Cross account access with IAM - Amazon IoT Core
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Cross account access with IAM

Amazon IoT Core allows you to enable a principal to publish or subscribe to a topic that is defined in an Amazon Web Services account not owned by the principal. You configure cross account access by creating an IAM policy and IAM role and then attaching the policy to the role.

First, create a customer managed IAM policy as described in Creating IAM Policies, just like you would for other users and certificates in your Amazon Web Services account.

For devices registered in the Amazon IoT Core registry, the following policy grants a device permission to connect to Amazon IoT Core using a client ID that matches the device's thing name, and to publish to the topic my/topic/thing-name, where thing-name is the device's thing name:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Connect"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:topic/my/topic/${iot:Connection.Thing.ThingName}"
            ]
        }
    ]
}

For devices not registered in the Amazon IoT Core registry, the following policy grants a device permission to connect to Amazon IoT Core with the client ID client1 and to publish to a client ID-specific topic whose name is prefixed with my/topic/, in your account (123456789012):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Connect"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:client/client1"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:123456789012:topic/my/topic/${iot:ClientId}"
            ]
        }
    ]
}

Next, follow the steps in Creating a role to delegate permissions to an IAM user. Enter the account ID of the Amazon Web Services account with which you want to share access. Then, in the final step, attach the policy you just created to the role. If, at a later time, you need to change the Amazon Web Services account ID to which you are granting access, edit the role's trust policy using the following format (IAM ARNs have no Region field, so the Region position in the ARN is left empty):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::567890123456:user/MyUser"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
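The following is an added example, not code from the Amazon IoT Core documentation: a small offline evaluator for the registered-thing policy above and a builder for the trust policy. It expands the ${iot:Connection.Thing.ThingName} variable from a constructed connection context and shows why the variable-scoped resource ARNs keep a device confined to its own client ID and topic (the thing name sensor-1 and the helper names are assumptions for the illustration).

```python
import fnmatch
import re

ACCOUNT = "123456789012"  # account ID used in the policies on this page
REGION = "us-east-1"
THING_VAR = "${iot:Connection.Thing.ThingName}"

# The first policy from the page, for devices registered in the IoT Core registry.
REGISTERED_THING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iot:Connect"],
         "Resource": [f"arn:aws:iot:{REGION}:{ACCOUNT}:client/{THING_VAR}"]},
        {"Effect": "Allow", "Action": ["iot:Publish"],
         "Resource": [f"arn:aws:iot:{REGION}:{ACCOUNT}:topic/my/topic/{THING_VAR}"]},
    ],
}


def substitute(resource, ctx):
    """Expand ${iot:...} policy variables from the connection context (a dict we
    construct here). A variable absent from the context, e.g. an unregistered
    device that has no thing name, is left unexpanded, so it never matches a
    real ARN and the request is denied instead of silently widened."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), m.group(0)), resource)


def is_allowed(policy, action, resource_arn, ctx):
    """IAM-style evaluation: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, substitute(r, ctx)) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_publish(thing_name, topic, ctx=None):
    """May a device connected as registered thing thing_name publish to topic?
    Pass ctx={} to model a device that is not in the registry."""
    ctx = ctx if ctx is not None else {"iot:Connection.Thing.ThingName": thing_name}
    return is_allowed(REGISTERED_THING_POLICY, "iot:Publish",
                      f"arn:aws:iot:{REGION}:{ACCOUNT}:topic/{topic}", ctx)


def trust_policy(account_id, user_name):
    """Trust policy for the cross-account role; IAM ARNs carry no Region field."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": f"arn:aws:iam::{account_id}:user/{user_name}"},
                           "Action": "sts:AssumeRole"}]}
```

can_publish("sensor-1", "my/topic/sensor-1") returns True, while the same device asking for my/topic/sensor-2, or a device with no thing name in its context, is refused.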