Hello, a problem for AWS gurus here. • I have two AWS accounts. Account1 and . . .

Afraz Khan:
Hello, a problem for AWS gurus here.
• I have two AWS accounts, Account1 and Account2.
Account1 has a CodeBuild project that is supposed to update some resources in Account2.
• I have created a cross-account IAM role in Account2 for that purpose.
• I am trying to attach the above cross-account role to the CodeBuild project in Account1, but I am getting the error below:

Failed to call UpdateProject, reason: Invalid service role: Service role account ID does not match caller's account (Service: AWSCodeBuild; Status Code: 400; Error Code: InvalidInputException; Request ID: 1edaf923-29a6-465c-ab06-1dbe06cffd13; Proxy: null)

Anyone have any clue about its resolution? Thanks in advance.

Michael Forrester:
Afraz, Hi.
Something to try…

If memory serves, you have to have an Account1 service account role that assumes the role that you created for Account2. Typically CodeBuild will create a service role for you, or you can specify one that you created with the proper policy attached.

So
Account 1 >>> ServiceAccount role with policy to assume the role that is in Account2

Account2 >>> Role with proper policy for the permissions that you want when the Account1 Service Account takes over.

So you probably want to try creating a service account role for Account 1; make sure you have sts:AssumeRole as the Action in the policy, so it can assume the Role in Account 2.

This may help.
https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-create-cross-account.html
I would read Step 1: Set up account policies and roles.

Keep going… you got this.

Afraz Khan:
Thanks @Michael Forrester, this helps.