Is Cross-Account Role Assumption Possible for AWS IoT Rule Republish Action?


Hello AWS Community,

I'm currently working on a project where I need to use an AWS IoT rule to republish messages to a thing shadow in a different AWS account. My main question is regarding the feasibility and correct implementation of such a setup.

Here's what I'm trying to accomplish:

Source Account: I have an AWS IoT rule that triggers on receiving certain messages. Target Account: This account owns the thing shadow that I want to update. Objective: The goal is to have the IoT rule in the source account republish messages directly to the thing shadow in the target account. The challenge I'm facing involves setting up cross-account permissions correctly, particularly around assuming a role in the target account that has the necessary permissions to update the thing shadow.

Here are my specific questions:

Is it possible for an AWS IoT rule to assume a role in another AWS account as part of its action (specifically the Republish action)? If so, what would be the recommended approach to set up the necessary IAM roles and permissions in both the source and target accounts? Are there any specific configurations or considerations to keep in mind when setting up the IoT rule and the IAM roles for this cross-account communication? Any insights, experiences, or guidance on this would be greatly appreciated. If anyone has implemented a similar setup or can point me towards relevant documentation or examples, it would be incredibly helpful.

Thank you in advance for your assistance!

asked 5 months ago166 views
1 Answer


  1. The iot rule can not send the message to another account iot topic directly now.
  2. Maybe you can configure the A account lambda function for the A account iot rule action And the lambda sends the message to another account B iot topic.
    permission and policy:
    1. Your lambda A resource base policy needs to allow the A account iot to invoke.
    2. Your B account needs to create a cert and policy(such as Python, you can quickly start in your iot console "Amazon IoT-> Connect-> one device").
  3. Then the architecture is below:
    A iot rule-> A lambda -> x509 cert -> send msg to B iot
profile picture
answered 5 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions