When adding a Reactor rule for an AWS endpoint (e.g. a Reactor Events rule for an AWS Lambda function, or a Reactor Firehose rule for AWS Kinesis or AWS SQS), you can choose one of two ways to authenticate Ably so that it can invoke your function or publish to your Kinesis stream or SQS queue:


  1. Credentials
  2. ARN of an assumable role


1. Credentials


These are a set of AWS credentials (in AWS terminology, an 'access key id' and a 'secret access key') belonging to an AWS IAM user that has permissions to invoke your function, publish to your AWS SQS queue or AWS Kinesis stream, etc.


This is the simplest, least error-prone way, and is recommended for most people. If you're not sure which way to use, use credentials.


2. ARN of an assumable role


This way lets you delegate access to resources in your account using an IAM role that Ably can assume, avoiding the need to share user credentials with Ably. See http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html.


To do this, create an IAM role with a trust policy that names the account number 203461409171 as the Principal and has an sts:ExternalId condition equal to your Ably account ID and app ID joined with a period. (This value will be shown in the rule creation dialogue once you select this authentication method.)


{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Principal": {"AWS": "203461409171"},
    "Condition": {"StringEquals": {"sts:ExternalId": "<accountID>.<appId>"}}
  }
}


Then give that role permissions to invoke your function, publish to your AWS Kinesis stream or AWS SQS queue, etc.
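The following Python script is an added example, not Ably's or AWS's own code. It builds the two policy documents the role needs (the trust policy from the page, with the sts:ExternalId condition, and a least-privilege permissions policy scoped to a single function, stream or queue) and includes a small checker that reviews a trust policy for the two mistakes that matter most here: a principal wider than Ably's account, and a missing or wrong external ID. The Ably account number 203461409171 and the "<accountID>.<appId>" format come from the page; the IAM action names are standard AWS actions; every resource ARN, account ID and app ID in the script is a constructed placeholder. The permissions policy also works unchanged as the policy of an IAM user if you choose the credentials option instead.

```python
"""Build and sanity-check the IAM policy documents for an Ably Reactor
assumable role.

Added example, not Ably's or AWS's own code. The Ably principal account
(203461409171) and the "<accountID>.<appId>" external-ID format are taken
from the page; every resource ARN, account ID and app ID below is a
constructed placeholder.
"""
import json

ABLY_PRINCIPAL_ACCOUNT = "203461409171"  # Ably's AWS account, per the page

# Least-privilege actions per Reactor target type (standard AWS IAM actions;
# granting one target type per role keeps the grant narrow).
TARGET_ACTIONS = {
    "lambda": ["lambda:InvokeFunction"],
    "kinesis": ["kinesis:PutRecord", "kinesis:PutRecords"],
    "sqs": ["sqs:SendMessage"],
}


def external_id(ably_account_id: str, app_id: str) -> str:
    """The external ID Ably presents: account ID and app ID joined with a period."""
    return f"{ably_account_id}.{app_id}"


def trust_policy(ably_account_id: str, app_id: str) -> dict:
    """Trust policy: only Ably's account may assume the role, and only when it
    presents the expected external ID (the confused-deputy guard)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {"AWS": ABLY_PRINCIPAL_ACCOUNT},
            "Condition": {"StringEquals": {
                "sts:ExternalId": external_id(ably_account_id, app_id)}},
        }],
    }


def permissions_policy(target_type: str, resource_arn: str) -> dict:
    """Permissions policy scoped to one action set and one resource ARN.
    Usable as the role's policy or, for the credentials option, as the IAM
    user's policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": TARGET_ACTIONS[target_type],
            "Resource": resource_arn,
        }],
    }


def _as_list(value):
    # IAM accepts a single object/string or a list in most positions.
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy: dict, expected_external_id: str) -> list:
    """Review a trust policy (e.g. one pulled from an existing role) and return
    a list of findings; an empty list means every AssumeRole grant is scoped
    to Ably's account and requires the expected external ID."""
    findings = []
    ably_principals = {
        ABLY_PRINCIPAL_ACCOUNT,
        f"arn:aws:iam::{ABLY_PRINCIPAL_ACCOUNT}:root",
    }
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        for p in _as_list(aws or []):
            if p == "*":
                findings.append("AssumeRole is open to any AWS principal")
            elif p not in ably_principals:
                findings.append(f"AssumeRole granted to non-Ably principal {p}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        got = cond.get("sts:ExternalId")
        if got is None:
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
        elif got != expected_external_id:
            findings.append(f"sts:ExternalId {got!r} != {expected_external_id!r}")
    return findings


if __name__ == "__main__":
    # Constructed placeholder identifiers; real values come from the Ably dialogue.
    policy = trust_policy("AAAAAA", "bbbbbb")
    print(json.dumps(policy, indent=2))
    print(json.dumps(permissions_policy(
        "lambda", "arn:aws:lambda:us-east-1:111122223333:function:reactor-handler"), indent=2))
    print("findings:", check_trust_policy(policy, "AAAAAA.bbbbbb"))
```

The checker treats a `"Statement"` given as a single object (as in the policy above) and as a list identically, since IAM accepts both. Run it against the trust policy of any existing role before attaching the permissions policy: any finding means the role can be assumed by more than Ably, or without proof that the request was made on behalf of your specific app.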