fix(pipelines): CodeBuild Action role can be assumed by too many identities (#25316)

CDK Pipelines creates a single Role which has permissions to start all
CodeBuild jobs. The AssumeRolePolicy for this Role contained a mistake,
which allowed all roles in the same account with appropriate
`sts:AssumeRole` permissions to assume the Role.

Fix this by limiting the AssumeRolePolicy to the actual pipeline's
execution role, which we have so we can reference directly.

Author: rix0rrr

packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.newpipeline-with-codebuild-logging.js.snapshot/PipelineStack.assets.json

@@ -1,15 +1,15 @@
 {
   "version": "31.0.0",
   "files": {
-    "1576b28912dd95ee8b60a0f773b1c888d1c0340a29d6adb4b2a2eb43dfcaffa9": {
+    "89f400a7db76ac169a14192582d534dc488cd97e71a91109a8cb5611063ed995": {
       "source": {
         "path": "PipelineStack.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "1576b28912dd95ee8b60a0f773b1c888d1c0340a29d6adb4b2a2eb43dfcaffa9.json",
+          "objectKey": "89f400a7db76ac169a14192582d534dc488cd97e71a91109a8cb5611063ed995.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.newpipeline-with-codebuild-logging.js.snapshot/PipelineStack.template.json

@@ -2142,27 +2142,12 @@
      "Statement": [
       {
        "Action": "sts:AssumeRole",
-       "Condition": {
-        "Bool": {
-         "aws:ViaAWSService": "codepipeline.amazonaws.com"
-        }
-       },
        "Effect": "Allow",
        "Principal": {
         "AWS": {
-         "Fn::Join": [
-          "",
-          [
-           "arn:",
-           {
-            "Ref": "AWS::Partition"
-           },
-           ":iam::",
-           {
-            "Ref": "AWS::AccountId"
-           },
-           ":root"
-          ]
+         "Fn::GetAtt": [
+          "PipelineRoleB27FAA37",
+          "Arn"
          ]
         }
        }

packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.newpipeline-with-codebuild-logging.js.snapshot/manifest.json

@@ -66,7 +66,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/1576b28912dd95ee8b60a0f773b1c888d1c0340a29d6adb4b2a2eb43dfcaffa9.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/89f400a7db76ac169a14192582d534dc488cd97e71a91109a8cb5611063ed995.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [

packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.newpipeline-with-codebuild-logging.js.snapshot/tree.json

@@ -2701,27 +2701,12 @@
                           "Statement": [
                             {
                               "Action": "sts:AssumeRole",
-                              "Condition": {
-                                "Bool": {
-                                  "aws:ViaAWSService": "codepipeline.amazonaws.com"
-                                }
-                              },
                               "Effect": "Allow",
                               "Principal": {
                                 "AWS": {
-                                  "Fn::Join": [
-                                    "",
-                                    [
-                                      "arn:",
-                                      {
-                                        "Ref": "AWS::Partition"
-                                      },
-                                      ":iam::",
-                                      {
-                                        "Ref": "AWS::AccountId"
-                                      },
-                                      ":root"
-                                    ]
+                                  "Fn::GetAtt": [
+                                    "PipelineRoleB27FAA37",
+                                    "Arn"
                                   ]
                                 }
                               }

packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.newpipeline-with-cross-account-keys.js.snapshot/PipelineStack.assets.json

@@ -1,15 +1,15 @@
 {
   "version": "31.0.0",
   "files": {
-    "5e7bb85d81710361d2e2b5fba94f50ef4141aa3fc151119f5b8d5d786c9c149e": {
+    "d012d0452ea703b36e1f5a5e8e65093b04658d40d4e28e97b1fca923b2a0b119": {
       "source": {
         "path": "PipelineStack.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "5e7bb85d81710361d2e2b5fba94f50ef4141aa3fc151119f5b8d5d786c9c149e.json",
+          "objectKey": "d012d0452ea703b36e1f5a5e8e65093b04658d40d4e28e97b1fca923b2a0b119.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.newpipeline-with-cross-account-keys.js.snapshot/PipelineStack.template.json

