fix(pipelines): CodeBuild Action role can be assumed by too many identities (#25318)

Backport of #25316.

CDK Pipelines creates a single Role which has permissions to start all CodeBuild jobs. The AssumeRolePolicy for this Role contained a mistake, which allowed all roles in the same account with appropriate sts:AssumeRole permissions to assume the Role.

Fix this by limiting the AssumeRolePolicy to the actual pipeline's execution role, which we have so we can reference directly.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: rix0rrr

packages/@aws-cdk/pipelines/lib/codepipeline/private/codebuild-factory.ts

@@ -330,9 +330,7 @@ export class CodeBuildFactory implements ICodePipelineActionFactory {
     const actionRole = this.props.actionRole
       ?? options.pipeline.node.tryFindChild(actionRoleCid) as iam.IRole
       ?? new iam.Role(options.pipeline, actionRoleCid, {
-        assumedBy: new iam.PrincipalWithConditions(new iam.AccountRootPrincipal(), {
-          Bool: { 'aws:ViaAWSService': iam.ServicePrincipal.servicePrincipalName('codepipeline.amazonaws.com') },
-        }),
+        assumedBy: options.pipeline.pipeline.role,
       });
 
     stage.addAction(new codepipeline_actions.CodeBuildAction({

packages/@aws-cdk/pipelines/test/codepipeline/codepipeline.test.ts

@@ -149,12 +149,7 @@ test('CodeBuild action role has the right AssumeRolePolicyDocument', () => {
         {
           Action: 'sts:AssumeRole',
           Principal: {
-            AWS: { 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::123pipeline:root']] },
-          },
-          Condition: {
-            Bool: {
-              'aws:ViaAWSService': 'codepipeline.amazonaws.com',
-            },
+            AWS: { 'Fn::GetAtt': ['CdkPipelineRoleC09C4D44', 'Arn'] },
           },
         },
       ],

packages/@aws-cdk/pipelines/test/newpipeline-with-vpc.integ.snapshot/PipelineStack.assets.json

@@ -1,15 +1,15 @@
 {
-  "version": "19.0.0",
+  "version": "21.0.0",
   "files": {
-    "09ed6a107711fc77b4417fe759eedb1920ea48ea07d68490b9973255f017840d": {
+    "a847a27eed9056ff8ff8fb030b376a5a8f1cd0c253c0918cd6ed1c23ad26b3ed": {
       "source": {
         "path": "PipelineStack.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "09ed6a107711fc77b4417fe759eedb1920ea48ea07d68490b9973255f017840d.json",
+          "objectKey": "a847a27eed9056ff8ff8fb030b376a5a8f1cd0c253c0918cd6ed1c23ad26b3ed.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

packages/@aws-cdk/pipelines/test/newpipeline-with-vpc.integ.snapshot/PipelineStack.template.json

@@ -1265,27 +1265,12 @@
      "Statement": [
       {
        "Action": "sts:AssumeRole",
-       "Condition": {
-        "Bool": {
-         "aws:ViaAWSService": "codepipeline.amazonaws.com"
-        }
-       },
        "Effect": "Allow",
        "Principal": {
         "AWS": {
-         "Fn::Join": [
-          "",
-          [
-           "arn:",
-           {
-            "Ref": "AWS::Partition"
-           },
-           ":iam::",
-           {
-            "Ref": "AWS::AccountId"
-           },
-           ":root"
-          ]
+         "Fn::GetAtt": [
+          "PipelineRoleB27FAA37",
+          "Arn"
          ]
         }
        }

packages/@aws-cdk/pipelines/test/newpipeline-with-vpc.integ.snapshot/assembly-PipelineStack-Beta/PipelineStackBetaStack1E6541489.assets.json

@@ -1,5 +1,5 @@
 {
-  "version": "19.0.0",
+  "version": "21.0.0",
   "files": {
     "8289faf53c7da377bb2b90615999171adef5e1d8f6b88810e5fef75e6ca09ba5": {
       "source": {

packages/@aws-cdk/pipelines/test/newpipeline-with-vpc.integ.snapshot/assembly-PipelineStack-Beta/cdk.out

