# Set up an AWS user account
**Tip**
Use these topics to get help with these tasks:
Get a new AWS account for use with Amazon GameLift Servers.
Create a user or group with permissions to work with Amazon GameLift Servers resources.
Set up security credentials (you need these to use the AWS CLI tools and the Amazon GameLift Servers plugins for Unreal and Unity)
As with all AWS services, you need an AWS account to use the Amazon GameLift Servers service and tools. An AWS account serves two primary functions: (1) it gives you a container for all the AWS resources that you create with the account; and (2) it lets you manage security for your AWS resources, including setting up user authentication and controlling user access permissions. There's no cost for creating an AWS account.
**Explore Amazon GameLift Servers with or without an AWS account**
You **don't** need an AWS account to:
+ Discover AWS tools for building, running, and growing game experiences at [AWS for Games](https://aws.amazon.com/gametech/). Read the [Blog](https://aws.amazon.com/blogs/gametech/) and browse the [Solutions for Games library](https://aws.amazon.com/solutions/games).
+ Learn more about Amazon GameLift Servers in the [product overview, FAQs, and resources](https://aws.amazon.com/gamelift/). **Ask AWS** to find answers to your product questions. (Try this one: "Looking for low-cost options to host my multiplayer game".)
+ For a deeper dive, find out what makes Amazon GameLift Servers work in the [technical documentation](https://docs.aws.amazon.com/gamelift/), including developer guides for hosting and matchmaking, and the service API reference guide.
+ Check out information on [Amazon GameLift Servers pricing](https://aws.amazon.com/gamelift/servers/pricing/) and cost optimization techniques. Try the [Pricing Calculator](https://calculator.aws/#/createCalculator/GameLift) to see how hosting costs are calculated based on peak concurrent player usage (CCU).
+ Get downloads and see code repositories for Amazon GameLift Servers SDKs, plugins, and toolkits. See [Amazon GameLift Servers Getting started](https://aws.amazon.com/gamelift/servers/getting-started/). (You need an AWS account to use them.)
You **do** need an AWS account to:
+ Follow onboarding workflows with the Amazon GameLift Servers plugins for Unreal and Unity, or use the game server wrapper.
+ Create and manage AWS resources using the AWS Management Console.
+ Create and manage AWS resources using the AWS Command Line Interface.
+ Use Amazon Q with the In the Amazon GameLift Servers technical documentation to find answers, guidance, and recommendations.
**Topics**
+ [
## Sign up for an AWS account
](#sign-up-for-aws)
+ [
## Create a user with administrative access
](#create-an-admin)
+ [
## Set user permissions for Amazon GameLift Servers
](#getting-started-create-iam-user)
+ [
## Set up programmatic access for users
](#getting-started-iam-user-access-keys)
+ [
## Set up programmatic access for your game
](#getting-started-iam-player-user)
+ [
# IAM permission examples for Amazon GameLift Servers
](gamelift-iam-policy-examples.md)
+ [
# Set up an IAM service role for Amazon GameLift Servers
](setting-up-role.md)
## Sign up for an AWS account
If you do not have an AWS account, complete the following steps to create one.
**To sign up for an AWS account**
1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).
1. Follow the online instructions.
Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.
When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks).
AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [https://aws.amazon.com/](https://aws.amazon.com/) and choosing **My Account**.
## Create a user with administrative access
After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.
**Secure your AWS account root user**
1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.
For help signing in by using root user, see [Signing in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html#introduction-to-root-user-sign-in-tutorial) in the *AWS Sign-In User Guide*.
1. Turn on multi-factor authentication (MFA) for your root user.
For instructions, see [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in the *IAM User Guide*.
**Create a user with administrative access**
1. Enable IAM Identity Center.
For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-set-up-for-idc.html) in the *AWS IAM Identity Center User Guide*.
1. In IAM Identity Center, grant administrative access to a user.
For a tutorial about using the IAM Identity Center directory as your identity source, see [ Configure user access with the default IAM Identity Center directory](https://docs.aws.amazon.com//singlesignon/latest/userguide/quick-start-default-idc.html) in the *AWS IAM Identity Center User Guide*.
**Sign in as the user with administrative access**
+ To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.
For help signing in using an IAM Identity Center user, see [Signing in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.
**Assign access to additional users**
1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.
