Access control
By default, Lobby accepts API calls from either an Authenticated Player or a Service Account. In some cases, you might want more control over how lobbies are created or joined. In those cases you can use Access Control.
Service Account controlled lobbies
In the following example, lobbies can only be created and players can only join via a Service Account. This allows you to control the lobby by restricting write access for Players.
Creating project policies via CLI
with the following JSON definition will Deny
all write access to Lobby service APIs, except the
Reconnect,
Heartbeat and
Tokens endpoints.
Note that any API that requires read access (HTTP GETs) will still be accessible.
{
"statements": [
{
"Sid": "DenyLobbyServiceWrite",
"Resource": "urn:ugs:lobby:/v1/*",
"Principal": "Player",
"Action": ["Write"],
"Effect": "Deny"
},
{
"Sid": "AllowLobbyServiceReconnect",
"Resource": "urn:ugs:lobby:/v1/*/reconnect",
"Principal": "Player",
"Action": ["*"],
"Effect": "Allow"
},
{
"Sid": "AllowLobbyServiceHeartbeat",
"Resource": "urn:ugs:lobby:/v1/*/heartbeat",
"Principal": "Player",
"Action": ["*"],
"Effect": "Allow"
},
{
"Sid": "AllowLobbyServiceTokens",
"Resource": "urn:ugs:lobby:/v1/*/tokens",
"Principal": "Player",
"Action": ["*"],
"Effect": "Allow"
}
]
}
Upsert the policies with ugs access upsert-project-policy -p <project-id> -e <env-name> <file-path>
.
At this point, any API call that violates the policy will be rejected with a 403 - Forbidden
error.