@@ -1 +1 @@
-{"version":"19.0.0"}
+{"version":"21.0.0"}

packages/@aws-cdk/pipelines/test/newpipeline-with-vpc.integ.snapshot/assembly-PipelineStack-Beta/manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "19.0.0",
+  "version": "21.0.0",
   "artifacts": {
     "PipelineStackBetaStack1E6541489.assets": {
       "type": "cdk:asset-manifest",
@@ -39,16 +39,16 @@
             "type": "aws:cdk:logicalId",
             "data": "OtherQueue60B686DC",
             "trace": [
-              "new Queue (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/aws-sqs/lib/queue.js:89:23)",
+              "new Queue (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/aws-sqs/lib/queue.js:88:23)",
               "new AppStage (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/pipelines/test/integ.newpipeline-with-vpc.js:39:9)",
               "new PipelineStack (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/pipelines/test/integ.newpipeline-with-vpc.js:26:27)",
               "Object.<anonymous> (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/pipelines/test/integ.newpipeline-with-vpc.js:47:1)",
-              "Module._compile (node:internal/modules/cjs/loader:1105:14)",
-              "Module._extensions..js (node:internal/modules/cjs/loader:1159:10)",
-              "Module.load (node:internal/modules/cjs/loader:981:32)",
-              "Module._load (node:internal/modules/cjs/loader:827:12)",
-              "Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:77:12)",
-              "node:internal/main/run_main_module:17:47"
+              "Module._compile (node:internal/modules/cjs/loader:1159:14)",
+              "Module._extensions..js (node:internal/modules/cjs/loader:1213:10)",
+              "Module.load (node:internal/modules/cjs/loader:1037:32)",
+              "Module._load (node:internal/modules/cjs/loader:878:12)",
+              "Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12)",
+              "node:internal/main/run_main_module:23:47"
             ]
           }
         ],
@@ -57,26 +57,26 @@
             "type": "aws:cdk:logicalId",
             "data": "BootstrapVersion",
             "trace": [
-              "addBootstrapVersionRule (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/core/lib/stack-synthesizers/default-synthesizer.js:285:19)",
-              "DefaultStackSynthesizer.synthesize (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/core/lib/stack-synthesizers/default-synthesizer.js:175:13)",
+              "addBootstrapVersionRule (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/core/lib/stack-synthesizers/default-synthesizer.js:282:19)",
+              "DefaultStackSynthesizer.synthesize (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/core/lib/stack-synthesizers/default-synthesizer.js:172:13)",
               "/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/core/lib/private/synthesis.js:155:35",
               "visit (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/core/lib/private/synthesis.js:200:9)",
               "visit (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/core/lib/private/synthesis.js:197:9)",
               "synthesizeTree (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/core/lib/private/synthesis.js:148:5)",
               "Object.synthesize (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/core/lib/private/synthesis.js:33:5)",
-              "AppStage.synth (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/core/lib/stage.js:105:41)",
+              "AppStage.synth (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/core/lib/stage.js:104:41)",
               "Object.pipelineSynth (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/pipelines/lib/private/construct-internals.js:25:18)",
-              "Function.fromStage (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/pipelines/lib/blueprint/stage-deployment.js:44:48)",
-              "Wave.addStage (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/pipelines/lib/blueprint/wave.js:49:56)",
+              "StageDeployment.fromStage (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/pipelines/lib/blueprint/stage-deployment.js:42:48)",
+              "Wave.addStage (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/pipelines/lib/blueprint/wave.js:48:56)",
               "CodePipeline.addStage (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/pipelines/lib/main/pipeline-base.js:69:46)",
               "new PipelineStack (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/pipelines/test/integ.newpipeline-with-vpc.js:26:18)",
               "Object.<anonymous> (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/pipelines/test/integ.newpipeline-with-vpc.js:47:1)",
-              "Module._compile (node:internal/modules/cjs/loader:1105:14)",
-              "Module._extensions..js (node:internal/modules/cjs/loader:1159:10)",
-              "Module.load (node:internal/modules/cjs/loader:981:32)",
-              "Module._load (node:internal/modules/cjs/loader:827:12)",
-              "Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:77:12)",