For instructions, see [ Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-started-create-a-permission-set.html) in the *AWS IAM Identity Center User Guide*.
1. Assign users to a group, and then assign single sign-on access to the group.
For instructions, see [ Add groups](https://docs.aws.amazon.com//singlesignon/latest/userguide/addgroups.html) in the *AWS IAM Identity Center User Guide*.
## Set user permissions for Amazon GameLift Servers
Create additional users or extend access permissions to existing users as needed for your Amazon GameLift Servers resources. As a best practice ([ Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)), apply least-privilege permissions for all users. For guidance on permissions syntax, see [IAM permission examples for Amazon GameLift Servers](gamelift-iam-policy-examples.md).
Use following instructions to set user permissions based on how you manage the users in your AWS account.
To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:
Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:
Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
+ Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
+ (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.
When working with IAM users, as a best practice always attach permissions to roles or user groups, not individual users.
## Set up programmatic access for users
Users need programmatic access if they want to interact with AWS outside of the AWS Management Console. The way to grant programmatic access depends on the type of user that's accessing AWS.
To grant users programmatic access, choose one of the following options.
****
| Which user needs programmatic access? | To | By |
| --- | --- | --- |
| IAM | (Recommended) Use console credentials as temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/gameliftservers/latest/developerguide/setting-up-aws-login.html) |
| Workforce identity (Users managed in IAM Identity Center) | Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/gameliftservers/latest/developerguide/setting-up-aws-login.html) |
| IAM | Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions in [Using temporary credentials with AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) in the IAM User Guide. |
| IAM | (Not recommended)Use long-term credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/gameliftservers/latest/developerguide/setting-up-aws-login.html) |
If you use access keys, see [Best practices for managing AWS access keys](https://docs.aws.amazon.com/accounts/latest/reference/credentials-access-keys-best-practices.html).
## Set up programmatic access for your game
Most games use backend services to communicate with Amazon GameLift Servers using the AWS SDKs. Use a backend service (acting for a game client) to request game sessions, place players into games, and other tasks. These services need programmatic access and security credentials to authenticate calls to the service API for Amazon GameLift Servers.
For Amazon GameLift Servers, you manage this access by creating a player user in AWS Identity and Access Management (IAM). Manage player user permissions through one of the following options:
+ Create an IAM role with player user permissions and allow the player user to assume the role when needed. The backend service must include code to assume this role before making requests to Amazon GameLift Servers. In accordance with security best practices, roles provide limited, temporary access. You can use roles for workloads running on AWS resources ([IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)) or outside of AWS ([IAM Roles Anywhere](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_non-aws.html)).
+ Create an IAM user group with player user permissions and add your player user to the group. This option gives your player user long-term credentials, which the backend service must store and use when communicating with Amazon GameLift Servers.
For permissions policy syntax, see [Player user permission examples](gamelift-iam-policy-examples.md#iam-policy-admin-game-dev-example).
For more information on managing permissions for use by a workload, see [IAM Identities: Temporary credentials in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html#id_temp-creds).
# IAM permission examples for Amazon GameLift Servers
Use the syntax in these examples to set AWS Identity and Access Management (IAM) permissions for users that need access to Amazon GameLift Servers resources. For more information on managing user permissions, see [Set user permissions for Amazon GameLift Servers](setting-up-aws-login.md#getting-started-create-iam-user). When managing permissions for users outside of the IAM Identity Center, as a best practice always attach permissions to IAM roles or user groups, not individual users.
If you're using Amazon GameLift Servers FleetIQ as a standalone solution, see [Set up your AWS account for Amazon GameLift Servers FleetIQ](https://docs.aws.amazon.com/gameliftservers/latest/fleetiqguide/gsg-iam-permissions.html).
## Administration permission examples
These examples give a hosting administrator or developer targeted access to manage Amazon GameLift Servers game hosting resources.
**Example Syntax for Amazon GameLift Servers full access resource permissions**
The following example extends full access to all Amazon GameLift Servers resources.
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "gamelift:*",
"Resource": "*"
}
}
```
**Example Syntax for Amazon GameLift Servers resource permissions with support for Regions that aren't enabled by default**
The following example extends access to all Amazon GameLift Servers resources and AWS Regions that aren't enabled by default. For more information about Regions that aren't enabled by default and how to enable them, see [Managing AWS Regions](https://docs.aws.amazon.com/general/latest/gr/rande-manage.html) in the *AWS General Reference*.
