Create SQS action

You must first configure AWS to have an Amazon SQS queue and an IAM role. If you've already done it, proceed to the Admin Portal configuration section.

Use Terraform
resource "aws_sqs_queue" "pubnub_queue" {
name = "pubnub-example"
fifo_queue = false

data "aws_iam_policy_document" "pubnub_sqs_role" {
statement {
actions = ["sts:AssumeRole"]

principals {
type = "AWS"
identifiers = ["arn:aws:iam::535363102202:root"]

show all 55 lines

Create a queue

  1. Log into your Amazon SQS account and head to the Queues view.

  2. To create a queue, click the top-right Create queue button and give the queue a meaningful name.

    Supported queue type

    Events & Actions only supports the standard queue type.

  3. Click the Create queue bottom-right button to save the setup.

  4. Copy the queue URL (URL field) to use it later in the Admin Portal.

Create an IAM role

Create an IAM role with write permissions to SQS.

  1. Log into your AWS Identity and Access Management account and head to Roles under the Access Management section in the left navigation.

  2. Click the top-right Create role button and give the role a meaningful name.

  3. In Step 1 of the role configuration screen, mark AWS account as Trusted entity type.

  4. In the An AWS account section, select Another AWS account and put 535363102202 (PubNub account number) as the Account ID. This way, the role's trust relationship allows our service to assume your role to write to the queue.

  5. Under Options, mark Require external ID and paste your app's subscribe key from the Admin Portal in the External ID field.

This step is optional but recommended by the AWS best practices. This way, you assign the app's subscribe key as an external ID that would assume the newly created role in all PubNub calls. See the related Access policy details:

"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::535363102202:root"
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<PubNub subscribe key>"
show all 17 lines

Click Next to move to the second configuration step.

  1. In Step 2 of the role configuration screen, create a new permissions policy that gives write access to SQS (look for the sqs:SendMessage policy permission). To do that, click the Create policy button and switch to the JSON tab. Paste the following snippet changing the Resource to your SQS queue ARN.
"Statement": [
"Action": [
"Effect": "Allow",
"Resource": "<ARN of customer's SQS queue>"
"Version": "2012-10-17"

Finish the policy configuration by following the wizard steps.

  1. When you've created the policy, select it from the list and click Next to move to the third configuration step.

  2. In Step 3 of the role configuration screen, name the role and click Create Role to confirm the changes.

  3. Search for the role and copy its ARN (ARN field) to use it later in the Admin Portal.

Configure Admin Portal

  1. In the Events & Actions view on the Admin Portal, create an action by clicking on the + Add Action button.

  2. Click Amazon SQS to select it as the action type.

  3. Paste both Amazon URL (queue) and ARN (role) values under the Queue URL and Role ARN fields.

  4. Optionally, enable and configure retries through the SQS retry option.

  5. Pair your action with an event listener without leaving the Actions view. To do this, click the Add event listener button and select an existing event listener or create a new one.

  6. Save your newly created action by clicking the Save changes button.

Last updated on