Sal

Reputation: 874

CodeBuild is not authorized to perform: sts:AssumeRole with condition

I am using Terraform to deploy a service role for CodeBuild using a trust policy from this guide.

The service role mentioned in the guide sets conditions on the trust policy to avoid the confused deputy problem, but with those conditions CodeBuild is not able to assume the role, and I get this error:

CodeBuild is not authorized to perform: sts:AssumeRole on arn:aws:iam::<account-ID>:role/<my-role>

Without the conditions everything works fine.

Any suggestions?


Trust policy from the guide:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "codebuild.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "<account-ID>"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:codebuild:<region-ID>:<account-ID>:project/<project-name>"
        }
      }
    }
  ]
}

Generated trust policy in my role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "codebuild.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "<account-ID>"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:codebuild:us-west-2:<account-ID>:project/<my-project>"
                }
            }
        }
    ]
}

Upvotes: 1

Views: 1210

Answers (1)

Joaquín Muleiro

Reputation: 190

You need to replace <account-ID> with your actual numeric AWS account ID and <my-project> with the name of the CodeBuild project that should be allowed to assume that role.

Upvotes: 0
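As an added illustration (not part of the question or the answer above), the Python script below models how STS evaluates the two confused-deputy conditions in the trust policy: StringEquals on aws:SourceAccount and ArnLike on aws:SourceArn, where the request context carries the account and ARN of the CodeBuild project doing the AssumeRole. It flags unreplaced <...> placeholders explicitly, which is the failure the answer describes, and also shows that a wildcard pattern such as project/* is accepted by ArnLike. The account ID, project name and all function names are assumptions for the example; it only models these two operators and ignores Deny statements, so it is a sanity check on the policy document, not a substitute for the IAM policy simulator.

```python
import fnmatch
import json
import re

# Constructed sample values (assumed, not from the question): a fake account
# and a CodeBuild project ARN in the region used by the generated policy.
ACCOUNT_ID = "123456789012"
PROJECT_ARN = f"arn:aws:codebuild:us-west-2:{ACCOUNT_ID}:project/my-project"

# Anything still wrapped in angle brackets, e.g. <account-ID> or <my-project>.
PLACEHOLDER = re.compile(r"<[^<>]+>")


def _as_list(value):
    """IAM accepts a string or a list of strings in most policy fields."""
    return value if isinstance(value, list) else [value]


def arn_like(pattern, arn):
    """ArnLike: case-sensitive comparison where '*' and '?' are wildcards.

    fnmatchcase never case-folds; ARNs do not contain '[' so fnmatch's
    character-class syntax does not interfere.
    """
    return fnmatch.fnmatchcase(arn, pattern)


def condition_satisfied(condition, project_arn):
    """Evaluate a Condition block against the request context a CodeBuild
    project would present. Returns (ok, reasons); reasons is empty on success."""
    source_account = project_arn.split(":")[4]
    context = {"aws:SourceAccount": source_account, "aws:SourceArn": project_arn}
    reasons = []
    for operator, keys in condition.items():
        for key, expected in keys.items():
            expected = _as_list(expected)
            leftover = [v for v in expected if PLACEHOLDER.search(v)]
            if leftover:
                reasons.append(f"{key}: unreplaced placeholder(s) {leftover}")
                continue
            actual = context.get(key)
            if actual is None:
                # Non-"IfExists" operators fail when the key is absent.
                reasons.append(f"{key}: not in request context, condition fails")
                continue
            if operator == "StringEquals":
                ok = actual in expected
            elif operator == "ArnLike":
                ok = any(arn_like(p, actual) for p in expected)
            else:
                reasons.append(f"{operator}: operator not modelled here")
                ok = False
            if not ok:
                reasons.append(f"{operator} {key}: {actual!r} does not match {expected}")
    return (not reasons), reasons


def codebuild_can_assume(trust_policy_json, project_arn):
    """Return (allowed, reasons) for a CodeBuild project calling sts:AssumeRole
    on a role whose trust policy is the given JSON string. Deny statements
    are ignored in this simplified model."""
    policy = json.loads(trust_policy_json)
    reasons = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        services = _as_list(stmt.get("Principal", {}).get("Service", []))
        if "codebuild.amazonaws.com" not in services:
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        ok, why = condition_satisfied(stmt.get("Condition", {}), project_arn)
        if ok:
            return True, []
        reasons.extend(why)
    return False, reasons or ["no Allow statement for codebuild.amazonaws.com sts:AssumeRole"]


def trust_policy(account, source_arn):
    """Build the trust policy shape from the question with the given values."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "codebuild.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account},
                "ArnLike": {"aws:SourceArn": source_arn},
            },
        }],
    })


if __name__ == "__main__":
    cases = {
        "placeholders left in": trust_policy(
            "<account-ID>", "arn:aws:codebuild:us-west-2:<account-ID>:project/<my-project>"),
        "real values": trust_policy(ACCOUNT_ID, PROJECT_ARN),
        "wildcard project": trust_policy(
            ACCOUNT_ID, f"arn:aws:codebuild:us-west-2:{ACCOUNT_ID}:project/*"),
        "other account": trust_policy(
            "999999999999", "arn:aws:codebuild:us-west-2:999999999999:project/my-project"),
    }
    for name, policy in cases.items():
        allowed, why = codebuild_can_assume(policy, PROJECT_ARN)
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} {why}")
```

Run it as-is to see the four cases; to check a real role, replace the sample policy with the output of `aws iam get-role --role-name <my-role> --query Role.AssumeRolePolicyDocument` and the project ARN with the one from `aws codebuild batch-get-projects`.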