-              "node:internal/main/run_main_module:17:47"
+              "Module._compile (node:internal/modules/cjs/loader:1159:14)",
+              "Module._extensions..js (node:internal/modules/cjs/loader:1213:10)",
+              "Module.load (node:internal/modules/cjs/loader:1037:32)",
+              "Module._load (node:internal/modules/cjs/loader:878:12)",
+              "Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12)",
+              "node:internal/main/run_main_module:23:47"
             ]
           }
         ],
@@ -85,26 +85,26 @@
             "type": "aws:cdk:logicalId",
             "data": "CheckBootstrapVersion",
             "trace": [
-              "addBootstrapVersionRule (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/core/lib/stack-synthesizers/default-synthesizer.js:293:5)",
-              "DefaultStackSynthesizer.synthesize (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/core/lib/stack-synthesizers/default-synthesizer.js:175:13)",
+              "addBootstrapVersionRule (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/core/lib/stack-synthesizers/default-synthesizer.js:290:5)",
+              "DefaultStackSynthesizer.synthesize (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/core/lib/stack-synthesizers/default-synthesizer.js:172:13)",
               "/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/core/lib/private/synthesis.js:155:35",
               "visit (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/core/lib/private/synthesis.js:200:9)",
               "visit (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/core/lib/private/synthesis.js:197:9)",
               "synthesizeTree (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/core/lib/private/synthesis.js:148:5)",
               "Object.synthesize (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/core/lib/private/synthesis.js:33:5)",
-              "AppStage.synth (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/core/lib/stage.js:105:41)",
+              "AppStage.synth (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/core/lib/stage.js:104:41)",
               "Object.pipelineSynth (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/pipelines/lib/private/construct-internals.js:25:18)",
-              "Function.fromStage (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/pipelines/lib/blueprint/stage-deployment.js:44:48)",
-              "Wave.addStage (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/pipelines/lib/blueprint/wave.js:49:56)",
+              "StageDeployment.fromStage (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/pipelines/lib/blueprint/stage-deployment.js:42:48)",
+              "Wave.addStage (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/pipelines/lib/blueprint/wave.js:48:56)",
               "CodePipeline.addStage (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/pipelines/lib/main/pipeline-base.js:69:46)",
               "new PipelineStack (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/pipelines/test/integ.newpipeline-with-vpc.js:26:18)",
               "Object.<anonymous> (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/@aws-cdk/pipelines/test/integ.newpipeline-with-vpc.js:47:1)",
-              "Module._compile (node:internal/modules/cjs/loader:1105:14)",
-              "Module._extensions..js (node:internal/modules/cjs/loader:1159:10)",
-              "Module.load (node:internal/modules/cjs/loader:981:32)",
-              "Module._load (node:internal/modules/cjs/loader:827:12)",
-              "Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:77:12)",
-              "node:internal/main/run_main_module:17:47"
+              "Module._compile (node:internal/modules/cjs/loader:1159:14)",
+              "Module._extensions..js (node:internal/modules/cjs/loader:1213:10)",
+              "Module.load (node:internal/modules/cjs/loader:1037:32)",
+              "Module._load (node:internal/modules/cjs/loader:878:12)",
+              "Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12)",
+              "node:internal/main/run_main_module:23:47"
             ]
           }
         ]

packages/@aws-cdk/pipelines/test/newpipeline-with-vpc.integ.snapshot/cdk.out

@@ -1 +1 @@
-{"version":"19.0.0"}
+{"version":"21.0.0"}

packages/@aws-cdk/pipelines/test/newpipeline-with-vpc.integ.snapshot/integ.json

@@ -1,5 +1,5 @@
 {
-  "version": "19.0.0",
+  "version": "21.0.0",
   "testCases": {
     "integ.newpipeline-with-vpc": {
       "stacks": [

packages/@aws-cdk/pipelines/test/newpipeline-with-vpc.integ.snapshot/manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "19.0.0",
+  "version": "21.0.0",
   "artifacts": {
     "assembly-PipelineStack-Beta": {
       "type": "cdk:cloud-assembly",
@@ -30,7 +30,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/09ed6a107711fc77b4417fe759eedb1920ea48ea07d68490b9973255f017840d.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/a847a27eed9056ff8ff8fb030b376a5a8f1cd0c253c0918cd6ed1c23ad26b3ed.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [