What I'm trying to do is the following:
- CodeBuild assumes a role
- This assumed role then assumes a role in a different account
- The last role retrieves an SSM parameter in a different account
To retrieve an SSM parameter with a regular account is possible: set sts:AssumeRole to Allow for the given account, e.g. for the principal:
arn:aws:sts::xxxxxxxxxxxx:assumed-role/power-user/role-session-name
However, when CodeBuild assumes the role in step 1, there is no control over the role-session-name, which will differ between each run of CodeBuild. It will look something like this:
arn:aws:sts::xxxxxxxxxxxx:assumed-role/codebuild-role/AWSCodeBuild-12345678-1234-4321-1234-01234567890a
This is unfortunate, as sts:AssumeRole does not allow for wildcards in the principals specified.
Adding codebuild.amazonaws.com as a Service-type principal does not work either, as it is not the CodeBuild service itself assuming the final role, but the role it has assumed in step 1.
Is there a way to either change the role-session-name, or assume the role in a different way?
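As an added example (not part of the question above and not AWS SDK code), a small Python checker that applies IAM's trust-policy principal rules to ARNs of the shape shown in the question: an assumed-role ARN with a fixed session name only matches that exact session, a '*' inside a principal ARN is invalid, and an IAM role ARN of the form arn:aws:iam::ACCOUNT:role/NAME matches every session of that role, whatever session name CodeBuild generates. The account id, role name and sample policies are constructed placeholders; the reviewer only looks at Allow statements naming sts:AssumeRole exactly and ignores Deny statements and Conditions.

```python
import re

# Constructed sample values (placeholder account id), not taken from the question.
ACCOUNT = "111111111111"
ROLE = "codebuild-role"
CALLER = (f"arn:aws:sts::{ACCOUNT}:assumed-role/{ROLE}/"
          "AWSCodeBuild-12345678-1234-4321-1234-01234567890a")

SESSION_ARN = re.compile(r"arn:aws:sts::(\d{12}):assumed-role/([^/]+)/([^/]+)")


def principal_matches(principal: str, caller_session_arn: str) -> bool:
    """IAM trust-policy matching for one entry under Principal.AWS.

    - "*" matches any caller (over-broad for a role trust policy).
    - arn:aws:iam::ACCT:role/NAME matches every session of that role,
      so a session name that changes on each run does not matter.
    - arn:aws:sts::ACCT:assumed-role/NAME/SESSION matches only that session.
    - Any other '*' inside an ARN is not a wildcard; IAM rejects such a
      principal when the policy is saved, so it is treated as an error here.
    """
    if principal == "*":
        return True
    if "*" in principal:
        raise ValueError(f"invalid principal (wildcards not allowed): {principal}")
    m = SESSION_ARN.fullmatch(caller_session_arn)
    if not m:
        raise ValueError(f"not an assumed-role ARN: {caller_session_arn}")
    acct, role, _session = m.groups()
    if principal == f"arn:aws:iam::{acct}:role/{role}":
        return True
    return principal == caller_session_arn


def allowed_principals(trust_policy: dict) -> list:
    """Collect AWS principals from Allow statements that name sts:AssumeRole."""
    out = []
    for st in trust_policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        pr = st.get("Principal", {})
        if pr == "*":                      # bare "*" principal form
            out.append("*")
            continue
        aws = pr.get("AWS", [])
        out.extend([aws] if isinstance(aws, str) else aws)
    return out


def session_allowed(trust_policy: dict, caller_session_arn: str) -> bool:
    """True if any Allow principal in the trust policy matches the caller session."""
    return any(principal_matches(p, caller_session_arn)
               for p in allowed_principals(trust_policy))
```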