Bucket permissions

Amazon S3

GameAnalytics export requires permission to perform the s3:PutObject and s3:PutObjectAcl actions on the bucket where the data is to be stored. The export runs under the arn:aws:iam::118928031713:role/live-export-job-batch-copy-role role, which can be granted the required permissions with the following bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::118928031713:role/live-export-job-batch-copy-role"
            },
            "Action": ["s3:PutObject", "s3:PutObjectAcl"],
            "Resource": "arn:aws:s3:::<YOUR_BUCKET_NAME>/*"
        }
    ]
}

Replace <YOUR_BUCKET_NAME> with the name of the bucket to which the policy is attached.

Please ensure that the bucket has "Object Ownership" set to Bucket owner preferred:

Bucket ownership preferences

Encryption

It is highly recommended to set up the destination bucket with server-side encryption enabled. The provided templates ensure that the destination bucket uses AWS:KMS encryption by default.

If AWS:KMS default encryption is enabled, please make sure the KMS key policy grants the GameAnalytics data role enough permissions to use the key when writing to the destination bucket:

{
    "Version": "2012-10-17",
    "Id": "allow-ga-write",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<YOUR AWS ACCOUNT ID>:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow GameAnalytics to write the data",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::118928031713:role/live-export-job-batch-copy-role"
            },
            "Action": "kms:GenerateDataKey",
            "Resource": "*"
        }
    ]
}
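
Before attaching either policy, it is worth checking that the cross-account grant has not drifted wider than the two S3 actions and the single KMS action listed above. The following is an added example, not part of the GameAnalytics documentation or templates: audit_grant and the other helpers are hypothetical names, and the bucket name in the samples is constructed.

```python
from fnmatch import fnmatchcase

# Role ARN and action names come from the page; the bucket name below is constructed.
GA_ROLE = "arn:aws:iam::118928031713:role/live-export-job-batch-copy-role"
S3_ACTIONS = {"s3:PutObject", "s3:PutObjectAcl"}
KMS_ACTIONS = {"kms:GenerateDataKey"}

def _as_list(value):
    """IAM accepts a scalar or a list for Action, Resource and Principal.AWS."""
    return value if isinstance(value, list) else [value]

def _applies_to(stmt, role):
    """True if the statement names `role` or a wildcard principal."""
    principal = stmt.get("Principal", {})
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
    return role in aws or "*" in aws

def audit_grant(policy, role, expected, resource_ok):
    """Findings for Allow statements that apply to `role` (hypothetical helper)."""
    findings, covered = [], set()
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _applies_to(stmt, role):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            # Action names are case-insensitive and may contain * wildcards.
            covered |= {a for a in expected if fnmatchcase(a.lower(), pattern.lower())}
            if pattern.lower() not in {a.lower() for a in expected}:
                findings.append(f"statement {i}: unexpected action: {pattern}")
        for res in _as_list(stmt.get("Resource", [])):
            if not resource_ok(res):
                findings.append(f"statement {i}: resource out of scope: {res}")
    findings += [f"missing required action: {a}" for a in sorted(expected - covered)]
    return findings

def s3_scope(bucket):
    """Accept only object ARNs inside `bucket` (a key prefix below it is fine)."""
    return lambda res: res.startswith(f"arn:aws:s3:::{bucket}/")

def bucket_policy(actions, resource):
    """Build a policy shaped like the page's, for the constructed samples."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": GA_ROLE},
        "Action": actions, "Resource": resource}]}

# Constructed samples: the page's policy for a made-up bucket, and a loosened copy.
GOOD = bucket_policy(["s3:PutObject", "s3:PutObjectAcl"], "arn:aws:s3:::example-export/*")
LOOSE = bucket_policy("s3:*", "arn:aws:s3:::*")

if __name__ == "__main__":
    for name, pol in (("good", GOOD), ("loose", LOOSE)):
        print(name, audit_grant(pol, GA_ROLE, S3_ACTIONS, s3_scope("example-export")))
```

For the KMS key policy, pass KMS_ACTIONS and a resource check that accepts only "*", since in a key policy "*" refers to the key the policy is attached to.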

Using AWS CLI tool

Prerequisites:

  • The cfn templates (unzipped)
  • AWS CLI (see Installing the AWS CLI)
  • jq
  • AWS Account
  • Bucket where the CloudFormation templates will be uploaded

1. Upload the CloudFormation templates to an S3 bucket

aws s3 sync ./cfn s3://<CFN_BUCKET_NAME>/gameanalytics/export/cfn/

2. Create the stack using the AWS CLI

aws cloudformation create-stack --stack-name gameanalytics-data-export \
--template-url https://<CFN_BUCKET_NAME>.s3.amazonaws.com/gameanalytics/export/cfn/s3.yaml \
--parameters \
ParameterKey=S3PolicyStackTemplateURL,ParameterValue=https://<CFN_BUCKET_NAME>.s3.amazonaws.com/gameanalytics/export/cfn/s3-policy.yaml

3. Wait until the stack is created

aws cloudformation describe-stacks --stack-name gameanalytics-data-export \
| jq -r '.Stacks[].StackStatus'

4. Get the bucket ARN to provide to the GameAnalytics export service

aws cloudformation describe-stacks --stack-name gameanalytics-data-export \
| jq -r '.Stacks[].Outputs[].OutputValue'

If the stack is created successfully, you should see the ARN of the created bucket, which will look similar to arn:aws:s3:::gameanalytics-data-export-s3bucket-81mhh0wqeskx.