Amazon Pinpoint
Developer Guide

IAM Role for Streaming Events to Kinesis

Amazon Pinpoint can automatically send app usage data, or event data, from your app to a Kinesis stream or an Amazon Kinesis Firehose delivery stream in your AWS account. Before Amazon Pinpoint can begin streaming the event data, you must delegate the required permissions to Amazon Pinpoint.

If you use the console to set up event streaming, Amazon Pinpoint automatically creates an AWS Identity and Access Management (IAM) role with the required permissions. For more information, see Streaming Amazon Pinpoint Events to Amazon Kinesis in the Amazon Pinpoint User Guide.

If you want to create the role manually, attach the following policies to the role:

  • A permissions policy that allows Amazon Pinpoint to send records to your stream.

  • A trust policy that allows Amazon Pinpoint to assume the role.

For more information about IAM roles, see IAM Roles in the IAM User Guide.

After you create the role, you can configure Amazon Pinpoint to automatically send events to your stream. For more information, see Streaming Amazon Pinpoint Events to Kinesis.

Permissions Policies

To allow Amazon Pinpoint to send event data to your stream, attach one of the following policies to the role.

Amazon Kinesis Streams

The following policy allows Amazon Pinpoint to send event data to a Kinesis stream.

{
  "Version": "2012-10-17",
  "Statement": {
    "Action": [
      "kinesis:PutRecords",
      "kinesis:DescribeStream"
    ],
    "Effect": "Allow",
    "Resource": [
      "arn:aws:kinesis:region:account-id:stream/stream-name"
    ]
  }
}

Amazon Kinesis Firehose

The following policy allows Amazon Pinpoint to send event data to a Kinesis Firehose delivery stream.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "firehose:PutRecordBatch",
      "firehose:DescribeDeliveryStream"
    ],
    "Resource": [
      "arn:aws:firehose:region:account-id:deliverystream/delivery-stream-name"
    ]
  }
}

Trust Policy

To allow Amazon Pinpoint to assume the IAM role and perform the actions allowed by the permissions policy, attach the following trust policy to the role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "pinpoint.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
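Before attaching the permissions policy and trust policy above, it is worth checking that they grant no more than this topic describes: only the listed Kinesis or Firehose actions, only on one named stream ARN, and only pinpoint.amazonaws.com as the trusted principal. The following checker is an added example (not part of the Amazon Pinpoint documentation or any AWS tool); the region, account ID and stream name in its sample policy are constructed values standing in for the placeholders above.

```python
import re
# Actions the guide lists for each stream type; anything beyond them is over-privileged.
ALLOWED_ACTIONS = {
    "kinesis": {"kinesis:PutRecords", "kinesis:DescribeStream"},
    "firehose": {"firehose:PutRecordBatch", "firehose:DescribeDeliveryStream"},
}
# Resource ARN shapes the guide uses: one named stream in one account, no wildcards.
ARN_PATTERNS = {
    "kinesis": re.compile(r"^arn:aws:kinesis:[a-z0-9-]+:\d{12}:stream/[^*]+$"),
    "firehose": re.compile(r"^arn:aws:firehose:[a-z0-9-]+:\d{12}:deliverystream/[^*]+$"),
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allow_statements(policy):
    # IAM accepts "Statement" as a single object or a list; the guide uses both forms.
    return [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]

def check_trust_policy(policy):
    """Return findings for a trust policy that should let only Pinpoint assume the role."""
    findings = []
    for s in _allow_statements(policy):
        principal = s.get("Principal", {})
        # Flatten {"Service": ...}, {"AWS": ...} or a bare "*" into one list of principals.
        values = ([v for vals in principal.values() for v in _as_list(vals)]
                  if isinstance(principal, dict) else [principal])
        findings += [f"unexpected trusted principal: {v}" for v in values if v != "pinpoint.amazonaws.com"]
        extra = set(_as_list(s.get("Action", []))) - {"sts:AssumeRole"}
        if extra:
            findings.append(f"trust policy grants actions beyond sts:AssumeRole: {sorted(extra)}")
    return findings

def check_permissions_policy(policy, stream_type):
    """Return findings where the role's permissions exceed what event streaming needs."""
    findings = []
    for s in _allow_statements(policy):
        extra = set(_as_list(s.get("Action", []))) - ALLOWED_ACTIONS[stream_type]
        if extra:
            findings.append(f"actions beyond what event streaming needs: {sorted(extra)}")
        for res in _as_list(s.get("Resource", [])):
            if not ARN_PATTERNS[stream_type].match(res):
                findings.append(f"resource is not a single {stream_type} stream ARN: {res}")
    return findings

# Constructed sample: the guide's Kinesis policy with its placeholders filled in.
GOOD_KINESIS = {"Version": "2012-10-17", "Statement": {"Effect": "Allow",
    "Action": ["kinesis:PutRecords", "kinesis:DescribeStream"],
    "Resource": ["arn:aws:kinesis:us-east-1:123456789012:stream/pinpoint-events"]}}
```

An empty findings list means the document matches the shape in this topic; a policy with "Resource": "*" or "kinesis:*" produces one finding per problem so it can be rejected before put-role-policy is run.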

Creating the IAM Role (AWS CLI)

Complete the following steps to create the IAM role by using the AWS Command Line Interface (AWS CLI).

If you have not installed the AWS CLI, see Getting Set Up with the AWS Command Line Interface in the AWS Command Line Interface User Guide.

To create the role by using the IAM console, see Setting up Event Streaming in the Amazon Pinpoint User Guide.

To create the IAM role by using the AWS CLI

  1. Create a JSON file that contains the trust policy for your role, and save the file locally. You can copy the trust policy provided in this topic.

  2. Use the create-role command to create the role and attach the trust policy:

    aws iam create-role --role-name PinpointEventStreamRole --assume-role-policy-document file://PinpointEventStreamTrustPolicy.json

    Following the file:// prefix, specify the path to the JSON file that contains the trust policy.

    When you run this command, the AWS CLI prints the following output in your terminal:

    {
      "Role": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "pinpoint.amazonaws.com"
              }
            }
          ]
        },
        "RoleId": "AIDACKCEVSQ6C2EXAMPLE",
        "CreateDate": "2017-02-28T18:02:48.220Z",
        "RoleName": "PinpointEventStreamRole",
        "Path": "/",
        "Arn": "arn:aws:iam::111122223333:role/PinpointEventStreamRole"
      }
    }

  3. Create a JSON file that contains the permissions policy for your role, and save the file locally. You can copy one of the policies provided in the Permissions Policies section.

  4. Use the put-role-policy command to attach the permissions policy to the role:

    aws iam put-role-policy --role-name PinpointEventStreamRole --policy-name PinpointEventStreamPermissionsPolicy --policy-document file://PinpointEventStreamPermissionsPolicy.json

    Following the file:// prefix, specify the path to the JSON file that contains the permissions policy.