Create S3 action

Logs from Functions

You can use the S3 action to export logs from your Functions. Read the docs for more information.

First, set up an Amazon S3 bucket and an IAM role. If you already have both, go to Admin Portal configuration.

Use Terraform
resource "random_string" "random" {
  length = 8
  upper = false
  special = false
}
resource "aws_s3_bucket" "pubnub_s3" {
  bucket = "pubnub-s3-example-${random_string.random.result}"
  tags = {
    PubNub        = "Example"
  }
}
data "aws_iam_policy_document" "pubnub_s3_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
show all 54 lines

Create a bucket

  1. Open Amazon S3 and go to Buckets.
  2. Click Create bucket. Enter a name. Choose a region.
  3. Configure any settings you need.
  4. Click Create bucket.
  5. Copy the bucket name and region for later.

Create an IAM role

Create an IAM role with write permission to S3.

  1. Open AWS Identity and Access Management and go to Roles.

  2. Click Create role and name the role.

  3. Select AWS account as the Trusted entity type.

  4. In An AWS account, choose Another AWS account. Enter 535363102202 as the Account ID. This is PubNub’s AWS account ID. It lets PubNub assume the role to write to your bucket.

  5. Under Options, select Require external ID.

  6. Paste your app’s subscribe key from the Admin Portal into External ID.

    Optional, recommended by AWS. It uses your subscribe key as the external ID for PubNub. Access policy example:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::535363102202:root"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": "<PubNub subscribe key>"
                    }
                }
            }
    show all 17 lines

    Click Next.

  7. Create a permissions policy with s3:PutObject. Click Create policy. Switch to JSON. Paste the snippet below. Replace Resource with your bucket ARN.

    {
        "Statement": [
            {
                "Action": [
                    "s3:PutObject"
                ],
                "Effect": "Allow",
                "Resource": "<ARN of customer's S3 bucket>"
                // Follow these guidelines for the correct Amazon Resource Name (ARN) pattern:
                // https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html
            }
        ],
        "Version": "2012-10-17"
    }

    Finish the policy in the wizard.

  8. Select the policy and click Next.

  9. Name the role and click Create Role.

  10. Copy the role ARN for later.

Configure Admin Portal

  1. In Events & Actions on the Admin Portal, click + Add Action.
  2. Click Amazon S3 to select the action type.
  3. Paste the Bucket Name and Role ARN values.
  4. Choose the Region of your target bucket.
  5. (Optional) Enable and configure Batching.
  6. (Optional) Enable and configure retries in AWS S3 retry.
  7. (Optional) Add an Object key prefix. You can use prefixes to organize objects like folders.
  8. Pair the action with an event listener in Actions. Click Add event listener and select an existing listener or create one.
  9. Click Save changes.
Last updated on
On this page