Actions, resources, and condition keys for Amazon GameLift
Amazon GameLift (service prefix: gamelift) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
- Learn how to configure this service.
- View a list of the API operations available for this service.
- Learn how to secure this service and its resources by using IAM permission policies.
Actions defined by Amazon GameLift
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
---|---|---|---|---|---|
AcceptMatch | Grants permission to register player acceptance or rejection of a proposed FlexMatch match | Write | |||
ClaimGameServer | Grants permission to locate and reserve a game server to host a new game session | Write | |||
CreateAlias | Grants permission to define a new alias for a fleet | Write | | | gamelift:TagResource |
CreateBuild | Grants permission to create a new game build using files stored in an Amazon S3 bucket | Write | | | gamelift:TagResource, iam:PassRole, s3:GetObject |
CreateContainerFleet | Grants permission to create a new container fleet of computing resources to run your game servers | Write | | | ec2:DescribeAvailabilityZones, ec2:DescribeRegions, gamelift:TagResource, iam:PassRole |
CreateContainerGroupDefinition | Grants permission to create a new container group definition using images stored in an Amazon ECR repository | Write | | | ecr:BatchGetImage, ecr:DescribeImages, ecr:GetAuthorizationToken, ecr:GetDownloadUrlForLayer, gamelift:TagResource |
CreateFleet | Grants permission to create a new fleet of computing resources to run your game servers | Write | | | ec2:DescribeAvailabilityZones, ec2:DescribeRegions, gamelift:TagResource, iam:PassRole |
CreateFleetLocations | Grants permission to specify additional locations for a fleet | Write | | | ec2:DescribeAvailabilityZones, ec2:DescribeRegions |
CreateGameServerGroup | Grants permission to create a new game server group, set up a corresponding Auto Scaling group, and launch instances to host game servers | Write | | | autoscaling:CreateAutoScalingGroup, autoscaling:DescribeAutoScalingGroups, autoscaling:PutLifecycleHook, autoscaling:PutScalingPolicy, ec2:DescribeAvailabilityZones, ec2:DescribeSubnets, events:PutRule, events:PutTargets, gamelift:TagResource, iam:PassRole |
CreateGameSession | Grants permission to start a new game session on a specified fleet | Write | |||
CreateGameSessionQueue | Grants permission to set up a new queue for processing game session placement requests | Write | | | gamelift:TagResource |
CreateLocation | Grants permission to define a new location for a fleet | Write | | | gamelift:TagResource |
CreateMatchmakingConfiguration | Grants permission to create a new FlexMatch matchmaker | Write | | | gamelift:TagResource |
CreateMatchmakingRuleSet | Grants permission to create a new matchmaking rule set for FlexMatch | Write | | | gamelift:TagResource |
CreatePlayerSession | Grants permission to reserve an available game session slot for a player | Write | |||
CreatePlayerSessions | Grants permission to reserve available game session slots for multiple players | Write | |||
CreateScript | Grants permission to create a new Realtime Servers script | Write | | | gamelift:TagResource, iam:PassRole, s3:GetObject |
CreateVpcPeeringAuthorization | Grants permission to allow GameLift to create or delete a peering connection between a GameLift fleet VPC and a VPC on another AWS account | Write | | | ec2:AcceptVpcPeeringConnection, ec2:AuthorizeSecurityGroupEgress, ec2:AuthorizeSecurityGroupIngress, ec2:CreateRoute, ec2:DeleteRoute, ec2:DescribeRouteTables, ec2:DescribeSecurityGroups, ec2:RevokeSecurityGroupEgress, ec2:RevokeSecurityGroupIngress |
CreateVpcPeeringConnection | Grants permission to establish a peering connection between your GameLift fleet VPC and a VPC on another account | Write | |||
DeleteAlias | Grants permission to delete an alias | Write | |||
DeleteBuild | Grants permission to delete a game build | Write | |||
DeleteContainerFleet | Grants permission to delete a container fleet | Write | |||
DeleteContainerGroupDefinition | Grants permission to delete a container group definition | Write | |||
DeleteFleet | Grants permission to delete an empty fleet | Write | |||
