Create Kinesis action

You must first configure AWS with an Amazon Kinesis data stream and an IAM role. If you've already done so, proceed to the Configure Admin Portal section.

Use Terraform
    resource "aws_kinesis_stream" "pubnub_kinesis" {
      name        = "pubnub-example"
      shard_count = 1

      stream_mode_details {
        stream_mode = "PROVISIONED"
      }
    }

    data "aws_iam_policy_document" "pubnub_kinesis_role" {
      statement {
        actions = ["sts:AssumeRole"]

        principals {
          # ... (excerpt; the full configuration is 59 lines)

Create a data stream

  1. Log into your Amazon Kinesis account and head to the Data streams view.

  2. To create a data stream, click the top-right Create data stream button and give the stream a meaningful name.

    Supported service type

    Events & Actions only supports the Data Streams service type.

  3. Click the bottom-right Create data stream button to save the setup.

  4. Copy the data stream ARN (ARN field) to use it later in the Admin Portal.

Create an IAM role

Create an IAM role with write permissions to Kinesis.

  1. Log into your AWS Identity and Access Management account and head to Roles under the Access Management section in the left navigation.

  2. Click the top-right Create role button and give the role a meaningful name.

  3. In Step 1 of the role configuration screen, select AWS account as the Trusted entity type.

  4. In the An AWS account section, select Another AWS account and enter 535363102202 (the PubNub account number) as the Account ID. This way, the role's trust relationship allows our service to assume your role to write to the data stream.

  5. Under Options, mark Require external ID and paste your app's subscribe key from the Admin Portal in the External ID field.

This step is optional but recommended by AWS best practices. It sets your app's subscribe key as the external ID that PubNub must present in every call that assumes the newly created role. See the related access policy details:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::535363102202:root"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "<PubNub subscribe key>"
            }
          }
        }
      ]
    }

Click Next to move to the second configuration step.

  1. In Step 2 of the role configuration screen, create a new permissions policy that gives write access to Kinesis (look for the kinesis:PutRecord policy permission). To do that, click the Create policy button and switch to the JSON tab. Paste the following snippet, changing the Resource to your Kinesis data stream ARN.

    {
      "Statement": [
        {
          "Action": ["kinesis:PutRecord"],
          "Effect": "Allow",
          "Resource": "<ARN of customer's Kinesis data stream>"
        }
      ],
      "Version": "2012-10-17"
    }

Finish the policy configuration by following the wizard steps.

  1. When you've created the policy, select it from the list and click Next to move to the third configuration step.

  2. In Step 3 of the role configuration screen, name the role and click Create Role to confirm the changes.

  3. Search for the role and copy its ARN (ARN field) to use it later in the Admin Portal.
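
Before the ARNs go into the Admin Portal, the role's two policies can be checked against what the steps above describe: only the PubNub account as principal, the subscribe key as external ID, and only kinesis:PutRecord on the one stream. The following Python script is an added example, not code from PubNub or AWS; the function names, the `sub-c-EXAMPLE` key and the sample stream ARN are assumptions constructed for illustration.

```python
# The bare account ID is equivalent to the root ARN in an IAM Principal element.
PUBNUB_PRINCIPALS = {"arn:aws:iam::535363102202:root", "535363102202"}  # from the page

def as_list(value):
    """IAM accepts either a string or a list for Action, Resource and Principal."""
    return value if isinstance(value, list) else [value]

def allow_statements(policy):
    return [s for s in as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]

def check_trust_policy(policy, subscribe_key):
    """Findings for the role's trust policy; an empty list means it matches the page."""
    findings = []
    for stmt in allow_statements(policy):
        principal = stmt.get("Principal", {})
        pairs = ([(k, v) for k, vs in principal.items() for v in as_list(vs)]
                 if isinstance(principal, dict) else [("*", principal)])
        for kind, value in pairs:
            if kind != "AWS" or value not in PUBNUB_PRINCIPALS:
                findings.append(f"unexpected principal {kind}:{value}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("missing sts:ExternalId condition")
        elif as_list(ext) != [subscribe_key]:
            findings.append("sts:ExternalId is not the subscribe key")
    return findings

def check_permissions_policy(policy, stream_arn):
    """Findings for the permissions policy: only kinesis:PutRecord on one stream."""
    findings = []
    for stmt in allow_statements(policy):
        findings += [f"action broader than kinesis:PutRecord: {a}"
                     for a in as_list(stmt.get("Action", [])) if a != "kinesis:PutRecord"]
        findings += [f"resource is not the data stream: {r}"
                     for r in as_list(stmt.get("Resource", [])) if r != stream_arn]
    return findings

# Constructed sample input (placeholder key and ARN, not real values).
KEY = "sub-c-EXAMPLE"
STREAM = "arn:aws:kinesis:us-east-1:111122223333:stream/pubnub-example"
TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::535363102202:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": KEY}}}]}
WRITE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["kinesis:PutRecord"], "Resource": STREAM}]}

if __name__ == "__main__":
    print(check_trust_policy(TRUST, KEY), check_permissions_policy(WRITE, STREAM))
```

To check a live role, load the JSON returned by `aws iam get-role` and `aws iam get-policy-version` and pass the policy documents to these functions.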

Configure Admin Portal

  1. In the Events & Actions view on the Admin Portal, create an action by clicking the + Add Action button.

  2. Click Amazon Kinesis to select it as the action type.

  3. Paste both Amazon ARN values (for data stream and role) under the Data Stream ARN and Role ARN fields.

  4. Optionally, enable and configure retries through the Kinesis retry option.

  5. Pair your action with an event listener without leaving the Actions view. To do this, click the Add event listener button and select an existing event listener or create a new one.

  6. Save your newly created action by clicking the Save changes button.