@@ -2202,27 +2202,12 @@
      "Statement": [
       {
        "Action": "sts:AssumeRole",
-       "Condition": {
-        "Bool": {
-         "aws:ViaAWSService": "codepipeline.amazonaws.com"
-        }
-       },
        "Effect": "Allow",
        "Principal": {
         "AWS": {
-         "Fn::Join": [
-          "",
-          [
-           "arn:",
-           {
-            "Ref": "AWS::Partition"
-           },
-           ":iam::",
-           {
-            "Ref": "AWS::AccountId"
-           },
-           ":root"
-          ]
+         "Fn::GetAtt": [
+          "PipelineRoleB27FAA37",
+          "Arn"
          ]
         }
        }

packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.newpipeline-with-cross-account-keys.js.snapshot/manifest.json

@@ -66,7 +66,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/5e7bb85d81710361d2e2b5fba94f50ef4141aa3fc151119f5b8d5d786c9c149e.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/d012d0452ea703b36e1f5a5e8e65093b04658d40d4e28e97b1fca923b2a0b119.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [

packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.newpipeline-with-cross-account-keys.js.snapshot/tree.json

@@ -2777,27 +2777,12 @@
                           "Statement": [
                             {
                               "Action": "sts:AssumeRole",
-                              "Condition": {
-                                "Bool": {
-                                  "aws:ViaAWSService": "codepipeline.amazonaws.com"
-                                }
-                              },
                               "Effect": "Allow",
                               "Principal": {
                                 "AWS": {
-                                  "Fn::Join": [
-                                    "",
-                                    [
-                                      "arn:",
-                                      {
-                                        "Ref": "AWS::Partition"
-                                      },
-                                      ":iam::",
-                                      {
-                                        "Ref": "AWS::AccountId"
-                                      },
-                                      ":root"
-                                    ]
+                                  "Fn::GetAtt": [
+                                    "PipelineRoleB27FAA37",
+                                    "Arn"
                                   ]
                                 }
                               }

packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.newpipeline-with-file-system-locations.js.snapshot/PipelinesFileSystemLocations.assets.json

@@ -14,15 +14,15 @@
         }
       }
     },
-    "f309a8e80b36ebcbdcf5a2b21a3f9db9f495923cdba98ac1eb744412dd7fe4a3": {
+    "4d38f6ff6bbae2e6b06331dacfc2d6f54ed5b26cd889839fa9a01d63f2a11b3a": {
       "source": {
         "path": "PipelinesFileSystemLocations.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "f309a8e80b36ebcbdcf5a2b21a3f9db9f495923cdba98ac1eb744412dd7fe4a3.json",
+          "objectKey": "4d38f6ff6bbae2e6b06331dacfc2d6f54ed5b26cd889839fa9a01d63f2a11b3a.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.newpipeline-with-file-system-locations.js.snapshot/PipelinesFileSystemLocations.template.json

@@ -1440,27 +1440,12 @@
      "Statement": [
       {
        "Action": "sts:AssumeRole",
-       "Condition": {
-        "Bool": {
-         "aws:ViaAWSService": "codepipeline.amazonaws.com"
-        }
-       },
        "Effect": "Allow",
        "Principal": {
         "AWS": {
-         "Fn::Join": [
-          "",
-          [
-           "arn:",
-           {
-            "Ref": "AWS::Partition"
-           },
-           ":iam::",
-           {
-            "Ref": "AWS::AccountId"
-           },
-           ":root"
-          ]
+         "Fn::GetAtt": [
+          "PipelineRoleB27FAA37",
+          "Arn"
          ]
         }
        }

packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.newpipeline-with-file-system-locations.js.snapshot/manifest.json

@@ -24,7 +24,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/f309a8e80b36ebcbdcf5a2b21a3f9db9f495923cdba98ac1eb744412dd7fe4a3.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/4d38f6ff6bbae2e6b06331dacfc2d6f54ed5b26cd889839fa9a01d63f2a11b3a.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [

packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.newpipeline-with-file-system-locations.js.snapshot/tree.json