DeleteFleetLocations | Grants permission to delete locations for a fleet | Write | |||
DeleteGameServerGroup | Grants permission to permanently delete a game server group and terminate FleetIQ activity for the corresponding Auto Scaling group | Write | | | autoscaling:DeleteAutoScalingGroup, autoscaling:DescribeAutoScalingGroups, autoscaling:ExitStandby, autoscaling:ResumeProcesses, autoscaling:SetInstanceProtection, autoscaling:UpdateAutoScalingGroup |
DeleteGameSessionQueue | Grants permission to delete an existing game session queue | Write | |||
DeleteLocation | Grants permission to delete a location | Write | |||
DeleteMatchmakingConfiguration | Grants permission to delete an existing FlexMatch matchmaker | Write | |||
DeleteMatchmakingRuleSet | Grants permission to delete an existing FlexMatch matchmaking rule set | Write | |||
DeleteScalingPolicy | Grants permission to delete a set of auto-scaling rules | Write | |||
DeleteScript | Grants permission to delete a Realtime Servers script | Write | |||
DeleteVpcPeeringAuthorization | Grants permission to cancel a VPC peering authorization | Write | |||
DeleteVpcPeeringConnection | Grants permission to remove a peering connection between VPCs | Write | |||
DeregisterCompute | Grants permission to deregister a compute against a fleet | Write | |||
DeregisterGameServer | Grants permission to remove a game server from a game server group | Write | |||
DescribeAlias | Grants permission to retrieve properties for an alias | Read | |||
DescribeBuild | Grants permission to retrieve properties for a game build | Read | |||
DescribeCompute | Grants permission to retrieve information for a compute in a fleet | Read | |||
DescribeContainerFleet | Grants permission to retrieve the properties of an existing container fleet | Read | |||
DescribeContainerGroupDefinition | Grants permission to retrieve the properties of an existing container group definition | Read | |||
DescribeEC2InstanceLimits | Grants permission to retrieve the maximum allowed and current usage for EC2 instance types | Read | |||
DescribeFleetAttributes | Grants permission to retrieve general properties, including status, for fleets | Read | |||
DescribeFleetCapacity | Grants permission to retrieve the current capacity settings for managed fleets | Read | |||
DescribeFleetDeployment | Grants permission to retrieve the properties of an existing fleet deployment | Read | |||
DescribeFleetEvents | Grants permission to retrieve entries from a fleet's event log | Read | |||
DescribeFleetLocationAttributes | Grants permission to retrieve general properties, including statuses, for a fleet's locations | Read | |||
DescribeFleetLocationCapacity | Grants permission to retrieve the current capacity setting for a fleet's location | Read | |||
DescribeFleetLocationUtilization | Grants permission to retrieve utilization statistics for a fleet's location | Read | |||
DescribeFleetPortSettings | Grants permission to retrieve the inbound connection permissions for a fleet | Read | |||
DescribeFleetUtilization | Grants permission to retrieve utilization statistics for fleets | Read | |||
DescribeGameServer | Grants permission to retrieve properties for a game server | Read | |||
DescribeGameServerGroup | Grants permission to retrieve properties for a game server group | Read | |||
DescribeGameServerInstances | Grants permission to retrieve the status of EC2 instances in a game server group | Read | |||
DescribeGameSessionDetails | Grants permission to retrieve properties for game sessions in a fleet, including the protection policy | Read | |||
DescribeGameSessionPlacement | Grants permission to retrieve details of a game session placement request | Read | |||
DescribeGameSessionQueues | Grants permission to retrieve properties for game session queues | Read | |||
DescribeGameSessions | Grants permission to retrieve properties for game sessions in a fleet | Read | |||
DescribeInstances | Grants permission to retrieve information about instances in a managed fleet | Read | |||
DescribeMatchmaking | Grants permission to retrieve details of matchmaking tickets | Read | |||
