Create S3 action

You must first configure AWS to have an Amazon S3 bucket and an IAM role. If you've already done it, proceed to the Admin Portal configuration section.

Use Terraform
resource "random_string" "random" {
length = 8
upper = false
special = false
resource "aws_s3_bucket" "pubnub_s3" {
bucket = "pubnub-s3-example-${random_string.random.result}"
tags = {
PubNub = "Example"
data "aws_iam_policy_document" "pubnub_s3_role" {
statement {
actions = ["sts:AssumeRole"]
principals {
show all 54 lines

Create a bucket

  1. Log into your Amazon S3 account and click Buckets.

  2. Choose Create bucket, give it a meaningful name and choose region for your bucket.

  3. Configure the desired settings for your bucket.

  4. Once you are done setting up all desired settings, click Create bucket.

  5. Copy the name and the region of your bucket to use it later in the Admin Portal.

Create an IAM role

Create an IAM role with write permissions to S3.

  1. Log into your AWS Identity and Access Management account and head to Roles under the Access Management section in the left navigation.

  2. Click the top-right Create role button and give the role a meaningful name.

  3. In Step 1 of the role configuration screen, select AWS account as Trusted entity type.

  4. In the An AWS account section, select Another AWS account and put 535363102202 (PubNub account number) as the Account ID. This way, the role's trust relationship allows our service to assume your role to write to the data stream.

  5. Under Options, select Require external ID and paste your app's subscribe key from the Admin Portal in the External ID field.

    This step is optional but recommended by the AWS best practices. This way, you assign the app's subscribe key as an external ID that would assume the newly created role in all PubNub calls. See the related Access policy details:

    "Version": "2012-10-17",
    "Statement": [
    "Effect": "Allow",
    "Principal": {
    "AWS": "arn:aws:iam::535363102202:root"
    "Action": "sts:AssumeRole",
    "Condition": {
    "StringEquals": {
    "sts:ExternalId": "<PubNub subscribe key>"
    show all 17 lines

    Click Next to move to the second configuration step.

  6. In Step 2 of the role configuration screen, create a new permissions policy that gives write access to S3 (look for the s3:PutObject policy permission). To do that, click the Create policy button and switch to the JSON tab. Paste the following snippet changing the Resources to your S3 bucket ARN.

    "Statement": [
    "Action": [
    "Effect": "Allow",
    "Resource": "<ARN of customer's S3 bucket>"
    "Version": "2012-10-17"

    Finish the policy configuration by following the wizard steps.

  7. When you've created the policy, select it from the list and click Next to move to the third configuration step.

  8. In Step 3 of the role configuration screen, name the role and click Create Role to confirm the changes.

  9. Search for the role and copy its ARN (ARN field) to use it later in the Admin Portal.

Configure Admin Portal

  1. In the Events & Actions view on the Admin Portal, create an action by clicking on the + ACTION button.

  2. Paste both Bucket Name and ARN (role) values under the Bucket Name and Role ARN fields.

  3. Choose Region of your target bucket from the drop-down list.

  4. Optionally, enable Batching and set the count of items to be batched (Item count bound) and period of time at which batching is to occur (Time bound(in seconds)).

  5. Optionally, add Object Key Prefix.

    You can leverage object key name prefixes to deduce the logical hierarchy of sub-buckets or sub-folders within the bucket. This allows you to distinctly identify each object stored in the bucket.

  6. Pair your action with the previously created event listener without leaving the Actions view. To do this, click the + EVENT LISTENERS button and select Choose an existing event listener.

  7. Save your newly created action by clicking the SAVE CHANGES button.

Last updated on