AWS authentication
Delegate access to your AWS resources by creating an IAM role that the Ably AWS account can assume. This follows AWS best practices, as it avoids sharing access keys directly. Specify the role’s ARN, which grants Ably the necessary permissions in a secure manner. For more information, see the AWS guide on cross-account roles.
When using this scheme there are two steps you need to carry out:
Create a policy
The following sections describe how to create a policy for the three main AWS services that Ably integrations supports:
The following steps show you how to create a policy for AWS Lambda.
- In the IAM console sidebar select “Policies”.
- Click “Create Policy”.
- Click the JSON tab and enter the following JSON to configure the policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowInvokeLambdaFunction",
"Effect": "Allow",
"Action": [
"lambda:InvokeAsync",
"lambda:InvokeFunction"
],
"Resource": [
"arn:aws:lambda:<YOUR_AWS_REGION>:<YOUR_AWS_ACCOUNT>:function:<YOUR_FUNCTION_NAME>"
]
}
]
}
CopyCopied!Note: You will need to replace <YOUR_AWS_REGION>, <YOUR_AWS_ACCOUNT>, and <YOUR_FUNCTION_NAME> with the AWS region that hosts your AWS Lambda function, your AWS account ID, and your AWS Lambda function name respectively.
- Click “Next: Tags”. You don’t need to add any tags.
- Click “Next: Review”.
- Enter a suitable name for your policy.
- Click “Create Policy”.
You have created a policy that grants the permissions required to invoke a Lambda function. You must now attach it to the role that you’ll specify in your Ably integration rule. The next step is to create the role.
The following steps show you how to create a policy for AWS SQS.
- In the IAM console sidebar select “Policies”.
- Click “Create Policy”.
- Click the JSON tab and enter the following JSON to configure the policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowReadWriteSQS",
"Effect": "Allow",
"Action": [
"sqs:DeleteMessage",
"sqs:TagQueue",
"sqs:GetQueueUrl",
"sqs:ChangeMessageVisibility",
"sqs:DeleteMessageBatch",
"sqs:SendMessageBatch",
"sqs:UntagQueue",
"sqs:ReceiveMessage",
"sqs:SendMessage",
"sqs:ListQueueTags",
"sqs:ChangeMessageVisibilityBatch"
],
"Resource": [
"arn:aws:sqs:<YOUR_AWS_REGION>:<YOUR_AWS_ACCOUNT>:<YOUR_QUEUE_NAME>"
]
}
]
}
CopyCopied!Note: You will need to replace <YOUR_AWS_REGION>, <YOUR_AWS_ACCOUNT>, and <YOUR_QUEUE_NAME> with the AWS region that hosts your SQS queue, your AWS account ID, and your SQS queue name respectively.
- Click “Next: Tags”. You don’t need to add any tags.
- Click “Next: Review”.
- Enter a suitable name for your policy.
- Click “Create Policy”.
You have created a policy that grants the permissions required to use an SQS queue. You must now attach it to the role that you’ll specify in your Ably integration rule. The next step is to create the role.
The following steps show you how to create a policy for AWS Kinesis.
- In the IAM console sidebar select “Policies”.
- Click “Create Policy”.
- Click the JSON tab and enter the following JSON to configure the policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ReadWriteToSingleStream",
"Effect": "Allow",
"Action": [
"kinesis:DescribeLimits",
"kinesis:DescribeStream",
"kinesis:GetShardIterator",
"kinesis:GetRecords",
"kinesis:ListTagsForStream",
"kinesis:MergeShards",
"kinesis:PutRecord",
"kinesis:PutRecords",
"kinesis:UpdateShardCount"
],
"Resource": [
"arn:aws:kinesis:<YOUR_AWS_REGION>:<YOUR_AWS_ACCOUNT>:stream/<YOUR_STREAM_NAME>"
]
}
]
}
CopyCopied!Note: You will need to replace <YOUR_AWS_REGION>, <YOUR_AWS_ACCOUNT> and <YOUR_STREAM_NAME> with the AWS region that hosts your Kinesis stream, your AWS account ID, and your Kinesis stream name respectively.
- Click “Next: Tags”. You don’t need to add any tags.
- Click “Next: Review”.
- Enter a suitable name for your policy.
- Click “Create Policy”.
You have created a policy that grants the permissions required to use a Kinesis stream. You must now attach it to the role that you’ll specify in your Ably integration rule. The next step is to create the role.
Create a role
Create an IAM role as follows:
- In the AWS IAM console, click “Roles” in the sidebar and then click the “Create Role” button.
- For type of trusted entity select “Another AWS account”.
- For Account ID specify 203461409171. This is the Ably AWS account.
- Click the “Require external ID checkbox” and then enter an external ID of
<Your_Ably_Account_ID>.<Your_Ably_app_ID>. This is also displayed when you create an Ably AWS Lambda, AWS Kinesis, or AWS SQS integration rule and select the “ARN of an assumable role” radio button in the create rule dialog. Learn more about finding your App ID here. - Click “Next: Permissions”.
- Now select the policy you created earlier to attach to this role. You can type the name of your policy into the “Filter policies” search box.
Then ensure the checkbox for the policy is selected.
- Click “Next: Tags”.
- You don’t need to add tags so click “Next: Review”.
- Enter a suitable name for your role.
- Click “Create Role”.
When setting up an Ably integration rule, you can copy the ARN for your rule using the button provided.
Using the ARN of the role
When creating the Ably integration rule, enter the ARN of the rule created into the “Assume Role ARN“ text field of the rule creation dialog.
Testing the rule
You can test your Ably rule by clicking “Test rule” in the Dashboard. If the test returns success you have the necessary AWS permissions in place and are correctly configured.