Unity to Steam – Part 5 – AWS IAM and Ubuntu

One step further towards a full build and release process from Git to Steam. This time, let's create a secured AWS environment and set up the virtual machine.

As the environment we are setting up is in the cloud and reachable from the Internet, we must pay attention to security. In this chapter, we'll implement a least-privilege strategy with IAM: each component gets only the permissions it needs and nothing more.

IAM Role creation

We must now create the roles and permissions necessary for the whole pipeline to work securely. We will first create the policies we need for each AWS service, then attach them to a group, and finally add the user to that group. We will build this security layout:

The user will be used by the script that will run on the EC2 instance.

The role will be used by the Lambda script.

Create the IAM policies

Go to the IAM console:

1. UCB-AmazonS3ReadUCB-Policy

Click on Policies in the right menu, then click on Create Policy:

Click on the JSON tab. We will create the policies by pasting their JSON content. The information you collected previously will be needed here.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObjectAcl",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::empire.org/UCB/*"
        }
    ]
}

Replace empire.org with the name of the bucket you created previously.

Click on Next twice and then write the name of the Policy:

UCB-AmazonS3ReadUCB-Policy

Then click on Create.

Repeat this operation for the next 5 other policies:

2. UCB-AmazonS3WriteUCBBuild-Policy

Name of the policy:

UCB-AmazonS3WriteUCBBuild-Policy

JSON content:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectRetention",
                "s3:DeleteObjectVersion",
                "s3:PutObjectLegalHold",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::empire.org/UCB/unity-builds/*",
                "arn:aws:s3:::empire.org/UCB/steam-parameters/*"
            ]
        }
    ]
}

Replace empire.org with the name of the bucket you created previously.

3. UCB-AmazonSESBasic-Policy

Name of the policy:

UCB-AmazonSESBasic-Policy

JSON content:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ses:SendEmail",
                "ses:SendRawEmail"
            ],
            "Resource": "*"
        }
    ]
}

4. UCB-AmazonEC2StartStopInstance-Policy

Name of the policy:

UCB-AmazonEC2StartStopInstance-Policy

JSON content:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": "arn:aws:ec2:*:<AWSORGANIZATIONID>:instance/<EC2INSTANCENAME>"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceTypeOfferings",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInstanceEventNotificationAttributes",
                "ec2:DescribeInstanceCreditSpecifications",
                "ec2:DescribeInstanceStatus"
            ],
            "Resource": "*"
        }
    ]
}

Replace <EC2INSTANCENAME> with the EC2 instance ID you noted previously.
– For this example: i-0498da462121cc54b
Replace <AWSORGANIZATIONID> with the AWS organization ID you noted previously.
– For this example: 113819842001

5. UCB-AmazonLambdaBasic-Policy

Name of the policy:

UCB-AmazonLambdaBasic-Policy

JSON content:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:eu-west-3:<AWSORGANIZATIONID>:log-group:/aws/lambda/UCB-DeployOnSteam-Function:*"
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": "logs:CreateLogGroup",
            "Resource": "arn:aws:logs:eu-west-3:<AWSORGANIZATIONID>:*"
        }
    ]
}

Replace <AWSORGANIZATIONID> with the AWS organization ID you noted previously.
– For this example: 113819842001
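Before pasting a policy into the console, it is worth checking that it still respects the least-privilege goal of this chapter: no placeholder left unreplaced, no wildcard action, and no state-changing action granted on every resource. The script below is an added example and is not part of the original article or of the UCB-steam project. The sample documents are transcribed from policies 1, 3 and 4 above; the checks themselves (placeholder detection, wildcard actions, mutating verbs on Resource "*") are this example's own heuristics. It reports the SES policy's ses:SendEmail on "*" for review rather than as an error: whether you can narrow it to a sending identity ARN depends on your SES setup.

```python
"""Least-privilege sanity checks for the custom IAM policies above.

Added example, not part of the article or the UCB-steam project.
"""
import json
import re

PLACEHOLDER = re.compile(r"<[A-Z0-9_]+>")   # e.g. <AWSORGANIZATIONID>
# Verbs that change state. Granting them on Resource "*" defeats least privilege,
# so they are reported for review; read-only Describe*/Get* verbs are not.
MUTATING_PREFIXES = ("Put", "Delete", "Create", "Start", "Stop",
                     "Send", "Terminate", "Update")


def _as_list(value):
    """IAM accepts a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(document):
    """Return a list of findings for a policy JSON string; empty means it passed."""
    findings = []
    policy = json.loads(document)
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue                      # Deny statements only narrow access
        sid = stmt.get("Sid", "(no Sid)")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for res in resources:
            for ph in PLACEHOLDER.findall(res):
                findings.append(f"{sid}: placeholder {ph} not replaced in {res}")
        for action in actions:
            verb = action.partition(":")[2]
            if action == "*" or verb == "*":
                findings.append(f"{sid}: wildcard action {action}")
            elif verb.startswith(MUTATING_PREFIXES) and "*" in resources:
                findings.append(f"{sid}: mutating action {action} allowed on every resource")
    return findings


def fill_placeholders(document, values):
    """Substitute <NAME> placeholders from a {NAME: value} mapping."""
    return PLACEHOLDER.sub(lambda m: values.get(m.group(0)[1:-1], m.group(0)), document)


# Policy 1 from the article: read access scoped to one bucket prefix.
S3_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
                   "Action": ["s3:GetObjectAcl", "s3:GetObject"],
                   "Resource": "arn:aws:s3:::empire.org/UCB/*"}],
})

# Policy 3 from the article: SES send actions on every resource.
SES_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
                   "Action": ["ses:SendEmail", "ses:SendRawEmail"],
                   "Resource": "*"}],
})

# Policy 4 from the article, still containing the placeholders to be replaced.
EC2_POLICY_TEMPLATE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "arn:aws:ec2:*:<AWSORGANIZATIONID>:instance/<EC2INSTANCENAME>"},
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus"],
         "Resource": "*"},
    ],
})

if __name__ == "__main__":
    for name, doc in [("S3 read", S3_READ_POLICY), ("SES", SES_POLICY),
                      ("EC2 template", EC2_POLICY_TEMPLATE)]:
        print(name, lint_policy(doc) or "OK")
    # Values from the article's example account and instance.
    filled = fill_placeholders(EC2_POLICY_TEMPLATE,
                               {"AWSORGANIZATIONID": "113819842001",
                                "EC2INSTANCENAME": "i-0498da462121cc54b"})
    print("EC2 filled", lint_policy(filled) or "OK")
```

Run it as-is to see the three sample verdicts; to check your own documents, call lint_policy on the pasted JSON string before creating the policy in the console.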

Create the IAM groups

Click on Groups in the right menu, then click on Create New Group:

Enter the name of the group:

UCB-Linux-Group

Then click Next. Select the policies to attach to this group by filtering on the custom ones we created above:

Then select the following ones:

  • UCB-AmazonS3ReadUCB-Policy
  • UCB-AmazonS3WriteUCBBuild-Policy
  • UCB-AmazonSESBasic-Policy

Click on Next then Create.

Create the IAM roles

Click on Roles in the right menu, then click on Create role:

Select AWS service and Lambda. We will need this role for the Lambda function:

Click on Next. Click on Filter policies and select Customer managed:

Select the following policies:

  • UCB-AmazonSESBasic-Policy
  • UCB-AmazonEC2StartStopInstance-Policy
  • UCB-AmazonLambdaBasic-Policy

Click on Next twice. Enter the name of the role:

UCB-AmazonLambdaDeployOnSteam-Role

Create the IAM user accounts

Click on Users on the left and create a new user using the Add user button:

Give a name to your user. In this example, let's use DarthVader and select Programmatic access, because we want this user to connect to the service programmatically only: we don't want anyone to use this account to log in to the console (for security purposes):

Click on Next to define the permissions. Select Add user to group:

Select the group previously created in the list:

UCB-Linux-Group

Click on Next twice then click on Create.

You will see the result screen:

Note here:
– the Access Key ID. For this example: AKIASSSRVAYGXQIIOZ6T
– the Secret access key. For this example: YmKphQIUoXkyvZorr1Oak5Yd30IIhk1n7nwf4WgI

Don't forget to note down this secret key. THIS IS THE ONLY CHANCE TO SEE IT!! There is no way to retrieve it afterwards.

Ubuntu configuration

We will now set up Ubuntu so that it can download the builds from UCB and upload them to Steam.

Connect to your instance

Go to the EC2 management panel. Click on your instance in the list.

Note the DNS name of your instance:

Open PuTTY, then fill in the fields with the information you gathered:

Use ubuntu as the user

Select the .pem file (private key) you saved to your hard drive in the Instance creation step

Enter the DNS name of the server and save the parameters

Click on Open.

You are now logged in:

Prerequisite installation

Now we will install the prerequisites this server needs to download the build from UCB, create the Steamworks package, and upload it to Steam.

Download the Python script from Git:

git clone https://github.com/polycornegames/UCB-steam.git /home/ubuntu/UCB-steam

Copy the example parameter file to its final name, then edit it:

cp /home/ubuntu/UCB-steam/UCB-steam.config.example /home/ubuntu/UCB-steam/UCB-steam.config
nano /home/ubuntu/UCB-steam/UCB-steam.config

Edit these lines with the data you collected during the previous steps:

homepath: /home/ubuntu
basepath: /home/ubuntu/UCB-steam
logpath: /home/ubuntu/UCB-steam/logs
steam:
     appid: 1000
     appid_windows: 1001
     appid_linux: 1002
     appid_macos: 1003
     user: darthvaderPGM
     password: sidiousalways2nd
email:
     from: steambuild@empire.org
     recipients:
          - darthvader@empire.org
          - generaltarkin@empire.org
unity:
     org_id: 4815162342
     project_id: 3283627-c3po-r2d2-bb8-tk421
     api_key: a6a5fa03a9b8711code66cd467836a4
aws:
     region: eu-west-1
     accesskey: OSDFUZEOIUZAPOIRIOUIUEZR
     secretkey: YmKphQIUoXkyvZorr1Oak5Yd30IIhk1n7nwf4WgI
     s3bucket: empire.org

Save the file and run the following command:

cd /home/ubuntu/UCB-steam
python3 /home/ubuntu/UCB-steam/UCB-steam.py --install
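The configuration file you just edited holds the Steam password and the IAM secret access key in clear text, so before running the install step it is worth confirming that only the ubuntu user can read it and that no credential field was left empty. The script below is an added example, not part of the article or of the UCB-steam project: it reads the two-level "section: / key: value" layout shown above with a small parser written for this example (it is not a full YAML parser, and the list items under recipients are skipped), checks the file mode, and lists the credential keys that are missing. The sample configuration it writes into a temporary directory is constructed with obviously fake values.

```python
"""Permission and completeness checks for UCB-steam.config.

Added example, not part of the article or the UCB-steam project.
"""
import os
import stat
import tempfile

# Credential keys the install step needs; assumption based on the article's config.
REQUIRED = {
    "steam": ("user", "password"),
    "unity": ("org_id", "project_id", "api_key"),
    "aws": ("accesskey", "secretkey", "s3bucket"),
}

# Constructed sample in the article's layout, with fake values.
SAMPLE_CONFIG = """\
homepath: /home/ubuntu
basepath: /home/ubuntu/UCB-steam
steam:
     appid: 1000
     user: example-steam-user
     password: example-steam-password
email:
     from: steambuild@example.test
     recipients:
          - someone@example.test
unity:
     org_id: 0000000000
     project_id: example-project-id
     api_key: EXAMPLE-UNITY-API-KEY
aws:
     region: eu-west-1
     accesskey: AKIAEXAMPLEACCESSKEY
     secretkey: EXAMPLE-SECRET-KEY
     s3bucket: example-bucket
"""


def parse_config(text):
    """Parse 'key: value' lines under 'section:' headers into {section: {key: value}}."""
    result, section = {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith(("#", "-")):
            continue                      # blank, comment or list item
        indent = len(raw) - len(raw.lstrip())
        key, _, value = stripped.partition(":")
        value = value.strip()
        if indent == 0 and not value:     # 'steam:' opens a section
            section = key
            result[section] = {}
        elif indent == 0:                 # top-level scalar such as homepath
            result[key] = value
        elif section is not None:
            result[section][key] = value
    return result


def missing_keys(cfg):
    """Return findings for REQUIRED keys that are absent or empty."""
    return [f"{section}.{key} is missing or empty"
            for section, keys in REQUIRED.items()
            for key in keys if not cfg.get(section, {}).get(key)]


def check_config(path):
    """Return a list of findings for the file at path; empty means it passed."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        return [f"missing: {path}"]
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):   # any group/other bit set
        findings.append(f"mode {oct(mode)} lets group/others read the secrets; use chmod 600")
    with open(path, encoding="utf-8") as fh:
        findings.extend(missing_keys(parse_config(fh.read())))
    return findings


def demo():
    """Write the sample twice (world-readable, then owner-only) and check both."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "UCB-steam.config")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CONFIG)
        os.chmod(path, 0o644)
        loose = check_config(path)
        os.chmod(path, 0o600)
        tight = check_config(path)
    return loose, tight


if __name__ == "__main__":
    for label, findings in zip(("0644", "0600"), demo()):
        print(label, findings or "OK")
```

On the real instance, run check_config("/home/ubuntu/UCB-steam/UCB-steam.config") after editing the file; if it reports the mode, chmod 600 the file before continuing with the install step.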

If you set up everything correctly, the only question the script will ask you is the Steam Guard code you will receive by email. This step is done only once, during the script installation. The system will remember that you managed to connect and will not ask you this security question again.

You should have this result at the end:

A couple of minutes later, you will receive this email with the steps of the installation process:

So let me quote the script: Everything is set up correctly. Congratulations!