Can we publish SNS PushNotification to cross-account endpoints?

0

We have Mobile PlatformApplication arns in AWS account-1, and we can publish PNs to endpoint arns with our java-service in the same account. But when trying to publish PNs with our java-service in different AWS accounts, we get com.amazonaws.services.sns.model.AuthorizationErrorException.

For example: My PlatformApplication arn => arn:aws:sns:<region>:<account-id>:app/GCM/my-mobile-app-name

Once a user registers his device against this PlatformApplication arn, a device endpoint will be created as => arn:aws:sns:<region>:<account-id>:endpoint/GCM/my-mobile-app-name/<uuid>

So, publishing a message to the above endpoint arn from a different AWS account results in AuthorizationErrorException.

There seems to be no option to provide a resource-based policy for these SNS PlatformApplications (SNS PlatformApplications are not regular SNS topics). How can we solve this?

Thanks in Advance!

1 Answer
0

Hello,

You need to create an IAM role in the source account to allow publishing messages to the SNS topic in the target account. In the target account, create an SNS resource-based policy to allow access to the IAM role which was created in the source account. Please refer to the doc below if it helps.

https://aws.amazon.com/premiumsupport/knowledge-center/sns-cross-account-ec2-instance-iam-role/

AWS
answered 2 years ago
  • These are SNS Mobile PlatformApplication arns, and these don't have a resource-based policy as far as I can see in the AWS Console! I updated my question with more details.
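
An added example, not part of the thread and not AWS's own code: when a resource offers no resource-based policy, the usual cross-account pattern is a role in the owning account (account-1) that the other account's service assumes before calling Publish. The account ID, session name and helper function names below are assumptions; the ARN shapes are the ones shown in the question.

```python
import json
import re

# Matches the platform application ARN shape shown in the question.
APP_ARN = re.compile(r"^arn:aws:sns:([a-z0-9-]+):(\d{12}):app/([A-Z_]+)/([\w.-]+)$")

def endpoint_arn_pattern(app_arn):
    """Derive the wildcard ARN covering every device endpoint of one application."""
    m = APP_ARN.match(app_arn)
    if not m:
        raise ValueError(f"not a platform application ARN: {app_arn}")
    region, account, platform, name = m.groups()
    return f"arn:aws:sns:{region}:{account}:endpoint/{platform}/{name}/*"

def trust_policy(caller_role_arn):
    """Trust policy for the role in the owning account: only the named caller may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": caller_role_arn},
            "Action": "sts:AssumeRole",
        }],
    }

def publish_policy(app_arn):
    """Identity policy for that role: sns:Publish on this application's endpoints only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sns:Publish",
            "Resource": endpoint_arn_pattern(app_arn),
        }],
    }

def publish_via_role(role_arn, endpoint_arn, message):
    """Run in the calling account: assume the role, then publish with its temporary credentials."""
    import boto3  # imported here so the policy helpers work without the SDK
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName="cross-account-push")["Credentials"]
    sns = boto3.client(
        "sns", region_name=endpoint_arn.split(":")[3],
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"])
    return sns.publish(TargetArn=endpoint_arn, Message=message)["MessageId"]

if __name__ == "__main__":
    app = "arn:aws:sns:eu-west-1:111111111111:app/GCM/my-mobile-app-name"  # constructed
    print(json.dumps(publish_policy(app), indent=2))
```

The calling service's own role in the other account also needs `sts:AssumeRole` allowed on the account-1 role ARN. Scoping `Resource` to one application's endpoints keeps the assumed role from publishing to any other endpoint or topic in account-1.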