@@ -2085,27 +2085,12 @@
                           "Statement": [
                             {
                               "Action": "sts:AssumeRole",
-                              "Condition": {
-                                "Bool": {
-                                  "aws:ViaAWSService": "codepipeline.amazonaws.com"
-                                }
-                              },
                               "Effect": "Allow",
                               "Principal": {
                                 "AWS": {
-                                  "Fn::Join": [
-                                    "",
-                                    [
-                                      "arn:",
-                                      {
-                                        "Ref": "AWS::Partition"
-                                      },
-                                      ":iam::",
-                                      {
-                                        "Ref": "AWS::AccountId"
-                                      },
-                                      ":root"
-                                    ]
+                                  "Fn::GetAtt": [
+                                    "PipelineRoleB27FAA37",
+                                    "Arn"
                                   ]
                                 }
                               }

packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.newpipeline-with-vpc.js.snapshot/PipelineStack.assets.json

@@ -1,15 +1,15 @@
 {
   "version": "31.0.0",
   "files": {
-    "dbefd7608e6caa1510bfb640277e8e0b94a8933d4dc658cc6b95ba3edfdd0906": {
+    "0a38575278954c57dc2282c4e3007815cca46595cdd0204557102de34dbcc818": {
       "source": {
         "path": "PipelineStack.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "dbefd7608e6caa1510bfb640277e8e0b94a8933d4dc658cc6b95ba3edfdd0906.json",
+          "objectKey": "0a38575278954c57dc2282c4e3007815cca46595cdd0204557102de34dbcc818.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.newpipeline-with-vpc.js.snapshot/PipelineStack.template.json

@@ -1273,27 +1273,12 @@
      "Statement": [
       {
        "Action": "sts:AssumeRole",
-       "Condition": {
-        "Bool": {
-         "aws:ViaAWSService": "codepipeline.amazonaws.com"
-        }
-       },
        "Effect": "Allow",
        "Principal": {
         "AWS": {
-         "Fn::Join": [
-          "",
-          [
-           "arn:",
-           {
-            "Ref": "AWS::Partition"
-           },
-           ":iam::",
-           {
-            "Ref": "AWS::AccountId"
-           },
-           ":root"
-          ]
+         "Fn::GetAtt": [
+          "PipelineRoleB27FAA37",
+          "Arn"
          ]
         }
        }

packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.newpipeline-with-vpc.js.snapshot/manifest.json

@@ -24,7 +24,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/dbefd7608e6caa1510bfb640277e8e0b94a8933d4dc658cc6b95ba3edfdd0906.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/0a38575278954c57dc2282c4e3007815cca46595cdd0204557102de34dbcc818.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [

packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.newpipeline-with-vpc.js.snapshot/tree.json

@@ -1899,27 +1899,12 @@
                           "Statement": [
                             {
                               "Action": "sts:AssumeRole",
-                              "Condition": {
-                                "Bool": {
-                                  "aws:ViaAWSService": "codepipeline.amazonaws.com"
-                                }
-                              },
                               "Effect": "Allow",
                               "Principal": {
                                 "AWS": {
-                                  "Fn::Join": [
-                                    "",
-                                    [
-                                      "arn:",
-                                      {
-                                        "Ref": "AWS::Partition"
-                                      },
-                                      ":iam::",
-                                      {
-                                        "Ref": "AWS::AccountId"
-                                      },
-                                      ":root"
-                                    ]
+                                  "Fn::GetAtt": [
+                                    "PipelineRoleB27FAA37",
+                                    "Arn"
                                   ]
                                 }
                               }

packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.newpipeline.js.snapshot/PipelineStack.assets.json

@@ -1,15 +1,15 @@
 {
   "version": "31.0.0",
   "files": {
-    "bb6adc0f7fd12a7b804a73ec5f746450c3851c82569c4ab7a6e604d6778df985": {
+    "09becddcd85b905c424bc20286f676d6139b48124032aa86dd8848e147317752": {
       "source": {
         "path": "PipelineStack.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "bb6adc0f7fd12a7b804a73ec5f746450c3851c82569c4ab7a6e604d6778df985.json",
+          "objectKey": "09becddcd85b905c424bc20286f676d6139b48124032aa86dd8848e147317752.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }