

# Set up your AWS account for Amazon GameLift Servers FleetIQ

To use Amazon GameLift Servers FleetIQ with Amazon EC2, Auto Scaling, and other AWS services, you must set up an AWS account with required access permissions. Complete the following tasks:
+ If you don't already have an AWS account to use with Amazon GameLift Servers FleetIQ, create a new one. See [Create an AWS account](gsg-iam-permissions-account.md).
+ Set Amazon GameLift Servers FleetIQ-specific permissions for users and user groups. See [Manage user permissions for Amazon GameLift Servers FleetIQ](gsg-iam-permissions-users.md).
+ Create IAM roles to allow Amazon GameLift Servers and your Amazon EC2 resources to interact. See [Create IAM roles for cross-service interaction](gsg-iam-permissions-roles.md).

# Create an AWS account


Create and set up an AWS account to use with Amazon GameLift Servers FleetIQ. There's no charge to create an AWS account. 

**Topics**
+ [Sign up for an AWS account](#sign-up-for-aws)
+ [Create a user with administrative access](#create-an-admin)

## Sign up for an AWS account


If you do not have an AWS account, complete the following steps to create one.

**To sign up for an AWS account**

1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).

1. Follow the online instructions.

   Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.

   When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks).

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [https://aws.amazon.com/](https://aws.amazon.com/) and choosing **My Account**.

## Create a user with administrative access


After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

**Secure your AWS account root user**

1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.

   For help signing in by using root user, see [Signing in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html#introduction-to-root-user-sign-in-tutorial) in the *AWS Sign-In User Guide*.

1. Turn on multi-factor authentication (MFA) for your root user.

   For instructions, see [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in the *IAM User Guide*.

**Create a user with administrative access**

1. Enable IAM Identity Center.

   For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/get-set-up-for-idc.html) in the *AWS IAM Identity Center User Guide*.

1. In IAM Identity Center, grant administrative access to a user.

   For a tutorial about using the IAM Identity Center directory as your identity source, see [Configure user access with the default IAM Identity Center directory](https://docs.aws.amazon.com/singlesignon/latest/userguide/quick-start-default-idc.html) in the *AWS IAM Identity Center User Guide*.

**Sign in as the user with administrative access**
+ To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

  For help signing in using an IAM Identity Center user, see [Signing in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

**Assign access to additional users**

1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.

   For instructions, see [Create a permission set](https://docs.aws.amazon.com/singlesignon/latest/userguide/get-started-create-a-permission-set.html) in the *AWS IAM Identity Center User Guide*.

1. Assign users to a group, and then assign single sign-on access to the group.

   For instructions, see [Add groups](https://docs.aws.amazon.com/singlesignon/latest/userguide/addgroups.html) in the *AWS IAM Identity Center User Guide*.

# Manage user permissions for Amazon GameLift Servers FleetIQ


Create additional users or extend Amazon GameLift Servers FleetIQ access permissions to existing users as needed. Users who work with Amazon GameLift Servers FleetIQ game server groups and the related Amazon EC2 and Auto Scaling services must have permissions to access these services.

As a best practice ([Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)), apply least-privilege permissions for all users. You can set permissions for individual users or user groups and limit user access by service, action, or resource.

Use the following instructions to set user permissions based on how you manage the users in your AWS account. If you use IAM users, as a best practice always attach permissions to roles or user groups, not to individual users.
+ [Permissions syntax for users](gsg-iam-permissions-users-policy.md)
+ [Additional permissions syntax for use with CloudFormation](gsg-iam-permissions-users-policycfn.md)

To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

# Reference: Amazon GameLift Servers FleetIQ policy


The following is an example of the Amazon GameLift Servers FleetIQ permissions policy for your reference. Note how the two IAM grants are scoped: `iam:PassRole` is limited by the `iam:PassedToService` condition to `gamelift.amazonaws.com`, and `iam:CreateServiceLinkedRole` is limited to the Auto Scaling service-linked role ARN.


```
{
  "Version": "2012-10-17",
  "Statement": 
  [    
    {
      "Action": 
      [
        "iam:PassRole"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": 
      {
        "StringEquals": 
        {
          "iam:PassedToService": "gamelift.amazonaws.com"
        }
      }
    },    
    {
      "Action": 
      [
        "iam:CreateServiceLinkedRole"
      ],
      "Effect": "Allow",
      "Resource": "arn:*:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
    },    
    {
      "Action": 
      [
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:CreateOrUpdateTags",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:ExitStandby",
        "autoscaling:PutLifecycleHook",
        "autoscaling:PutScalingPolicy",
        "autoscaling:ResumeProcesses",
        "autoscaling:SetInstanceProtection",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:DeleteAutoScalingGroup"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },    
    {
      "Action": 
      [
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeSubnets",
        "ec2:RunInstances",
        "ec2:CreateTags"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },    
    {
      "Action": 
      [
        "events:PutRule",
        "events:PutTargets"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```
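The scoping of the two IAM statements above is what keeps this policy from becoming a general `iam:PassRole` grant. The following linter, an added example that is not code from the AWS documentation or the GameLift project, parses a permissions policy and reports any `Allow` statement that grants `iam:PassRole` on `Resource: "*"` without an `iam:PassedToService` condition naming only `gamelift.amazonaws.com`, or that grants `iam:CreateServiceLinkedRole` on anything other than a service-linked role ARN. The two sample policies in the block are constructed: one reproduces the IAM statements from the reference policy, the other shows the same grants with the scoping dropped.

```python
"""Lint the IAM grants of a FleetIQ-style permissions policy.

Added example, not code from the AWS documentation or the GameLift project.
Both sample policies below are constructed for the demonstration.
"""
import json
import sys

GAMELIFT_SERVICE = "gamelift.amazonaws.com"

# Constructed sample: the two IAM statements of the reference policy, as written.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["iam:PassRole"],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {"StringEquals": {"iam:PassedToService": "gamelift.amazonaws.com"}},
        },
        {
            "Action": ["iam:CreateServiceLinkedRole"],
            "Effect": "Allow",
            "Resource": "arn:*:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
        },
    ],
}

# Constructed sample: the same grants with the scoping removed.
WIDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "iam:PassRole", "Effect": "Allow", "Resource": "*"},
        {"Action": "iam:CreateServiceLinkedRole", "Effect": "Allow", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows Action, Resource and condition values to be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _passed_to_services(statement):
    """Services named in a StringEquals iam:PassedToService condition (lower-cased)."""
    condition = statement.get("Condition") or {}
    for operator, keys in condition.items():
        # IAM matches condition operators and keys case-insensitively.
        if operator.lower() != "stringequals":
            continue
        for key, value in keys.items():
            if key.lower() == "iam:passedtoservice":
                return {v.lower() for v in _as_list(value)}
    return set()


def lint_iam_grants(policy):
    """Return a list of findings; an empty list means both IAM grants are scoped."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        resources = _as_list(stmt.get("Resource"))

        # iam:PassRole on every role must be tied to the service that receives the role.
        if actions & {"iam:passrole", "iam:*", "*"} and "*" in resources:
            services = _passed_to_services(stmt)
            if not services:
                findings.append(
                    f"statement {idx}: iam:PassRole on Resource * with no "
                    "iam:PassedToService condition (any role can be passed to any service)"
                )
            elif services != {GAMELIFT_SERVICE}:
                findings.append(
                    f"statement {idx}: iam:PassedToService allows {sorted(services)}, "
                    f"expected only {GAMELIFT_SERVICE}"
                )

        # iam:CreateServiceLinkedRole should name the specific service-linked role.
        if actions & {"iam:createservicelinkedrole", "iam:*", "*"}:
            if "*" in resources or any(":role/aws-service-role/" not in r for r in resources):
                findings.append(
                    f"statement {idx}: iam:CreateServiceLinkedRole is not limited to a "
                    "service-linked role ARN"
                )
    return findings


if __name__ == "__main__":
    # Lint a policy file given on the command line, or the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            policies = {sys.argv[1]: json.load(fh)}
    else:
        policies = {"SCOPED_POLICY": SCOPED_POLICY, "WIDENED_POLICY": WIDENED_POLICY}
    for name, policy in policies.items():
        print(name, lint_iam_grants(policy) or "no findings")
```

Run it against a saved copy of the policy you intend to attach; a non-empty result means a statement has been widened beyond the reference policy and should be reviewed before it is attached to a user, group, or role.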


# Additional permissions for CloudFormation


If you use CloudFormation to manage your game hosting resources, add the following statement to the `Statement` array of the policy syntax.

```
    {
      "Action": [
        "autoscaling:DescribeLifecycleHooks",
        "autoscaling:DescribeNotificationConfigurations",
        "ec2:DescribeLaunchTemplateVersions"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
```

# Set up programmatic access for users


Users need programmatic access if they want to interact with AWS outside of the AWS Management Console. The way to grant programmatic access depends on the type of user that's accessing AWS.

To grant users programmatic access, choose one of the following options.


| Which user needs programmatic access? | To | By |
| --- | --- | --- |
| IAM | (Recommended) Use console credentials as temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions for the interface that you want to use. |
| Workforce identity (users managed in IAM Identity Center) | Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions for the interface that you want to use. |
| IAM | Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions in [Using temporary credentials with AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) in the *IAM User Guide*. |
| IAM | (Not recommended) Use long-term credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions for the interface that you want to use. |

If you use access keys, see [Best practices for managing AWS access keys](https://docs.aws.amazon.com/accounts/latest/reference/credentials-access-keys-best-practices.html).

# Create IAM roles for cross-service interaction


In order for Amazon GameLift Servers FleetIQ to work with your Amazon EC2 instances and Auto Scaling groups, you must allow the services to interact with each other. This is done by creating IAM roles in your AWS account and assigning each a limited set of permissions. Each role's trust policy also specifies which services can assume the role.

Set up the following roles: 
+ [Create a role for Amazon GameLift Servers FleetIQ](gsg-iam-permissions-roles-gamelift.md) to update your Amazon EC2 resources.
+ [Create a role for Amazon EC2](gsg-iam-permissions-roles-ec2.md) resources to communicate with Amazon GameLift Servers FleetIQ.

# Create a role for Amazon GameLift Servers FleetIQ


This role allows Amazon GameLift Servers FleetIQ to access and modify your Amazon EC2 instances, Auto Scaling groups, and lifecycle hooks as part of its Spot balancing and automatic scaling activities.

Use the IAM console or the AWS CLI to create a role for Amazon GameLift Servers FleetIQ and attach a managed policy with the necessary permissions. For more information on IAM roles and managed policies, see [Creating a Role for an AWS Service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html#roles-creatingrole-service-console) and [AWS Managed Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies).

------
#### [ Console ]

These steps describe how to create a service role with a managed policy for Amazon GameLift Servers using the AWS Management Console. 

1. Open the [IAM console](https://console.aws.amazon.com/iam) and choose **Roles: Create role**. 

1. For **Select type of trusted entity**, choose **AWS service**. 

1. For **Choose a use case**, choose **GameLift** from the list of services. Under **Select your use case**, the appropriate Amazon GameLift Servers use case is automatically selected. To continue, choose **Next: Permissions**.

1. The list **Attached permissions policies** should contain one policy: **GameLiftGameServerGroupPolicy**. If this policy is not shown, check the filters or use the search feature to add it to the role. You can view a policy's syntax (choose the ▶ icon to expand), but you cannot change the syntax. When the role is created, you can update the role and attach additional policies to add or remove permissions.

   For **Set permissions boundary**, keep the default setting (Create role without a permissions boundary). This is an advanced setting that is not required. To continue, choose **Next: Tags**.

1. **Add tags** is an optional setting for resource management. For example, you might want to add tags to this role to track project-specific resource usage by role. To see more information on tagging for IAM roles and other uses, follow the **Learn more** link. To continue, choose **Next: Review**.

1. On the **Review** page, make the following changes as needed: 
   + Enter a role name and optionally update the description. 
   + Verify the following: 
     + **Trusted entities** is set to "AWS service: gamelift.amazonaws.com". This value must be updated once the role has been created.
     + **Policies** includes GameLiftGameServerGroupPolicy.

   To complete the task, choose **Create role**.

1. Once the new role has been created, you must manually update the role's trust relationship. Go to the **Roles** page and choose the new role name to open its summary page. Open the **Trust relationships** tab and choose **Edit trust relationship**. In the policy document, update the `Service` property to include `autoscaling.amazonaws.com`. The revised `Service` property should look like this: 

   ```
   "Service": [
     "gamelift.amazonaws.com",
     "autoscaling.amazonaws.com"
   ]
   ```

   To save your change, choose **Update Trust Policy**. 

The role is now ready. Take note of the role's ARN value, which is displayed at the top of the role's summary page. You will need this information when setting up Amazon GameLift Servers FleetIQ game server groups. 
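The trust relationship is the one part of this role the console does not get right on its own, and a role that trusts only `gamelift.amazonaws.com` fails silently later, when Auto Scaling cannot assume it. The following helper is an added example, not code from the AWS documentation or the GameLift project: it reads a trust policy document (the one the console created, or the `FleetIQtrustpolicyGameLift.json` file used in the AWS CLI tab), reports which of the two required service principals are missing, and produces the corrected document without touching anything else in it. The sample trust policy in the block is constructed to look like what the console creates before the manual edit.

```python
"""Check and repair the trust relationship of the FleetIQ service role.

Added example, not code from the AWS documentation or the GameLift project.
The CONSOLE_TRUST_POLICY sample is constructed.
"""
import copy
import json
import sys

REQUIRED_SERVICES = ("gamelift.amazonaws.com", "autoscaling.amazonaws.com")

# Constructed sample: the trust relationship as created for the GameLift use case,
# before autoscaling.amazonaws.com has been added.
CONSOLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "gamelift.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value):
    """Trust policies may write Action, Principal.Service and Statement as string or list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _assume_role_statements(trust_policy):
    """Yield the Allow statements that grant sts:AssumeRole."""
    for stmt in _as_list(trust_policy.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") == "Allow" and actions & {"sts:assumerole", "sts:*", "*"}:
            yield stmt


def trusted_services(trust_policy):
    """Set of AWS service principals allowed to assume the role."""
    services = set()
    for stmt in _assume_role_statements(trust_policy):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            services.update(_as_list(principal.get("Service")))
    return services


def trusts_wildcard_principal(trust_policy):
    """True if any AssumeRole statement trusts "*" (any principal), which a service role never needs."""
    for stmt in _assume_role_statements(trust_policy):
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            return True
    return False


def missing_services(trust_policy, required=REQUIRED_SERVICES):
    """Required service principals that the trust policy does not yet allow."""
    return sorted(set(required) - trusted_services(trust_policy))


def with_required_services(trust_policy, required=REQUIRED_SERVICES):
    """Return a copy with the required services merged into the first service-principal
    AssumeRole statement; idempotent, and the input document is left unchanged."""
    policy = copy.deepcopy(trust_policy)
    policy["Statement"] = _as_list(policy.get("Statement"))
    for stmt in _assume_role_statements(policy):
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and "Service" in principal:
            services = _as_list(principal["Service"])
            for svc in required:
                if svc not in services:
                    services.append(svc)
            principal["Service"] = services
            return policy
    # No service-principal statement at all: add one rather than editing something else.
    policy["Statement"].append(
        {"Effect": "Allow", "Principal": {"Service": list(required)}, "Action": "sts:AssumeRole"}
    )
    return policy


if __name__ == "__main__":
    # Read a trust policy file if given, otherwise use the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            current = json.load(fh)
    else:
        current = CONSOLE_TRUST_POLICY
    print("missing:", missing_services(current) or "none")
    print("wildcard principal:", trusts_wildcard_principal(current))
    print(json.dumps(with_required_services(current), indent=2))
```

The printed document is the value to paste into the **Edit trust relationship** editor, or to save and pass to `aws iam update-assume-role-policy --policy-document file://...`; running the script again on the result reports nothing missing, which is the check to make before creating the game server group.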

------
#### [ AWS CLI ]

These steps describe how to create a service role with a managed policy for Amazon GameLift Servers using the AWS CLI. 

1. Create a trust policy file (example: `FleetIQtrustpolicyGameLift.json`) with the following JSON syntax.

   ```
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "Service": [
             "gamelift.amazonaws.com",
             "autoscaling.amazonaws.com"
           ]
         },
         "Action": "sts:AssumeRole"
       }
     ]
   }
   ```

1. Create a new IAM role with [iam create-role](https://docs.aws.amazon.com/cli/latest/reference/iam/create-role.html) and associate it with the trust policy JSON file that you just created.

   Windows: 

   ```
   aws iam create-role --role-name FleetIQ-role-for-GameLift --assume-role-policy-document file://C:\policies\FleetIQtrustpolicyGameLift.json
   ```

   Linux: 

   ```
   aws iam create-role --role-name FleetIQ-role-for-GameLift --assume-role-policy-document file://policies/FleetIQtrustpolicyGameLift.json
   ```

   When the request is successful, the response includes the properties of the newly created role. Take note of the ARN value. You will need this information when setting up Amazon GameLift Servers FleetIQ game server groups.

1. Use [iam attach-role-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/attach-role-policy.html) to attach the managed permissions policy "GameLiftGameServerGroupPolicy". 

   ```
   aws iam attach-role-policy --role-name FleetIQ-role-for-GameLift --policy-arn arn:aws:iam::aws:policy/GameLiftGameServerGroupPolicy
   ```

   To verify that the permissions policy is attached, call [iam list-attached-role-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-attached-role-policies.html) with the new role's name.

The role is now ready. You can verify that the IAM role is configured correctly by calling [gamelift create-game-server-group](https://docs.aws.amazon.com/cli/latest/reference/gamelift/create-game-server-group.html) with the `role-arn` property set to the new role's ARN value. When the `GameServerGroup` enters ACTIVE state, this indicates that Amazon GameLift Servers FleetIQ is able to modify Amazon EC2 and Auto Scaling resources in your account, as expected.

------

# Create a role for Amazon EC2


This role enables your Amazon EC2 resources to communicate with Amazon GameLift Servers FleetIQ. For example, your game servers, which are running on Amazon EC2 instances, need to be able to report health status. Include this role in an IAM instance profile with your Amazon EC2 launch template when creating an Amazon GameLift Servers FleetIQ game server group.

Use the AWS CLI to create a role for Amazon EC2, attach a custom policy with the necessary permissions, and attach the role to an instance profile. For more information, see [Creating a Role for an AWS Service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html#roles-creatingrole-service-console).

------
#### [ AWS CLI ]

These steps describe how to create a service role with custom Amazon GameLift Servers permissions for Amazon EC2 using the AWS CLI. 

1. Create a trust policy file (example: `FleetIQtrustpolicyEC2.json`) with the following JSON syntax.

   ```
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "Service": "ec2.amazonaws.com"
         },
         "Action": "sts:AssumeRole"
       }
     ]
   }
   ```

1. Create a new IAM role with [iam create-role](https://docs.aws.amazon.com/cli/latest/reference/iam/create-role.html) and associate it with the trust policy JSON file that you just created.

   Windows: 

   ```
   aws iam create-role --role-name FleetIQ-role-for-EC2 --assume-role-policy-document file://C:\policies\FleetIQtrustpolicyEC2.json
   ```

   Linux: 

   ```
   aws iam create-role --role-name FleetIQ-role-for-EC2 --assume-role-policy-document file://policies/FleetIQtrustpolicyEC2.json
   ```

   When the request is successful, the response includes the properties of the newly created role. Take note of the ARN value. You will need this information when setting up your Amazon EC2 launch template.

1. Create a permissions policy file (example: `FleetIQpermissionsEC2.json`) with the following JSON syntax.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": "gamelift:*",
               "Resource": "*"
           }
       ]
   }
   ```

1. Use [iam put-role-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/put-role-policy.html) to attach the permissions policy JSON file, which you just created, to the new role. 

   Windows: 

   ```
   aws iam put-role-policy --role-name FleetIQ-role-for-EC2 --policy-name FleetIQ-permissions-for-EC2 --policy-document file://C:\policies\FleetIQpermissionsEC2.json
   ```

   Linux: 

   ```
   aws iam put-role-policy --role-name FleetIQ-role-for-EC2 --policy-name FleetIQ-permissions-for-EC2 --policy-document file://policies/FleetIQpermissionsEC2.json
   ```

   To verify that the permissions policy is attached, call [iam list-role-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-role-policies.html) with the new role's name.

1. Create an instance profile with [iam create-instance-profile](https://docs.aws.amazon.com/cli/latest/reference/iam/create-instance-profile.html) for use with Amazon EC2. For more information, see [Managing Instance Profiles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html).

   ```
   aws iam create-instance-profile --instance-profile-name FleetIQ-role-for-EC2
   ```

   When the request is successful, the response includes the properties of the newly created instance profile.

1. Use [iam add-role-to-instance-profile](https://docs.aws.amazon.com/cli/latest/reference/iam/add-role-to-instance-profile.html) to attach the role to the instance profile.

   ```
   aws iam add-role-to-instance-profile --role-name FleetIQ-role-for-EC2 --instance-profile-name FleetIQ-role-for-EC2
   ```

The role and instance profile are now ready to be used with an Amazon EC2 launch template.

------