DescribeMatchmakingConfigurations | Grants permission to retrieve properties for FlexMatch matchmakers | Read | |||
DescribeMatchmakingRuleSets | Grants permission to retrieve properties for FlexMatch matchmaking rule sets | Read | |||
DescribePlayerSessions | Grants permission to retrieve properties for player sessions in a game session | Read | |||
DescribeRuntimeConfiguration | Grants permission to retrieve the current runtime configuration for a fleet | Read | |||
DescribeScalingPolicies | Grants permission to retrieve all scaling policies that are applied to a fleet | Read | |||
DescribeScript | Grants permission to retrieve properties for a Realtime Servers script | Read | |||
DescribeVpcPeeringAuthorizations | Grants permission to retrieve valid VPC peering authorizations | Read | |||
DescribeVpcPeeringConnections | Grants permission to retrieve details on active or pending VPC peering connections | Read | |||
GetComputeAccess | Grants permission to retrieve credentials to remotely access a compute in a managed fleet | Read | |||
GetComputeAuthToken | Grants permission to retrieve an authentication token that allows processes on a compute to send requests to the Amazon GameLift service | Read | |||
GetGameSessionLogUrl | Grants permission to retrieve the location of stored logs for a game session | Read | |||
GetInstanceAccess | Grants permission to request remote access to a specified fleet instance | Read | |||
ListAliases | Grants permission to retrieve all aliases that are defined in the current Region | List | |||
ListBuilds | Grants permission to retrieve all game builds in the current Region | List | |||
ListCompute | Grants permission to retrieve all compute resources in the current Region | List | |||
ListContainerFleets | Grants permission to retrieve the properties of all existing container fleets in the current Region | List | |||
ListContainerGroupDefinitionVersions | Grants permission to retrieve the properties of all versions of an existing container group definition | List | |||
ListContainerGroupDefinitions | Grants permission to retrieve the properties of all existing container group definitions in the current Region | List | |||
ListFleetDeployments | Grants permission to retrieve the properties of all existing fleet deployments in the current Region | List | |||
ListFleets | Grants permission to retrieve a list of fleet IDs for all fleets in the current Region | List | |||
ListGameServerGroups | Grants permission to retrieve all game server groups that are defined in the current Region | List | |||
ListGameServers | Grants permission to retrieve all game servers that are currently running in a game server group | List | |||
ListLocations | Grants permission to retrieve all locations in this account | List | |||
ListScripts | Grants permission to retrieve properties for all Realtime Servers scripts in the current Region | List | |||
ListTagsForResource | Grants permission to retrieve tags for GameLift resources | Read | |||
PutScalingPolicy | Grants permission to create or update a fleet auto-scaling policy | Write | |||
RegisterCompute | Grants permission to register a compute against a fleet | Write | |||
RegisterGameServer | Grants permission to notify GameLift FleetIQ when a new game server is ready to host gameplay | Write | |||
RequestUploadCredentials | Grants permission to retrieve fresh upload credentials to use when uploading a new game build | Read | |||
ResolveAlias | Grants permission to retrieve the fleet ID associated with an alias | Read | |||
ResumeGameServerGroup | Grants permission to reinstate suspended FleetIQ activity for a game server group | Write | |||
SearchGameSessions | Grants permission to retrieve game sessions that match a set of search criteria | Read | |||
StartFleetActions | Grants permission to resume auto-scaling activity on a fleet after it was suspended with StopFleetActions() | Write | |||
StartGameSessionPlacement | Grants permission to send a game session placement request to a game session queue | Write | |||
StartMatchBackfill | Grants permission to request FlexMatch matchmaking to fill available player slots in an existing game session | Write | |||
StartMatchmaking | Grants permission to request FlexMatch matchmaking for one or a group of players and initiate game session placement | Write | |||
StopFleetActions | Grants permission to suspend auto-scaling activity on a fleet | Write | |||
StopGameSessionPlacement | Grants permission to cancel a game session placement request that is in progress | Write | |||
StopMatchmaking | Grants permission to cancel a matchmaking or match backfill request that is in progress | Write | |||
SuspendGameServerGroup | Grants permission to temporarily stop FleetIQ activity for a game server group | Write | |||
TagResource | Grants permission to tag GameLift resources | Tagging | |||
UntagResource | Grants permission to untag GameLift resources | Tagging | |||
UpdateAlias | Grants permission to update the properties of an existing alias | Write | |||
UpdateBuild | Grants permission to update an existing build's metadata | Write | |||
UpdateContainerFleet | Grants permission to update an existing container fleet | Write | |||
UpdateContainerGroupDefinition | Grants permission to update the properties of an existing container group definition | Write | | | ecr:BatchGetImage, ecr:DescribeImages, ecr:GetAuthorizationToken, ecr:GetDownloadUrlForLayer |
UpdateFleetAttributes | Grants permission to update the general properties of an existing fleet | Write | |||
UpdateFleetCapacity | Grants permission to adjust a managed fleet's capacity settings | Write | |||
UpdateFleetPortSettings | Grants permission to adjust a fleet's port settings | Write | |||
UpdateGameServer | Grants permission to change game server properties, health status, or utilization status | Write | |||
UpdateGameServerGroup | Grants permission to update properties for a game server group, including allowed instance types | Write | | | iam:PassRole |
UpdateGameSession | Grants permission to update the properties of an existing game session | Write | |||
UpdateGameSessionQueue | Grants permission to update properties of an existing game session queue | Write | |||
UpdateMatchmakingConfiguration | Grants permission to update properties of an existing FlexMatch matchmaking configuration | Write | |||
UpdateRuntimeConfiguration | Grants permission to update how server processes are configured on instances in an existing fleet | Write | |||
UpdateScript | Grants permission to update the metadata and content of an existing Realtime Servers script | Write | | | iam:PassRole, s3:GetObject |
ValidateMatchmakingRuleSet | Grants permission to validate the syntax of a FlexMatch matchmaking rule set | Read | |||
Resource types defined by Amazon GameLift
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.
Resource types | ARN | Condition keys |
---|---|---|
alias | arn:${Partition}:gamelift:${Region}::alias/${AliasId} | |
build | arn:${Partition}:gamelift:${Region}:${Account}:build/${BuildId} | |
containerGroupDefinition | arn:${Partition}:gamelift:${Region}:${Account}:containergroupdefinition/${Name} | |
containerFleet | arn:${Partition}:gamelift:${Region}:${Account}:containerfleet/${FleetId} | |
fleet | arn:${Partition}:gamelift:${Region}:${Account}:fleet/${FleetId} | |
gameServerGroup | arn:${Partition}:gamelift:${Region}:${Account}:gameservergroup/${GameServerGroupName} | |
gameSessionQueue | arn:${Partition}:gamelift:${Region}:${Account}:gamesessionqueue/${GameSessionQueueName} | |
location | arn:${Partition}:gamelift:${Region}:${Account}:location/${LocationId} | |
matchmakingConfiguration | arn:${Partition}:gamelift:${Region}:${Account}:matchmakingconfiguration/${MatchmakingConfigurationName} | |
matchmakingRuleSet | arn:${Partition}:gamelift:${Region}:${Account}:matchmakingruleset/${MatchmakingRuleSetName} | |
script | arn:${Partition}:gamelift:${Region}:${Account}:script/${ScriptId} | |
Condition keys for Amazon GameLift
Amazon GameLift defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
Condition keys | Description | Type |
---|---|---|
aws:RequestTag/${TagKey} | Filters access by the tags that are passed in the request | String |
aws:ResourceTag/${TagKey} | Filters access by the tags associated with the resource | String |
aws:TagKeys | Filters access by the tag keys that are passed in the request | ArrayOfString |