Amazon GameSparks is currently in preview. Changes might be made to this service and to this documentation. We don’t recommend using this service for production workloads.
GameSparks stage roles
To perform core functions, your GameSparks game uses AWS Identity and Access Management (IAM) stage roles (one for each stage). These functions include deploying your configuration onto a stage and writing logs in Amazon CloudWatch. You can also modify stage roles to enable the use of Amazon DynamoDB and AWS Lambda from GameSparks.
When you create a game, you choose how each stage is assigned an IAM role.
Create and use new roles for each stage
To use this option, you must be signed into the GameSparks console as a user or role that has the following permissions: iam:CreateRole, iam:CreatePolicy, and iam:AttachRolePolicy.
In general, we recommend this option, especially for new customers, to ensure that the IAM roles have the permissions that GameSparks needs.
Use existing roles for each stage
To use this option, you must be signed into the console as an IAM user or role that has the iam:ListRoles permission.
If you choose this option, the roles that you provide should have an Amazon Resource Name (ARN) that looks like arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:role/GameDeployment. The roles must have an attached policy with the following permissions:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ContainerPutLogEvent",
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents",
                "logs:CreateLogStream",
                "logs:CreateLogGroup"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:012345678912:log-group:/aws/gamesparks/*"
            ]
        },
        {
            "Sid": "ContainerInvokeBackend",
            "Effect": "Allow",
            "Action": [
                "gamesparks:InvokeBackend"
            ],
            "Resource": [
                "arn:aws:gamesparks:us-east-1:012345678912:game/GameName/stage/Dev"
            ]
        }
    ]
}
In the preceding policy, replace:
- 012345678912 with your AWS account number.
- GameName with the name of your game.
The gamesparks:InvokeBackend action is what allows the stage to perform extension actions, such as sending messages and working with the PlayerState, DynamoDB, and Lambda extensions.
You must also establish a trust relationship between GameSparks and your IAM stage roles. To add the trust relationship:
- In the navigation pane of the IAM console, choose Roles. The console displays the roles for your account.
- On the Roles page, choose the name of an IAM role.
- On your role’s details page, choose the Trust relationships tab.
- Choose Edit trust policy.
- On the Edit trust policy page, in the JSON policy editor, paste the following policy:
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Principal": {
                  "Service": "gamesparks.amazonaws.com"
              },
              "Action": "sts:AssumeRole"
          }
      ]
  }
- Choose Update policy.
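The permissions policy and trust policy above can be checked before they are attached to an existing role. The following Python sketch is an added example, not AWS or GameSparks code: it reports resources outside the expected account, stage, or log group (which is how unreplaced placeholders show up), missing required actions, and any trust-policy principal other than gamesparks.amazonaws.com. The function names, the account ID 111122223333, and the game name SpaceGame are assumptions made for the illustration.

```python
LOGS = ["logs:PutLogEvents", "logs:CreateLogStream", "logs:CreateLogGroup"]
REQUIRED = set(LOGS) | {"gamesparks:InvokeBackend"}
SERVICE = "gamesparks.amazonaws.com"

def as_list(value):  # IAM accepts a string or a list for these fields
    return value if isinstance(value, list) else [value]

def audit_stage_role(policy, trust, account_id, game, stage):
    """Return findings; an empty list means both documents match the page."""
    findings, granted = [], set()
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        granted.update(actions)
        for res in as_list(stmt.get("Resource", [])):
            # ARN layout: arn:aws:<service>:<region>:<account>:<resource>
            parts = res.split(":", 5)
            if len(parts) < 6 or parts[4] != account_id:
                findings.append(f"resource not in account {account_id}: {res}")
            elif ("gamesparks:InvokeBackend" in actions
                  and parts[5] != f"game/{game}/stage/{stage}"):
                findings.append(f"InvokeBackend not scoped to this stage: {res}")
            elif (any(a.startswith("logs:") for a in actions)
                  and not parts[5].startswith("log-group:/aws/gamesparks/")):
                findings.append(f"log access outside /aws/gamesparks/: {res}")
    findings += [f"missing action: {a}" for a in sorted(REQUIRED - granted)]
    trusted = False
    for stmt in as_list(trust["Statement"]):
        if (stmt.get("Effect") != "Allow"
                or "sts:AssumeRole" not in as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal")
        if principal in ({"Service": SERVICE}, {"Service": [SERVICE]}):
            trusted = True
        else:
            findings.append(f"unexpected principal can assume role: {principal}")
    if not trusted:
        findings.append(f"{SERVICE} is not trusted to assume the role")
    return findings

# Constructed sample (page policy, placeholders left in); 111122223333/SpaceGame are made up.
PASTED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": LOGS,
     "Resource": ["arn:aws:logs:us-east-1:012345678912:log-group:/aws/gamesparks/*"]},
    {"Effect": "Allow", "Action": ["gamesparks:InvokeBackend"],
     "Resource": ["arn:aws:gamesparks:us-east-1:012345678912:game/GameName/stage/Dev"]}]}
TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": SERVICE}, "Action": "sts:AssumeRole"}]}
print("\n".join(audit_stage_role(PASTED, TRUST, "111122223333", "SpaceGame", "Dev")))
```

Both resources in the sample are reported because they still carry the placeholder account number. Statements added later for DynamoDB or Lambda are accepted as long as their resources are in the same account.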
Learn more
To learn more about using:
- IAM policies for Amazon DynamoDB, see Using Amazon DynamoDB tables to store global data.
- IAM policies for Lambda, see Using Lambda functions in your game.