Create S3 action

Logs from Functions

You can use the S3 action to export logs from your Functions. Read the docs for more information.

You must first set up an Amazon S3 bucket and an IAM role in AWS. If you've already done this, proceed to the Admin Portal configuration section.

Use Terraform
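# Random suffix so the bucket name is globally unique.
resource "random_string" "random" {
  length  = 8
  upper   = false
  special = false
}

resource "aws_s3_bucket" "pubnub_s3" {
  bucket = "pubnub-s3-example-${random_string.random.result}"
  tags = {
    PubNub = "Example"
  }
}

# Trust policy: principal values follow the Access policy under "Create an IAM role".
data "aws_iam_policy_document" "pubnub_s3_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::535363102202:root"]
    }
  }
}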

Create a bucket

  1. Log into your Amazon S3 account and click Buckets.

  2. Choose Create bucket, give it a meaningful name, and choose a region for your bucket.

  3. Configure the desired settings for your bucket.

  4. Once you are done setting up all desired settings, click Create bucket.

  5. Copy the name and the region of your bucket to use them later in the Admin Portal.

Create an IAM role

Create an IAM role with write permissions to S3.

  1. Log into your AWS Identity and Access Management account and head to Roles under the Access Management section in the left navigation.

  2. Click the top-right Create role button and give the role a meaningful name.

  3. In Step 1 of the role configuration screen, select AWS account as Trusted entity type.

  4. In the An AWS account section, select Another AWS account and enter 535363102202 (PubNub account number) as the Account ID. This way, the role's trust relationship allows our service to assume your role to write to the data stream.

  5. Under Options, select Require external ID and paste your app's subscribe key from the Admin Portal in the External ID field.

This step is optional but recommended by AWS best practices. It sets your app's subscribe key as the external ID that PubNub must supply whenever it assumes the newly created role. See the related Access policy details:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::535363102202:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<PubNub subscribe key>"
        }
      }
    }
  ]
}

Click Next to move to the second configuration step.

  1. In Step 2 of the role configuration screen, create a new permissions policy that gives write access to S3 (look for the s3:PutObject policy permission). To do that, click the Create policy button and switch to the JSON tab. Paste the following snippet, replacing the Resource value with your S3 bucket ARN.

    {
        "Statement": [{
            "Action": ["s3:PutObject"],
            "Effect": "Allow",
            "Resource": "<ARN of customer's S3 bucket>"
        }],
        "Version": "2012-10-17"
    }

    Finish the policy configuration by following the wizard steps.

  2. When you've created the policy, select it from the list and click Next to move to the third configuration step.

  3. In Step 3 of the role configuration screen, name the role and click Create Role to confirm the changes.

  4. Search for the role and copy its ARN (ARN field) to use it later in the Admin Portal.
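
The following check for the two policy documents created in the steps above is an added example, not PubNub's code. It flags a trust policy that lacks the external ID condition or names another principal, and a permissions policy wider than s3:PutObject on the target bucket. The function names, the `sub-c-example` key and the bucket ARN are constructed for illustration.

```python
import json

PUBNUB_PRINCIPAL = "arn:aws:iam::535363102202:root"  # PubNub account from this page

def _as_list(value):  # IAM accepts a single string or a list in these fields
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, subscribe_key):
    """Findings for the role trust policy (who may call sts:AssumeRole)."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        findings += [f"unexpected principal: {a}" for a in arns if a != PUBNUB_PRINCIPAL]
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_id is None:
            findings.append("missing sts:ExternalId condition")
        elif _as_list(ext_id) != [subscribe_key]:
            findings.append("sts:ExternalId is not the subscribe key")
    return findings

def audit_write_policy(policy, bucket_arn):
    """Findings for the permissions policy (what the role may do)."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action != "s3:PutObject":
                findings.append(f"action beyond s3:PutObject: {action}")
        for res in _as_list(stmt.get("Resource", [])):
            # Accept the bucket ARN itself or object ARNs beneath it.
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.append(f"resource outside bucket: {res}")
    return findings

# Constructed sample input: placeholder key and bucket, not real values.
KEY, BUCKET = "sub-c-example", "arn:aws:s3:::pubnub-s3-example-abcd1234"
GOOD_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::535363102202:root"}, "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "sub-c-example"}}}]}""")
WEAK_TRUST = {"Statement": [{k: v for k, v in GOOD_TRUST["Statement"][0].items() if k != "Condition"}]}
BROAD_WRITE = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["s3:PutObject", "s3:*"], "Resource": "*"}]}""")

if __name__ == "__main__":
    print(audit_trust_policy(WEAK_TRUST, KEY), audit_write_policy(BROAD_WRITE, BUCKET))
```

An empty list means the document matches what this page configures. To check a real role, load its policies from the JSON tab in the IAM console and pass them in.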

Configure Admin Portal

  1. In the Events & Actions view on the Admin Portal, create an action by clicking on the + Add Action button.

  2. Click Amazon S3 to select it as the action type.

  3. Paste the bucket name and role ARN values into the Bucket Name and Role ARN fields.

  4. Choose the Region of your target bucket from the drop-down list.

  5. Optionally, enable and configure Batching.

  6. Optionally, enable and configure retries through AWS S3 retry.

  7. Optionally, add an Object key prefix.

    You can leverage object key name prefixes to deduce the logical hierarchy of sub-buckets or sub-folders within the bucket. This allows you to distinctly identify each object stored in the bucket.

  8. Pair your action with an event listener without leaving the Actions view. To do this, click the Add event listener button and select an existing event listener or create a new one.

  9. Save your newly created action by clicking the Save changes button.
