Access control
Control access to Unity Gaming Services by creating rules to restrict service APIs.
You can control access to Unity Gaming Services (UGS), including Cloud Code, via the Access Control service. Access Control lets you create rules that restrict access to service APIs that should not be made available to players.
Control player access to Cloud Code modules example
The example below demonstrates how you can create a project-based policy that denies access to the Cloud Code service APIs. You can wire a Cloud Code C# module to a trigger while denying direct requests from players, increasing the security of your game. You can create access policies with the UGS CLI tool.
Prerequisites
First, you need to create a service account with the required access roles and configure the UGS CLI.
Authenticate using a Service Account
Before you can call the Scheduling and Triggers services, you need to use a service account to authenticate.
- Navigate to the Unity Dashboard.
- Select Administration > Service Accounts.
- Select the New button and enter a name and description for the Service Account.
- Select Create.
- Select Manage product roles.
- Add the following roles to the Service Account:
  - From the LiveOps dropdown, select Triggers Configuration Editor, Triggers Configuration Viewer, Scheduler Configuration Editor and Scheduler Configuration Viewer.
  - From the Admin dropdown, select Unity Environments Viewer, Project Resource Policy Editor and Project Resource Policy Reader.
- Select Save.
- Select Add Key.
- Encode the Key ID and Secret key using base64 encoding. The format is “key_id:secret_key”. Note this value down.
Configure the UGS CLI
Follow the steps below to get started with the UGS CLI:
- Install the UGS CLI.
- Use the following to configure your Project ID and Environment:

  ugs config set project-id <your-project-id>
  ugs config set environment-name <your-environment-name>

- Authenticate using the service account you created earlier. For more information, refer to Get Authenticated.
Create a module endpoint
Create a Cloud Code module that broadcasts a message to all connected players in the project. Refer to send push messages for more information.

using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;
using Unity.Services.CloudCode.Core;
using Unity.Services.CloudCode.Apis;

namespace HelloWorld
{
    public class HelloWorld
    {
        // Exposed as the module endpoint HelloWorld/SendProjectMessage.
        [CloudCodeFunction("SendProjectMessage")]
        public async Task SendProjectMessage(IExecutionContext context, PushClient pushClient, string message, string messageType)
        {
            // Broadcasts the message to every connected player in the project.
            await pushClient.SendProjectMessageAsync(context, message, messageType);
        }
    }

    public class ModuleConfig : ICloudCodeSetup
    {
        public void Setup(ICloudCodeConfig config)
        {
            // Registers PushClient so it can be injected into the function above.
            config.Dependencies.AddSingleton(PushClient.Create());
        }
    }
}

Deploy the module. Refer to Deploying Hello World to learn how to deploy a module.
Create an Access Control project policy to restrict access
Create a project-policy.json file:

{
  "statements": [
    {
      "Sid": "DenyPlayerAccessForSendingMessageToProject",
      "Resource": "urn:ugs:cloud-code:/v1/projects/*/modules/HelloWorld/SendProjectMessage",
      "Principal": "Player",
      "Action": ["*"],
      "Effect": "Deny"
    }
  ]
}

Use the UGS CLI tool to apply this policy to your project:

ugs access upsert-project-policy project-policy.json

Call SendProjectMessage as a player:

curl 'https://cloud-code.services.api.unity.com/v1/projects/<PROJECT_ID>/players/<PLAYER_ID>/modules/HelloWorld/SendProjectMessage' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <BEARER_TOKEN>' \
  --data '{"params": {"message": "hello"}}'

If the policy is successfully applied, this request should return a response with a 403:

{
  "status": 403,
  "title": "Forbidden",
  "type": "https://services.docs.unity.com/docs/errors/#56",
  "requestId": "b815d154-91f5-470e-a8ef-76c3c8ec7c13",
  "detail": "Access has been restricted",
  "code": 56
}

Test that the Cloud Code module is able to execute when authenticated with a service account with the same request. To continue, you need to obtain a stateless token and use it as a Bearer token in the request. Refer to Cloud Code Client API Bearer Authentication for more information.

curl 'https://cloud-code.services.api.unity.com/v1/projects/<PROJECT_ID>/modules/HelloWorld/SendProjectMessage' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <BEARER_TOKEN>' \
  --data '{"params": {"message": "hello"}}'

If the request is successful, Cloud Code should respond with a 200:

{
  "output": null
}
Set up Scheduling and Triggers
You can set up a schedule and trigger to invoke the SendProjectMessage endpoint.
Create a schedule configuration
Run the new-file command:

ugs scheduler new-file schedule-config

Update the schedule-config.sched file:

{
  "$schema": "https://ugs-config-schemas.unity3d.com/v1/schedules.schema.json",
  "Configs": {
    "send-project-message": {
      "EventName": "announcement",
      "Type": "one-time",
      "Schedule": "2024-08-28T00:00:00Z",
      "PayloadVersion": 1,
      "Payload": "{\"message\": \"hello\"}"
    }
  }
}
Create a trigger configuration
Run the new-file command:

ugs triggers new-file triggers-config

To create a trigger that invokes SendProjectMessage on the announcement event, update the triggers-config.tr file:

{
  "$schema": "https://ugs-config-schemas.unity3d.com/v1/triggers.schema.json",
  "Configs": [
    {
      "Name": "announcement-trigger",
      "EventType": "com.unity.services.scheduler.announcement.v1",
      "ActionUrn": "urn:ugs:cloud-code:HelloWorld/SendProjectMessage",
      "ActionType": "cloud-code"
    }
  ]
}
Deploy the configurations
Deploy the files using the UGS CLI tool:

ugs deploy <path-to-config-files>

If configured correctly, the trigger should invoke the SendProjectMessage endpoint on the announcement event.
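A pre-deploy check for the setup above, added here as an example and not part of Unity's documentation or tooling: it cross-references triggers-config.tr against project-policy.json and lists every Cloud Code trigger target that has no Player Deny statement. The inputs are constructed copies of the page's files plus a hypothetical second trigger (`reward-trigger` / `GrantReward`); treating `*` in a Resource URN as a free wildcard and requiring `"*"` in Action are assumptions of this sketch.

```python
import json
import re

# Constructed inputs mirroring the page's project-policy.json and triggers-config.tr,
# plus one hypothetical extra trigger ("reward-trigger") with no matching Deny rule.
POLICY = json.loads("""{"statements": [{
  "Sid": "DenyPlayerAccessForSendingMessageToProject",
  "Resource": "urn:ugs:cloud-code:/v1/projects/*/modules/HelloWorld/SendProjectMessage",
  "Principal": "Player", "Action": ["*"], "Effect": "Deny"}]}""")
TRIGGERS = json.loads("""{"Configs": [
  {"Name": "announcement-trigger",
   "EventType": "com.unity.services.scheduler.announcement.v1",
   "ActionUrn": "urn:ugs:cloud-code:HelloWorld/SendProjectMessage",
   "ActionType": "cloud-code"},
  {"Name": "reward-trigger",
   "EventType": "com.unity.services.scheduler.reward.v1",
   "ActionUrn": "urn:ugs:cloud-code:HelloWorld/GrantReward",
   "ActionType": "cloud-code"}]}""")


def resource_matches(pattern, urn):
    # Assumption: "*" in a Resource URN matches any run of characters.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, urn) is not None


def player_denied(policy, module, function):
    # Build the resource URN in the shape the page's policy statement uses.
    urn = f"urn:ugs:cloud-code:/v1/projects/PROJECT_ID/modules/{module}/{function}"
    return any(
        st.get("Effect") == "Deny"
        and st.get("Principal") == "Player"
        and "*" in st.get("Action", [])  # only a deny on every action counts here
        and resource_matches(st.get("Resource", ""), urn)
        for st in policy.get("statements", [])
    )


def unprotected_triggers(policy, triggers):
    """Names of cloud-code triggers whose target has no Player Deny statement."""
    exposed = []
    for cfg in triggers.get("Configs", []):
        if cfg.get("ActionType") != "cloud-code":
            continue
        # "urn:ugs:cloud-code:HelloWorld/SendProjectMessage" -> module, function
        module, _, function = cfg["ActionUrn"].rsplit(":", 1)[-1].partition("/")
        if not player_denied(policy, module, function):
            exposed.append(cfg["Name"])
    return exposed


if __name__ == "__main__":
    print(unprotected_triggers(POLICY, TRIGGERS))
```

Run it in CI before `ugs deploy` and fail the build when the returned list is non-empty.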