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"ec2:DescribeRegions",
"gamelift:*"
],
"Resource": "*"
}
}
```
**Example Syntax for Amazon GameLift Servers resource to access container images in Amazon ECR**
The following example extends access to Amazon Elastic Container Registry (Amazon ECR) actions that Amazon GameLift Servers users need when working with managed container fleets.
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
],
"Resource": "*"
}
}
```
**Example Syntax for Amazon GameLift Servers resource and `PassRole` permissions**
The following example extends access to all Amazon GameLift Servers resources and allows a user to pass an IAM service role to Amazon GameLift Servers. A service role gives Amazon GameLift Servers limited ability to access other resources and services on your behalf, as is described in [Set up an IAM service role for Amazon GameLift Servers](setting-up-role.md). For example, when responding to a `CreateBuild` request, Amazon GameLift Servers needs access to your build files in an Amazon S3 bucket. For more information about the `PassRole` action, see [IAM: Pass an IAM role to a specific AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam-passrole-service.html) in the *IAM User Guide*.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "gamelift:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "gamelift.amazonaws.com"
}
}
}
]
}
```
## Player user permission examples
These examples allow a backend service or other entity to make API calls to the Amazon GameLift Servers API. They cover the common scenarios for managing game sessions, player sessions, and matchmaking. For more details, see [Set up programmatic access for your game](setting-up-aws-login.md#getting-started-iam-player-user).
**Example Syntax for game session placement permissions**
The following example extends access to the Amazon GameLift Servers APIs that use game session placement queues to create game sessions and manage player sessions.
****
```
{
"Version":"2012-10-17",
"Statement": {
"Sid": "PlayerPermissionsForGameSessionPlacements",
"Effect": "Allow",
"Action": [
"gamelift:StartGameSessionPlacement",
"gamelift:DescribeGameSessionPlacement",
"gamelift:StopGameSessionPlacement",
"gamelift:CreatePlayerSession",
"gamelift:CreatePlayerSessions",
"gamelift:DescribeGameSessions"
],
"Resource": "*"
}
}
```
**Example Syntax for matchmaking permissions**
The following example extends access to the Amazon GameLift Servers APIs that manage FlexMatch matchmaking activities. FlexMatch matches players for new or existing game sessions and initiates game session placement for games hosted on Amazon GameLift Servers. For more information about FlexMatch, see [What is Amazon GameLift Servers FlexMatch?](https://docs.aws.amazon.com/gameliftservers/latest/flexmatchguide/match-intro.html)
****
```
{
"Version":"2012-10-17",
"Statement": {
"Sid": "PlayerPermissionsForGameSessionMatchmaking",
"Effect": "Allow",
"Action": [
"gamelift:StartMatchmaking",
"gamelift:DescribeMatchmaking",
"gamelift:StopMatchmaking",
"gamelift:AcceptMatch",
"gamelift:StartMatchBackfill",
"gamelift:DescribeGameSessions"
],
"Resource": "*"
}
}
```
**Example Syntax for manual game session placement permissions**
The following example extends access to the Amazon GameLift Servers APIs that manually create game sessions and player sessions on specified fleets. This scenario supports games that don't use placement queues, such as games that let players join by choosing from a list of available game sessions (the "list-and-pick" method).
****
```
{
"Version":"2012-10-17",
"Statement": {
"Sid": "PlayerPermissionsForManualGameSessions",
"Effect": "Allow",
"Action": [
"gamelift:CreateGameSession",
"gamelift:DescribeGameSessions",
"gamelift:SearchGameSessions",
"gamelift:CreatePlayerSession",
"gamelift:CreatePlayerSessions",
"gamelift:DescribePlayerSessions"
],
"Resource": "*"
}
}
```
# Set up an IAM service role for Amazon GameLift Servers
Some Amazon GameLift Servers features require you to extend limited access to other AWS resources that you own. You can do this by creating an AWS Identity and Access Management (IAM) role. An [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user in that it is an AWS identity with permissions policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.
