
Publish SMS messages through master account in AWS


We have a multi-account setup on AWS. There is a master account and separated accounts for dev, staging and prod. We have enabled sending SMS messages on the master account (exited the SMS sandbox).

I would now like to send an SMS message through the master account from the dev one. In a standard case, I would just publish a message to the correct ARN (and make sure beforehand that the proper permissions exist). However, when sending SMS messages there is no ARN, so I am stuck. Is there a way to achieve it?

For the reference, this is how I can send a message on dev (with the sandbox mode on):

import logging

import boto3
import botocore.exceptions

logger = logging.getLogger(__name__)

# recipient, message and sender are supplied by the caller
client = boto3.client("sns")
try:
    client.publish(
        PhoneNumber=recipient,
        Message=message,
        MessageAttributes={
            'AWS.SNS.SMS.SenderID': {
                'DataType': 'String',
                'StringValue': sender
            }
        }
    )
except botocore.exceptions.ClientError as error:  # noqa
    logger.error(f'An error occurred while sending SMS message: {error}')

Is there a way to target a different account? I was thinking about providing an aws_access_key_id and aws_secret_access_key, but maybe there is another way?


Solution

  • You should:

    • Create an IAM Role in the master account that has permissions to send the SMS message, and a trust policy that allows the IAM Role to be 'assumed' from the child account
    • Grant permission to the appropriate IAM User or IAM Role in the child account to assume the IAM Role in the master account
    • The code would then call AssumeRole() to assume the IAM Role from the master account and then use the returned credentials to send the SMS message
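The three steps above, worked through as an added example (not code from the question or the answer): the trust policy and permissions policy to attach to the master-account role, and the AssumeRole-then-publish flow that replaces long-lived access keys with temporary STS credentials. Account IDs, role names and the session name are constructed placeholders; the STS and SNS clients are injectable so the flow can be exercised without AWS access.

```python
import json

try:
    import boto3  # optional at import time so the policy helpers can be used without it
except ImportError:
    boto3 = None

# Constructed placeholder IDs and names; substitute the real ones.
MASTER_ACCOUNT_ID = "111111111111"
CHILD_ACCOUNT_ID = "222222222222"
CHILD_PRINCIPAL_ARN = f"arn:aws:iam::{CHILD_ACCOUNT_ID}:role/dev-app-role"
SMS_ROLE_ARN = f"arn:aws:iam::{MASTER_ACCOUNT_ID}:role/sms-publisher"


def trust_policy(child_principal_arn: str) -> dict:
    """Trust policy on the master-account role: only this child principal may assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": child_principal_arn},
        "Action": "sts:AssumeRole"}]}


def permissions_policy() -> dict:
    """Permissions on the master-account role: sns:Publish only. SMS publishes have no
    topic ARN, so Resource must be '*'; no other SNS actions are granted."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sns:Publish", "Resource": "*"}]}


def publish_sms_via_master(recipient, message, sender, role_arn=SMS_ROLE_ARN,
                           sts_client=None, sns_client_factory=None):
    """Assume the master-account role with STS and publish the SMS using the temporary
    credentials it returns. Clients are injectable so the flow can be tested offline."""
    sts = sts_client or boto3.client("sts")
    creds = sts.assume_role(RoleArn=role_arn, RoleSessionName="sms-publish")["Credentials"]
    make_sns = sns_client_factory or (lambda **kw: boto3.client("sns", **kw))
    sns = make_sns(aws_access_key_id=creds["AccessKeyId"],
                   aws_secret_access_key=creds["SecretAccessKey"],
                   aws_session_token=creds["SessionToken"])  # short-lived; nothing to store
    return sns.publish(PhoneNumber=recipient, Message=message,
                       MessageAttributes={"AWS.SNS.SMS.SenderID": {
                           "DataType": "String", "StringValue": sender}})


if __name__ == "__main__":
    # Print the two policy documents to attach when creating the role in the master account.
    print(json.dumps(trust_policy(CHILD_PRINCIPAL_ARN), indent=2))
    print(json.dumps(permissions_policy(), indent=2))
```

The child-account principal additionally needs an identity policy allowing sts:AssumeRole on the master role's ARN; the trust policy alone is not sufficient.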