---
source_url: https://www.pubnub.com/docs/serverless/events-and-actions/actions/create-s3-action
title: Create S3 action
updated_at: 2026-06-04T11:13:36.420Z
---

> Documentation Index
> For a curated overview of PubNub documentation, see: https://www.pubnub.com/docs/llms.txt
> For the full list of all documentation pages, see: https://www.pubnub.com/docs/llms-full.txt


# Create S3 action

:::tip Logs from Functions
You can use the S3 action to export logs from your Functions. Read the [docs](https://www.pubnub.com/docs/serverless/functions/functions-in-admin-portal#export-logs-through-events--actions) for more information.
:::

First, set up an [Amazon S3 bucket](#create-a-bucket) and an [IAM role](#create-an-iam-role). If you already have both, go to [Admin Portal configuration](#configure-admin-portal).

Use
Terraform

```hcl
resource "random_string" "random" {
  length = 8
  upper = false
  special = false
}
resource "aws_s3_bucket" "pubnub_s3" {
  bucket = "pubnub-s3-example-${random_string.random.result}"
  tags = {
    PubNub        = "Example"
  }
}
data "aws_iam_policy_document" "pubnub_s3_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::535363102202:root"]
    }
    condition {
      test     = "StringLike"
      variable = "sts:ExternalId"
      values = [
        "<PubNub subscribe key>"
      ]
    }
  }
}
resource "aws_iam_role" "pubnub_s3_example" {
  name               = "pubnub-s3-example"
  path               = "/"
  assume_role_policy = data.aws_iam_policy_document.pubnub_s3_role.json
}
resource "aws_iam_policy" "pubnub_s3_example" {
  name        = "pubnub-s3-example"
  path        = "/"
  description = "Pubnub Example S3 policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "s3:PutObject",
        ]
        Effect   = "Allow"
        Resource = aws_s3_bucket.pubnub_s3.arn
      },
    ]
  })
}
resource "aws_iam_role_policy_attachment" "pubnub-s3-attach" {
  role       = aws_iam_role.pubnub_s3_example.name
  policy_arn = aws_iam_policy.pubnub_s3_example.arn
}
```

show all
54
lines

## Create a bucket

1. Open [Amazon S3](https://console.aws.amazon.com/s3/) and go to **Buckets**.
2. Click **Create bucket**. Enter a name. Choose a region.
3. Configure any settings you need.
4. Click **Create bucket**.
5. Copy the bucket name and region for later.

## Create an IAM role

Create an IAM role with write permission to S3.

1. Open AWS Identity and Access Management and go to Roles.
2. Click Create role and name the role.
3. Select AWS account as the Trusted entity type.
4. In An AWS account, choose Another AWS account. Enter 535363102202 as the Account ID. This is PubNub’s AWS account ID. It lets PubNub assume the role to write to your bucket.
5. Under Options, select Require external ID.
6. Paste your app’s subscribe key from the Admin Portal into External ID. Optional, recommended by AWS. It uses your subscribe key as the external ID for PubNub. Access policy example: 1{2 "Version": "2012-10-17",3 "Statement": [4 {5 "Effect": "Allow",6 "Principal": {7 "AWS": "arn:aws:iam::535363102202:root"8 },9 "Action": "sts:AssumeRole",10 "Condition": {11 "StringEquals": {12 "sts:ExternalId": "<PubNub subscribe key>"13 }14 }15 }16 ]17} Click Next.
7. Create a permissions policy with s3:PutObject. Click Create policy. Switch to JSON. Paste the snippet below. Replace Resource with your bucket ARN. 1{2 "Statement": [3 {4 "Action": [5 "s3:PutObject"6 ],7 "Effect": "Allow",8 "Resource": "<ARN of customer's S3 bucket>"9 // Follow these guidelines for the correct Amazon Resource Name (ARN) pattern:10 // https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html11 }12 ],13 "Version": "2012-10-17"14} Finish the policy in the wizard.
8. Select the policy and click Next.
9. Name the role and click Create Role.
10. Copy the role ARN for later.

## Configure Admin Portal

1. In **Events & Actions** on the [Admin Portal](https://admin.pubnub.com/), click **+ Add Action**.
2. Click **Amazon S3** to select the action type.
3. Paste the **Bucket Name** and **Role ARN** values.
4. Choose the **Region** of your target bucket.
5. (Optional) Enable and configure **Batching**.
6. (Optional) Enable and configure [retries](https://www.pubnub.com/docs/serverless/events-and-actions/events#retries) in **AWS S3 retry**.
7. (Optional) Add an **Object key prefix**. You can use prefixes to organize objects like folders.
8. Pair the action with an event listener in **Actions**. Click **Add event listener** and select an existing listener or [create one](https://www.pubnub.com/docs/serverless/events-and-actions/configure-e&a#create-event-listener).
9. Click **Save changes**.

## Terms in this document

* **PubNub** - PubNub is a real-time messaging platform that provides APIs and SDKs for building scalable applications. It handles the complex infrastructure of real-time communication, including: Message delivery and persistence, Presence detection, Access control, Push notifications, File sharing, Serverless processing with Functions and Events & Actions, Analytics and monitoring with BizOps Workspace, AI-powered insights with Illuminate.
* **Subscribe Key** - A unique identifier that allows your application to receive messages from PubNub channels. It's part of your app's credentials and should be kept secure.