Access control

Overview

Game Servers uses Identity and Access Management (IAM) for access control.

In Game Servers, access control can be configured at the project, realm, cluster, deployment, or config level. For example, you can grant access to all clusters within a project to a group of developers.

For a detailed description of IAM and its features, see the IAM documentation. In particular, see the section on managing IAM policies.

Every Game Services API method requires the caller to have the necessary permissions. See Permissions and Roles for more information.

Permissions

This section summarizes the Game Servers permissions that IAM supports.

Required permissions

The following tables list the IAM permissions that are associated with Game Servers.

Realms method         Required permissions
realms.create         gameservices.realms.create on the parent Google Cloud project.
realms.delete         gameservices.realms.delete on the requested realm.
realms.get            gameservices.realms.get on the parent realm.
realms.list           gameservices.realms.list on the parent Google Cloud project.
realms.patch          gameservices.realms.update on the requested realm.
realms.previewUpdate  gameservices.realms.get on the requested realm.

Clusters method                          Required permissions
realms.gameServerClusters.create         gameservices.gameServerClusters.create on the parent realm.
realms.gameServerClusters.delete         gameservices.gameServerClusters.delete on the requested cluster.
realms.gameServerClusters.list           gameservices.gameServerClusters.list on the parent realm.
realms.gameServerClusters.get            gameservices.gameServerClusters.get on the requested cluster.
realms.gameServerClusters.patch          gameservices.gameServerClusters.update on the requested cluster.
realms.gameServerClusters.previewCreate  gameservices.gameServerClusters.get on the requested cluster.
realms.gameServerClusters.previewDelete  gameservices.gameServerClusters.get on the requested cluster.
realms.gameServerClusters.previewUpdate  gameservices.gameServerClusters.get on the requested cluster.

Deployment method                           Required permissions
gameServerDeployments.create                gameservices.gameServerDeployments.create on the parent Google Cloud project.
gameServerDeployments.delete                gameservices.gameServerDeployments.delete on the requested deployment.
gameServerDeployments.fetchDeploymentState  gameservices.gameServerDeployments.get on the requested deployment.
gameServerDeployments.get                   gameservices.gameServerDeployments.get on the requested deployment.
gameServerDeployments.getRollout            gameservices.gameServerDeployments.get on the requested deployment.
gameServerDeployments.list                  gameservices.gameServerDeployments.list on the parent Google Cloud project.
gameServerDeployments.patch                 gameservices.gameServerDeployments.update on the requested deployment.
gameServerDeployments.previewRollout        gameservices.gameServerDeployments.get on the requested deployment.
gameServerDeployments.updateRollout         gameservices.gameServerDeployments.rollout on the requested deployment.

Config method                         Required permissions
gameServerDeployments.configs.create  gameservices.gameServerConfigs.create on the parent deployment.
gameServerDeployments.configs.delete  gameservices.gameServerConfigs.delete on the requested config.
gameServerDeployments.configs.get     gameservices.gameServerConfigs.get on the requested config.
gameServerDeployments.configs.list    gameservices.gameServerConfigs.list on the parent deployment.

Roles

The following table lists the Game Servers IAM roles, including the permissions associated with each role:

Game Servers role Permissions
roles/gameservices.viewer
  • gameservices.realms.list
  • gameservices.realms.get
  • gameservices.gameServerClusters.list
  • gameservices.gameServerClusters.get
  • gameservices.gameServerDeployments.list
  • gameservices.gameServerDeployments.get
  • gameservices.gameServerConfigs.list
  • gameservices.gameServerConfigs.get
roles/gameservices.admin All roles/gameservices.viewer permissions, and:
  • gameservices.realms.create
  • gameservices.realms.delete
  • gameservices.realms.update
  • gameservices.gameServerClusters.create
  • gameservices.gameServerClusters.delete
  • gameservices.gameServerClusters.update
  • gameservices.gameServerDeployments.create
  • gameservices.gameServerDeployments.delete
  • gameservices.gameServerDeployments.update
  • gameservices.gameServerDeployments.rollout
  • gameservices.gameServerConfigs.create
  • gameservices.gameServerConfigs.delete

The roles roles/owner, roles/editor, and roles/viewer include permissions for other Google Cloud services as well. For more information about roles, see Understanding roles.

Custom roles

If the predefined IAM roles don't meet your needs, you can use IAM custom roles to define roles with permissions that you specify. When you create custom roles for Game Servers, make sure that you include both resourcemanager.projects.get and resourcemanager.projects.list so that the role has permission to query project resources. Otherwise, the Google Cloud console won't function correctly for Game Servers.
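
A least-privilege custom role built from the permissions listed above, as an added example that is not part of the Game Servers documentation. The role title, the role ID gameServersRolloutOperator, the ORGANIZATION_ID placeholder and the choice to create the role at the organization level are assumptions of this example.

```yaml
# role.yaml (added example, not from the Game Servers documentation)
#
# Hypothetical "rollout operator" role: the holder can read every Game Servers
# resource and change a deployment's rollout, but cannot create, delete or
# update realms, clusters, deployments or configs.
#
# Create it with gcloud (role ID and ORGANIZATION_ID are placeholders):
#   gcloud iam roles create gameServersRolloutOperator \
#       --organization=ORGANIZATION_ID --file=role.yaml
title: Game Servers Rollout Operator
description: Read access to Game Servers plus permission to update rollouts.
stage: GA
includedPermissions:
# Needed so the Google Cloud console can query project resources.
- resourcemanager.projects.get
- resourcemanager.projects.list
# Read-only permissions, the same set that roles/gameservices.viewer carries.
# The get permissions also cover the preview* methods, fetchDeploymentState
# and getRollout.
- gameservices.realms.list
- gameservices.realms.get
- gameservices.gameServerClusters.list
- gameservices.gameServerClusters.get
- gameservices.gameServerDeployments.list
- gameservices.gameServerDeployments.get
- gameservices.gameServerConfigs.list
- gameservices.gameServerConfigs.get
# The only write permission: required by gameServerDeployments.updateRollout.
- gameservices.gameServerDeployments.rollout
```

Compared with roles/gameservices.admin, this role omits every create, delete and update permission, so a compromised operator account can change which config is rolled out but cannot add or remove realms, clusters, deployments or configs.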