I have several AWS CodeBuild projects that use Use-STSRole to assume a more privileged role (readwrite) in order to then read a secret from Secrets Manager. I have configured the readwrite role's Trust Relationship as:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "codebuild.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
When my CodeBuild project runs I get an error:
Use-STSRole: C:\example-stack-overflow-question\common\utility.psm1:6
Line |
6 | Use-STSRole -RoleArn $RoleArn -RoleSessionName $RoleSessionName | …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| User:
| arn:aws:sts::112233445566:assumed-role/aws-lambda-dotnet-powershe-SignProjectRole5EF6D320-X2IF2P0P1J4/AWSCodeBuild-0d189fc5-f3b6-440a-bed6-ab54ed5f6c08
| is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::112233445566:role/readwrite
How can I configure my IAM role readwrite to allow any CodeBuild project to assume that role via Use-STSRole?
I wasn't able to get the restriction for just CodeBuild to work. Instead I ended up allowing the AssumeRole action to anything in my account:

So now my CodeBuild projects can use the Use-STSRole cmdlet.
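The error text in the question shows why the original trust policy never matched: the caller is `arn:aws:sts::112233445566:assumed-role/<project-service-role>/AWSCodeBuild-...`, that is, the build is running under the CodeBuild project's own service role. A `"Service": "codebuild.amazonaws.com"` principal lets the CodeBuild service assume a role (which is how a project's service role works); it does not let credentials already obtained through that service role assume a second role. The trust policy for readwrite therefore has to name an `AWS` principal. Trusting the account root, as the accepted answer does, works but lets any principal in the account that has `sts:AssumeRole` permission take the privileged role. The script below is an added example, not code from the original post: it keeps the account-root principal but narrows it with an `aws:PrincipalTag` condition, so only service roles carrying a chosen tag can assume readwrite, and it adds the identity-policy grant that the root-principal form requires. The account ID, the readwrite role name and the service role name are taken from the question; the tag key and value (`AssumeReadWrite=true`), the inline policy name, the secret ID and the module path are assumptions. It assumes the AWS.Tools.IdentityManagement, AWS.Tools.SecurityToken and AWS.Tools.SecretsManager modules and an administrator credential to run the first three steps.

```powershell
# Added example, not from the original post. Account ID, target role and
# CodeBuild service role name come from the question's error message; the tag,
# inline policy name and secret ID are hypothetical.
$AccountId  = '112233445566'
$TargetRole = 'readwrite'
$BuildRole  = 'aws-lambda-dotnet-powershe-SignProjectRole5EF6D320-X2IF2P0P1J4'

# 1. Tag the CodeBuild project's service role. Repeat for every project that
#    should be allowed to read the secret; untagged roles stay excluded.
$Tag = New-Object Amazon.IdentityManagement.Model.Tag
$Tag.Key   = 'AssumeReadWrite'
$Tag.Value = 'true'
Add-IAMRoleTag -RoleName $BuildRole -Tag $Tag

# 2. Trust policy for readwrite: an AWS principal (account root), restricted by
#    a condition on the caller's role tag. aws:PrincipalTag is evaluated from
#    the tags of the IAM role behind the assumed-role session, so the
#    "AWSCodeBuild-<id>" session name in the error does not matter.
#    ${AccountId} is braced because "$AccountId:root" would be parsed by
#    PowerShell as a scope-qualified variable.
$TrustPolicy = @"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${AccountId}:root" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": { "aws:PrincipalTag/AssumeReadWrite": "true" }
      }
    }
  ]
}
"@
Update-IAMAssumeRolePolicy -RoleName $TargetRole -PolicyDocument $TrustPolicy

# 3. With a root principal in the trust policy, the calling role also needs an
#    identity-based allow for sts:AssumeRole on the target role. (If the trust
#    policy named the service role ARN directly instead of root, this grant
#    would not be required for same-account assumption.)
$AssumePolicy = @"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::${AccountId}:role/${TargetRole}"
    }
  ]
}
"@
Write-IAMRolePolicy -RoleName $BuildRole -PolicyName 'AllowAssumeReadWrite' `
                    -PolicyDocument $AssumePolicy

# 4. What the build itself does (the equivalent of the Use-STSRole call in
#    utility.psm1). No -Credential is passed to Use-STSRole, so it runs under
#    the CodeBuild service role; the returned temporary credentials are then
#    used only for the Secrets Manager read. CODEBUILD_BUILD_NUMBER is set by
#    CodeBuild and contains only characters valid in a RoleSessionName.
$Session = Use-STSRole -RoleArn "arn:aws:iam::${AccountId}:role/${TargetRole}" `
                       -RoleSessionName "codebuild-$($env:CODEBUILD_BUILD_NUMBER)"
$Secret  = Get-SECSecretValue -SecretId 'example/build-signing-key' `
                              -Credential $Session.Credentials
# $Secret.SecretString now holds the secret; keep it out of build logs.
```

Steps 1 to 3 are one-time administration; only step 4 belongs in the build. If you prefer not to rely on role tags, replace the `StringEquals` condition with an `ArnLike` condition on `aws:PrincipalArn` matching a naming pattern your service roles follow, or list the service role ARNs explicitly under `"AWS"` and drop step 3.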