One step further toward a full build and release process from Git to Steam. This time, let's secure the AWS environment and configure the virtual machine.
Because the environment we are setting up is in the cloud and reachable from the Internet, we must pay attention to security. In this chapter, we'll implement a least-privilege strategy with IAM: every identity gets only the actions it needs, on only the resources it needs.
IAM Role creation
We now create the roles and permissions the pipeline needs to run securely. We first write one policy per AWS service, attach the relevant policies to a group and add a user to that group, then attach the remaining policies to a role. We will build this security layout:
The user (through its access keys) will be used by the script that runs on the EC2 instance.
The role will be assumed by the Lambda function.
Create the IAM policies
Go to the IAM console:
1. UCB-AmazonS3ReadUCB-Policy
Click on Policies in the left menu. Then click on Create Policy:
Click on the JSON tab. We will create each policy by pasting its JSON document. The identifiers you collected previously (bucket name, instance ID, account ID) will be needed.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:GetObjectAcl",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::empire.org/UCB/*"
}
]
}
Replace empire.org with the name of the bucket you created previously. Note that the resource is the UCB/ prefix of the bucket, not the whole bucket, and only read actions are granted.
Click on Next twice and then write the name of the Policy:
UCB-AmazonS3ReadUCB-Policy
Then click on Create.
Repeat this operation for the four other policies:
2. UCB-AmazonS3WriteUCBBuild-Policy
Name of the policy:
UCB-AmazonS3WriteUCBBuild-Policy
JSON content:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectRetention",
"s3:DeleteObjectVersion",
"s3:PutObjectLegalHold",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::empire.org/UCB/unity-builds/*",
"arn:aws:s3:::empire.org/UCB/steam-parameters/*"
]
}
]
}
Replace empire.org with the name of the bucket you created previously. Write access is limited to the two prefixes the script actually uploads to; if you do not use S3 Object Lock, the s3:PutObjectRetention and s3:PutObjectLegalHold actions can be dropped as well.
3. UCB-AmazonSESBasic-Policy
Name of the policy:
UCB-AmazonSESBasic-Policy
JSON content:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ses:SendEmail",
"ses:SendRawEmail"
],
"Resource": "*"
}
]
}
There is no resource the pipeline writes to here, so Resource is "*". If your sending domain is a verified SES identity, you can narrow it to that identity's ARN (arn:aws:ses:<region>:<account id>:identity/empire.org) so that this policy can only send mail from your own domain.
4. UCB-AmazonEC2StartStopInstance-Policy
Name of the policy:
UCB-AmazonEC2StartStopInstance-Policy
JSON content:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:StopInstances"
],
"Resource": "arn:aws:ec2:*:<AWSORGANIZATIONID>:instance/<EC2INSTANCENAME>"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeInstanceTypeOfferings",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstanceEventNotificationAttributes",
"ec2:DescribeInstanceCreditSpecifications",
"ec2:DescribeInstanceStatus"
],
"Resource": "*"
}
]
}
Replace <EC2INSTANCENAME> with the EC2 instance ID you noted previously.
– For this example: i-0498da462121cc54b
Replace <AWSORGANIZATIONID> with your 12-digit AWS account ID, which you noted previously. The account field of an ARN takes the account ID, not the AWS Organizations ID (which has the form o-xxxxxxxxxx).
– For this example: 113819842001
The second statement keeps Resource "*" because the ec2:Describe* actions do not support resource-level permissions. The start/stop statement is the one that changes state, and it is pinned to a single instance.
5. UCB-AmazonLambdaBasic-Policy
Name of the policy:
UCB-AmazonLambdaBasic-Policy
JSON content:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:eu-west-3:<AWSORGANIZATIONID>:log-group:/aws/lambda/UCB-DeployOnSteam-Function:*"
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "arn:aws:logs:eu-west-3:<AWSORGANIZATIONID>:*"
}
]
}
Replace <AWSORGANIZATIONID> with your 12-digit AWS account ID, which you noted previously.
– For this example: 113819842001
Also check the region in the two log ARNs (eu-west-3 here): it must be the region in which you will create the Lambda function, otherwise the function will not be allowed to write its logs.
Create the IAM groups
Click on Groups in the left menu. Then click on Create New Group:
Enter the name of the group:
UCB-Linux-Group
Then click Next. Filter the policy list on Customer managed so that only the policies we created above are shown, and select the following ones:
- UCB-AmazonS3ReadUCB-Policy
- UCB-AmazonS3WriteUCBBuild-Policy
- UCB-AmazonSESBasic-Policy
Click on Next then Create.
Create the IAM roles
Click on Roles into the right menu. Then click on Create role:
Select AWS service and Lambda, since this role is for the Lambda function. This sets the role's trust policy so that only the Lambda service (lambda.amazonaws.com) can assume it:
Click on Next. Click on Filter Policies and select Customer Managed:
Select the following policies:
- UCB-AmazonSESBasic-Policy
- UCB-AmazonEC2StartStopInstance-Policy
- UCB-AmazonLambdaBasic-Policy
Click on Next twice. Enter the name of the role:
UCB-AmazonLambdaDeployOnSteam-Role
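The policies above and the trust relationship of this role are what the console hides behind clicks. The following Python script is an added example (my own code, not part of the UCB-steam project and not an AWS tool): it renders policies 3, 4 and 5 from this chapter with the page's example account ID and instance ID, lints them for the least-privilege mistakes discussed here (unreplaced placeholders, an account field that is not a 12-digit account ID, Resource "*" combined with state-changing actions, a log ARN whose region differs from the function's region), and returns the trust policy the console generates when you choose Lambda as the trusted service. The lint rules and the MUTATING_PREFIXES list are my own simplification; the SES finding is expected and marks the policy you could narrow to a verified identity.

```python
"""Render and lint the IAM policy documents from this chapter.

Added example for this article, not code from the UCB-steam project or
from AWS. The policy texts are the page's own; the lint rules are my own
least-privilege checks.
"""
import json
import re
from typing import Dict, List, Optional

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# Action-name prefixes that change state. Resource "*" on any of these is
# reported; read-only Describe*/Get* actions on "*" are not (assumption).
MUTATING_PREFIXES = ("Put", "Delete", "Start", "Stop", "Send", "Create")

# Policy 4 from the page, placeholders left in place (Describe list shortened).
EC2_POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["ec2:StartInstances", "ec2:StopInstances"],
     "Resource": "arn:aws:ec2:*:<AWSORGANIZATIONID>:instance/<EC2INSTANCENAME>"},
    {"Sid": "VisualEditor1", "Effect": "Allow",
     "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus"],
     "Resource": "*"}
  ]
}"""

# Policy 3 from the page.
SES_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["ses:SendEmail", "ses:SendRawEmail"], "Resource": "*"}
  ]
}"""

# Policy 5 from the page.
LAMBDA_LOGS_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor2", "Effect": "Allow",
     "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:eu-west-3:<AWSORGANIZATIONID>:log-group:/aws/lambda/UCB-DeployOnSteam-Function:*"},
    {"Sid": "VisualEditor3", "Effect": "Allow",
     "Action": "logs:CreateLogGroup",
     "Resource": "arn:aws:logs:eu-west-3:<AWSORGANIZATIONID>:*"}
  ]
}"""


def render_policy(template: str, **values: str) -> Dict:
    """Substitute <PLACEHOLDER> tokens and parse the result as JSON."""
    text = template
    for key, value in values.items():
        text = text.replace(f"<{key}>", value)
    return json.loads(text)


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def _is_mutating(action: str) -> bool:
    name = action.split(":", 1)[-1]
    return name == "*" or name.startswith(MUTATING_PREFIXES)


def lint_policy(doc: Dict, expected_region: Optional[str] = None) -> List[str]:
    """Return human-readable findings; an empty list means the policy passed."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "no-sid")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
        mutating = [a for a in actions if _is_mutating(a)]
        if "*" in resources and mutating:
            findings.append(f'{sid}: Resource "*" with state-changing actions {mutating}')
        for arn in resources:
            if arn == "*":
                continue
            if "<" in arn:
                findings.append(f"{sid}: unreplaced placeholder in {arn}")
                continue
            parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
            if len(parts) != 6 or parts[0] != "arn":
                findings.append(f"{sid}: malformed ARN {arn}")
                continue
            service, region, account = parts[2], parts[3], parts[4]
            # S3 ARNs carry no region or account; every other service must
            # name a 12-digit account ID (not an Organizations "o-..." ID).
            if service != "s3" and not ACCOUNT_ID_RE.match(account):
                findings.append(f"{sid}: account field {account!r} is not a 12-digit account ID")
            if expected_region and region not in ("", "*") and region != expected_region:
                findings.append(f"{sid}: region {region} but the function runs in {expected_region}")
    return findings


def lambda_trust_policy() -> Dict:
    """Trust policy the console attaches when you pick 'AWS service: Lambda'."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "lambda.amazonaws.com"},
                           "Action": "sts:AssumeRole"}]}


if __name__ == "__main__":
    page = {"AWSORGANIZATIONID": "113819842001", "EC2INSTANCENAME": "i-0498da462121cc54b"}
    for name, doc, region in [
        ("EC2 unrendered", json.loads(EC2_POLICY_TEMPLATE), None),
        ("EC2", render_policy(EC2_POLICY_TEMPLATE, **page), None),
        ("SES", json.loads(SES_POLICY), None),
        ("Lambda logs", render_policy(LAMBDA_LOGS_TEMPLATE, **page), "eu-west-1"),
    ]:
        print(name, lint_policy(doc, region) or "OK")
```

Run it before pasting the documents into the console: the unrendered EC2 policy is rejected for its placeholders, the rendered one passes, SES is flagged for its wildcard resource, and passing the region from your UCB-steam.config (eu-west-1 on this page) to the Lambda logs policy exposes the mismatch with the eu-west-3 ARNs.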
Create the IAM user accounts
Click on Users on the left and create a new user using the Add user button:
Give a name to your user. In this example, let's use DarthVader. Select Programmatic access only: this user connects to the services from a script, and nobody should be able to use this account to log in to the console (no console password is created, which reduces the attack surface):
Click on Next to Define the permissions. Select Add user to group:
Select the group previously created in the list:
UCB-Linux-Group
Click on Next twice then click on Create.
You will see the result screen:
Note here:
– the Access Key ID. For this example: AKIASSSRVAYGXQIIOZ6T
– the Secret access key. For this example: YmKphQIUoXkyvZorr1Oak5Yd30IIhk1n7nwf4WgI
Don't forget to note down this Secret key. THIS IS THE ONLY TIME IT IS SHOWN! It cannot be retrieved afterwards; if you lose it, delete the access key and create a new one.
Ubuntu configuration
We will now setup Ubuntu to be able to download the builds from UCB and upload them to Steam.
Connect to your instance
Go to the EC2 management console. Click on your instance in the list.
Note the public DNS name of your instance:
Open PuTTY and fill in the fields with the information you gathered:
Use ubuntu as the user
Select the private key you saved to your hard drive in the Instance creation step (PuTTY needs it in its own .ppk format; if you only have the .pem file, convert it once with PuTTYgen)
Enter the DNS name of the server and save the session
Click on Open.
You are now logged in:
Prerequisite installation
Now we will install the prerequisites for this server to download the build from UCB, run the Steamworks package creation and upload the result to Steam.
Clone the Python script from GitHub:
git clone https://github.com/polycornegames/UCB-steam.git /home/ubuntu/UCB-steam
Copy the example configuration file and edit it:
cp /home/ubuntu/UCB-steam/UCB-steam.config.example /home/ubuntu/UCB-steam/UCB-steam.config
nano /home/ubuntu/UCB-steam/UCB-steam.config
Edit these lines with the data you collected during the previous steps (aws.accesskey and aws.secretkey are the Access Key ID and Secret access key shown when you created the DarthVader user):
homepath: /home/ubuntu
basepath: /home/ubuntu/UCB-steam
logpath: /home/ubuntu/UCB-steam/logs
steam:
appid: 1000
appid_windows: 1001
appid_linux: 1002
appid_macos: 1003
user: darthvaderPGM
password: sidiousalways2nd
email:
from: steambuild@empire.org
recipients:
- darthvader@empire.org
- generaltarkin@empire.org
unity:
org_id: 4815162342
project_id: 3283627-c3po-r2d2-bb8-tk421
api_key: a6a5fa03a9b8711code66cd467836a4
aws:
region: eu-west-1
accesskey: OSDFUZEOIUZAPOIRIOUIUEZR
secretkey: YmKphQIUoXkyvZorr1Oak5Yd30IIhk1n7nwf4WgI
s3bucket: empire.org
Save the file. It now holds your AWS secret key, your Steam password and your Unity API key in clear text, so make sure only the ubuntu user can read it and never commit it to the repository. Then run the following commands:
cd /home/ubuntu/UCB-steam
python3 /home/ubuntu/UCB-steam/UCB-steam.py --install
If everything is set up correctly, the only question the script will ask you is the Steam Guard code you receive by email. This happens only once, during the script installation: Steam remembers that this machine was authorized and will not ask for the code again.
You should have this result at the end:
A couple of minutes later, you will receive an email with the steps of the installation process:
So let me quote the script: Everything is set up correctly. Congratulations!