This topic covers how to create a role that you can use with your Amazon GameLift Servers managed fleets. If you use Amazon GameLift Servers FleetIQ to optimize game hosting on your Amazon Elastic Compute Cloud (Amazon EC2) instances, see [ Set up your AWS account for Amazon GameLift Servers FleetIQ](https://docs.aws.amazon.com/gameliftservers/latest/fleetiqguide/gsg-iam-permissions.html).
In the following procedure, create a role with a custom permissions policy and a trust policy that allows Amazon GameLift Servers to assume the role.
## Create an IAM service role for an Amazon GameLift Servers managed EC2 fleet
**Step 1: Create a permissions policy.**
Use the instructions and examples on this page to create a custom permissions policy for the type of Amazon GameLift Servers fleet you're working with.
**To use the JSON policy editor to create a policy**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane on the left, choose **Policies**.
If this is your first time choosing **Policies**, the **Welcome to Managed Policies** page appears. Choose **Get Started**.
1. At the top of the page, choose **Create policy**.
1. In the **Policy editor** section, choose the **JSON** option.
1. Enter or paste a JSON policy document. For details about the IAM policy language, see [IAM JSON policy reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html).
1. Resolve any security warnings, errors, or general warnings generated during [policy validation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_policy-validator.html), and then choose **Next**.
**Note**
You can switch between the **Visual** and **JSON** editor options anytime. However, if you make changes or choose **Next** in the **Visual** editor, IAM might restructure your policy to optimize it for the visual editor. For more information, see [Policy restructuring](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_policies.html#troubleshoot_viseditor-restructure) in the *IAM User Guide*.
1. (Optional) When you create or edit a policy in the AWS Management Console, you can generate a JSON or YAML policy template that you can use in CloudFormation templates.
To do this, in the **Policy editor** choose **Actions**, and then choose **Generate CloudFormation template**. To learn more about CloudFormation, see [AWS Identity and Access Management resource type reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_IAM.html) in the *AWS CloudFormation User Guide*.
1. When you are finished adding permissions to the policy, choose **Next**.
1. On the **Review and create** page, enter a **Policy name** and a **Description** (optional) for the policy that you are creating. Review **Permissions defined in this policy** to see the permissions that are granted by your policy.
1. (Optional) Add metadata to the policy by attaching tags as key-value pairs. For more information about using tags in IAM, see [Tags for AWS Identity and Access Management resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.
1. Choose **Create policy** to save your new policy.
**Step 2: Create a role that Amazon GameLift Servers can assume.**
**To create an IAM role**
1. In the navigation pane of the IAM console, choose **Roles**, and then choose **Create role**.
1. On the **Select trusted entity** page, choose the **Custom trust policy** option. This selection opens the **Custom trust policy** editor.
1. Replace the default JSON syntax with the following, and then choose **Next** to continue.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "gamelift.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
```
------
1. On the **Add permissions** page, locate and select the permissions policy that you created in Step 1. Choose **Next** to continue.
1. On the **Name, review and create** page, enter a **Role name** and a **Description** (optional) for the role that you are creating. Review the **Trust entities** and **Added permissions**.
1. Choose **Create role** to save your new role.
## Create an IAM role for Amazon GameLift Servers managed containers
If you're using Amazon GameLift Servers managed containers, you need to create an IAM service role for use with a container fleet. This role grants limited permissions that Amazon GameLift Servers needs to manage your container fleet resources and take actions on your behalf.
**To create an IAM role for a container fleet**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane of the IAM console, choose **Roles**, and then choose **Create role**.
1. On **Select trusted entity** page, choose **AWS service** and select the **Use case** "GameLift". Choose **Next**
1. On **Add permissions**, choose the managed policy `GameLiftContainerFleetPolicy`. Choose **Next**. See [AWS managed policies for Amazon GameLift Servers](security-iam-awsmanpol.md)for more information about this policy.
1. On **Name, review, and create**, enter a role name and choose **Create role** to save the new role.
## Permission policy syntax
+ **Permissions for Amazon GameLift Servers to assume the service role**
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "gamelift.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
```
------
+ **Permissions to access AWS Regions that aren't enabled by default**
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"gamelift.amazonaws.com",
"gamelift.ap-east-1.amazonaws.com",
"gamelift.me-south-1.amazonaws.com",
"gamelift.af-south-1.amazonaws.com",
"gamelift.eu-south-1.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
```
------