GameSparks stage roles - Amazon GameSparks

Amazon GameSparks is currently in preview. Changes might be made to this service and to this documentation. We don’t recommend using this service for production workloads.

GameSparks stage roles

To perform core functions, your GameSparks game uses AWS Identity and Access Management (IAM) stage roles (one for each stage). These functions include deploying your configuration onto a stage and writing logs in Amazon CloudWatch. You can also modify stage roles to enable the use of Amazon DynamoDB and AWS Lambda from GameSparks.

When you create a game, you choose how each stage is assigned an IAM role.

Create and use new roles for each stage

To use this option, you must be signed into the GameSparks console as a user or role that has the following permissions: iam:CreateRole, iam:CreatePolicy, and iam:AttachRolePolicy.


In general, we recommend this option, especially for new customers, to ensure that the IAM roles have the permissions that GameSparks needs.

Use existing roles for each stage

To use this option, you must be signed into the console as an IAM user or role that has the iam:ListRoles permission.

If you choose this option, the roles that you provide should have an Amazon Resource Name (ARN) that looks like arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:role/GameDeployment. The roles must have an attached policy with the following permissions:

{ "Version": "2012-10-17", "Statement": [ { "Sid": "ContainerPutLogEvent", "Effect": "Allow", "Action": [ "logs:PutLogEvents", "logs:CreateLogStream", "logs:CreateLogGroup" ], "Resource": [ "arn:aws:logs:us-east-1:012345678912:log-group:/aws/gamesparks/*" ] }, { "Sid": "ContainerInvokeBackend", "Effect": "Allow", "Action": [ "gamesparks:InvokeBackend" ], "Resource": [ "arn:aws:gamesparks:us-east-1:012345678912:game/GameName/stage/Dev" ] } ] }

In the preceding policy, replace:

  • 012345678912 with your AWS account number.

  • GameName with the name of your game.

The gamesparks:InvokeBackend action is what allows the stage to perform extension actions, such as sending messages and working with the PlayerState, DynamoDB, and Lambda extensions.

You must also establish a trust relationship between GameSparks and your IAM stage roles. To add the trust relationship:

  1. In the navigation pane of the IAM console, choose Roles. The console displays the roles for your account.

  2. On the Roles page, choose the name of an IAM role.

  3. On your role’s details page, choose the Trust relationships tab.

  4. Choose Edit trust policy.

  5. On the Edit trust policy page, in the JSON policy editor, paste the following policy:

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "" }, "Action": "sts:AssumeRole" } ] }
  6. Choose Update policy.

Learn more

To learn more about using: