Authenticating using IoT certificate in one account to access API Gateway/Lambda defined in another (sandbox) account

0

Hello!

How do I implement IoT certificate authentication defined in one account (the parent account) to access resources like an HTTP API Gateway/Lambda defined in another (sandbox) account? I would like to implement the idea outlined here https://aws.amazon.com/blogs/security/how-to-eliminate-the-need-for-hardcoded-aws-credentials-in-devices-by-using-the-aws-iot-credentials-provider/ but access an API Gateway defined in the sandbox account instead of directly accessing DynamoDB in the parent account. Authentication to access single-account resources can be implemented with "iot:AssumeRoleWithCertificate", but this idea does not work if the referenced policy resides in another account. I also tried referencing a parent-account policy that allows "execute-api:Invoke" with the ARN of the sandbox-account API Gateway; this allows me to get scoped credentials, but executing the signed HTTPS request fails with status 403 "Forbidden". Existing IoT registrations (things, certificates) should remain.

Thank you!

1 Answer
1
Accepted Answer

You will not be able to directly assume a role in a different account than the parent account. You need to delegate the role assumption: basically, assume a role in the parent account and get credentials on the IoT device. Use these credentials to assume a new role in the sandbox account. Use the new credentials to call the AWS service in the sandbox account. The steps are outlined here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

EXPERT
answered a year ago
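The two-hop chain described in the accepted answer, as an added example that is not part of the original post: the device first obtains parent-account credentials from the IoT credentials provider using its certificate (the `parse_iot_creds` helper takes that endpoint's JSON response), then uses them to assume a role in the sandbox account via STS, and finally signs the `execute-api` request with the sandbox credentials. The role ARN, host, path and `sts_assume` injection hook are assumptions for illustration; the SigV4 signer uses only the standard library.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote

def parse_iot_creds(payload):
    """Hop 1: credentials-provider response -> parent-account credentials."""
    c = payload["credentials"]
    return {"ak": c["accessKeyId"], "sk": c["secretAccessKey"], "tok": c["sessionToken"]}

def assume_sandbox_role(parent_creds, role_arn, session_name, sts_assume=None):
    """Hop 2: use parent-account creds to AssumeRole in the sandbox account.
    sts_assume is an injection hook (hypothetical); by default it calls boto3."""
    if sts_assume is None:
        import boto3  # only needed on a real device, not for the offline test
        sts = boto3.client("sts", aws_access_key_id=parent_creds["ak"],
                           aws_secret_access_key=parent_creds["sk"],
                           aws_session_token=parent_creds["tok"])
        sts_assume = sts.assume_role
    r = sts_assume(RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]
    return {"ak": r["AccessKeyId"], "sk": r["SecretAccessKey"], "tok": r["SessionToken"]}

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_headers(creds, method, host, path, region, body=b"", now=None):
    """Hop 3: SigV4-sign an API Gateway (execute-api) request with sandbox creds.
    The session token is included as a signed header, as temporary creds require."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date, scope_date = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    service = "execute-api"
    headers = {"host": host, "x-amz-date": amz_date, "x-amz-security-token": creds["tok"]}
    signed = ";".join(sorted(headers))
    canon_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    payload_hash = hashlib.sha256(body).hexdigest()
    canonical = "\n".join([method, quote(path, safe="/"), "", canon_headers, signed, payload_hash])
    scope = f"{scope_date}/{region}/{service}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = _hmac(("AWS4" + creds["sk"]).encode(), scope_date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    sig = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={creds['ak']}/{scope}, "
                                f"SignedHeaders={signed}, Signature={sig}")
    return headers
```

If the sandbox role's trust policy does not name the parent-account role as a principal, the AssumeRole call (not the API Gateway request) is where the chain fails, which makes the problem easier to see than a bare 403 from execute-api.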
