy-document file://policies/FleetIQpermissionsEC2.json

    To verify that the permissions policy is attached, call iam list-role-policies with the new role's name.

  5. Create an instance profile with iam create-instance-profile with the new role for use with Amazon EC2. For more information, see Managing Instance Profiles.

    aws iam create-instance-profile --instance-profile-name FleetIQ-role-for-EC2

    When the request is successful, the response includes the properties of the newly created instance profile.

  6. Use iam add-role-to-instance-profile to attach the role to the instance profile.

    aws iam add-role-to-instance-profile --role-name FleetIQ-role-for-EC2 --instance-profile-name FleetIQ-role-for-EC2

The role and profile are now ready to be used with an Amazon EC2 launch template.
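To check the result of steps 3 through 6 before wiring the profile into a launch template, the following Python script is an added example rather than code from this page or from AWS. It takes the inline permissions policy from step 3 and the parsed JSON that aws iam get-instance-profile returns, confirms that the expected role is attached to the profile, and lists every Allow grant that uses a wildcard action or resource so the breadth of the instance's permissions is visible at a glance (the page's policy grants gamelift:* on all resources, which the audit reports as a wildcard grant). The function names and the sample profile output are this example's own constructions.

```python
"""Audit the Amazon EC2 instance role from this page.

Added example, not AWS code. EC2_PERMISSIONS_POLICY is the inline policy
from step 3; profile_output is assumed to be the parsed JSON that
`aws iam get-instance-profile` returns, and inline_policies a mapping of
policy name -> document as returned by `aws iam get-role-policy`.
"""

# The inline permissions policy exactly as this page defines it.
EC2_PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "gamelift:*", "Resource": "*"}],
}

# Constructed sample of `aws iam get-instance-profile` output for the profile from step 5.
SAMPLE_PROFILE = {
    "InstanceProfile": {
        "InstanceProfileName": "FleetIQ-role-for-EC2",
        "Roles": [{"RoleName": "FleetIQ-role-for-EC2"}],
    }
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def wildcard_grants(document):
    """(action, resource) pairs from Allow statements that use '*' on either side."""
    found = []
    for stmt in _as_list(document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                if "*" in action or "*" in resource:
                    found.append((action, resource))
    return found


def profile_roles(profile_output):
    """Role names attached to the instance profile described by get-instance-profile output."""
    roles = profile_output.get("InstanceProfile", {}).get("Roles", [])
    return [role["RoleName"] for role in roles]


def audit_instance_role(profile_output, inline_policies, expected_role):
    """Report whether the profile carries the expected role and which grants are wildcards.

    "ok" is True only when the expected role is attached; the wildcard list is
    informational, so you can decide whether the instance needs all of gamelift:*.
    """
    roles = profile_roles(profile_output)
    return {
        "role_attached": expected_role in roles,
        "roles": roles,
        "wildcards": {name: wildcard_grants(doc) for name, doc in inline_policies.items()},
        "ok": expected_role in roles,
    }


if __name__ == "__main__":
    # Run the audit against the constructed sample and the page's own policy.
    print(audit_instance_role(
        SAMPLE_PROFILE,
        {"FleetIQ-permissions-for-EC2": EC2_PERMISSIONS_POLICY},
        "FleetIQ-role-for-EC2",
    ))
```

Against a live account, build profile_output from aws iam get-instance-profile --instance-profile-name FleetIQ-role-for-EC2 and each inline document from aws iam get-role-policy --role-name FleetIQ-role-for-EC2 --policy-name FleetIQ-permissions-for-EC2 --query PolicyDocument, both parsed with json.loads.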