Create IAM roles for cross-service interaction
In order for GameLift FleetIQ to work with your Amazon EC2 instances and Auto Scaling groups, you must allow the
services to interact with each other. This is done by creating IAM roles in your AWS
account and assigning a set of limited permissions. Each role also sspecifies which services can assume the role.
Set up the following roles:
Create a role for GameLift FleetIQ
This role allows GameLift FleetIQ to access and modify your Amazon EC2 instances, Auto Scaling groups, and
lifecycle hooks as part of its Spot balancing and automatic scaling activities.
Use the IAM console or the AWS CLI to create a role for GameLift FleetIQ and attach a managed
policy with the necessary permissions. For more information on IAM roles and managed
policies, see Creating a Role for an AWS Service and AWS
Managed Policies.
- Console
-
These steps describe how to create a service role with a managed policy for
GameLift using the AWS Management Console.
-
Open the IAM console and choose
Roles: Create role.
-
For Select type of trusted entity, choose AWS
service.
-
For Choose a use case, choose GameLift
from the list of services. Under Select your use case, the
appropriate GameLift use case is automatically selected. To continue, choose
Next: Permissions.
-
The list Attached permissions policies should contain one
policy: GameLiftGameServerGroupPolicy . If this policy is not
shown, check the filters or use the search feature to add it to the role. You can
view a policy's syntax (choose the ▶ icon to expand), but you cannot change
the syntax. When the role is created, you can update the role and attach
additional policies to add or remove permissions.
For Set permissions boundary, keep the default setting
(Create role without a permissions boundary). This is an advanced setting that is
not required. To continue, choose Next: Tags.
-
Add tags is an optional setting for resource management.
For example, you might want to add tags to this role to track project-specific
resource usage by role. To see more information on tagging for IAM roles and
other uses, follow the Learn more link. To continue, choose
Next: Review.
-
On the Review page, make the following changes as needed:
To complete the task, choose Create role.
-
Once the new role has been created, you must manually update the role's trust
relationship. Go to the Roles page and choose the new role
name to open its summary page. Open the Trust relationships
tab and choose Edit trust relationship. In the policy
document, update the Service
property to include
autoscaling.amazonaws.com
. The revised Service
property should look like this:
"Service": [
"gamelift.amazonaws.com",
"autoscaling.amazonaws.com"
]
To save your change, choose Update Trust Policy.
The role is now ready. Take note of the role's ARN value, which is displayed at
the top of the role's summary page. You will need this information when setting up
GameLift FleetIQ game server groups.
- AWS CLI
-
These steps describe how to create a service role with a managed policy for GameLift
using the AWS CLI.
-
Create a trust policy file (example:
FleetIQtrustpolicyGameLift.json
) with the following JSON
syntax.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"gamelift.amazonaws.com",
"autoscaling.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
-
Create a new IAM role with iam create-role and associate it with the trust policy JSON file that
you just created.
Windows:
AWS iam create-role --role-name FleetIQ-role-for-GameLift --assume-role-policy-document file://C:\policies\FleetIQtrustpolicyGameLift.json
Linux:
AWS iam create-role --role-name FleetIQ-role-for-GameLift --assume-role-policy-document file://policies/FleetIQtrustpolicyGameLift.json
When the request is successful, the response includes the properties of the
newly created role. Take note of the ARN value. You will need this information
when setting up GameLift FleetIQ game server groups.
-
Use iam
attach-role-policy to attach the managed permissions policy
"GameLiftGameServerGroupPolicy".
AWS iam attach-role-policy --role-name FleetIQ-role-for-GameLift --policy-arn arn:aws:iam::aws:policy/GameLiftGameServerGroupPolicy
To verify that the permissions policy is attached, call iam
list-attached-role-policies with the new role's name.
The role is now ready. You can verify that the IAM role is configured correctly by
calling gamelift
create-game-server-group with the role-arn
property set to the
new role's ARN value. When the GameServerGroup
enters ACTIVE state, this
indicates that GameLift FleetIQ is able to modify Amazon EC2 and Auto Scaling resources in your account, as
expected.
Create a role for Amazon EC2
This role enables your Amazon EC2 resources to communicate with GameLift FleetIQ. For example, your
game servers, which are running on Amazon EC2 instances, need to be able to report health status.
Include this role in an IAM instance profile with your Amazon EC2 launch template when creating
a GameLift FleetIQ game server group.
Use the AWS CLI to create a role for Amazon EC2, attach a custom policy with the necessary
permissions, and attach the role to an instance profile. For more information, see Creating a Role for an AWS Service.
- AWS CLI
-
These steps describe how to create a service role with custom GameLift permissions
for Amazon EC2 using the AWS CLI.
-
Create a trust policy file (example:
FleetIQtrustpolicyEC2.json
) with the following JSON syntax.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
-
Create a new IAM role with iam create-role and associate it with the trust policy JSON file that
you just created.
Windows:
AWS iam create-role --role-name FleetIQ-role-for-EC2 --assume-role-policy-document file://C:\policies\FleetIQtrustpolicyEC2.json
Linux:
AWS iam create-role --role-name FleetIQ-role-for-EC2 --assume-role-policy-document file://policies/FleetIQtrustpolicyEC2.json
When the request is successful, the response includes the properties of the
newly created role. Take note of the ARN value. You will need this information
when setting up your Amazon EC2 launch template.
-
Create a permissions policy file (example:
FleetIQpermissionsEC2.json
) with the following JSON syntax.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "gamelift:*",
"Resource": "*"
}
]
}
-
Use iam
put-role-policy to attach the permissions policy JSON file, which you
just created, to the new role.
Windows:
AWS iam put-role-policy --role-name FleetIQ-role-for-EC2 --policy-name FleetIQ-permissions-for-EC2 --policy-document file://C:\policies\FleetIQpermissionsEC2.json
Linux:
AWS iam put-role-policy --role-name FleetIQ-role-for-EC2 --policy-name FleetIQ-permissions-for-EC2 --policy-document file://policies/FleetIQpermissionsEC2.json
To verify that the permissions policy is attached, call iam
list-role-policies with the new role's name.
Create an instance profile with iam create-instance-profile with the new role for use
with Amazon EC2. For more information, see
Managing Instance Profiles.
AWS iam create-instance-profile --instance-profile-name FleetIQ-role-for-EC2
When the request is successful, the response includes the properties of the
newly created instance profile.
-
Use iam
add-role-to-instance-profile to attach the role to the instance profile.
AWS iam add-role-to-instance-profile --role-name FleetIQ-role-for-EC2 --instance-profile-name FleetIQ-role-for-EC2
The role and profile is now ready to be used with an Amazon EC2 launch template.