AWS codebuild to list out s3 buckets of other account

I have my codebuild build sitting on Account A and s3 buckets on Account B. I tried to set up a trusted IAM STS role on Account B and policy on Account A to include the Account B IAM role, attached this policy to my codebuild service role. But still, my codebuild shows buckets on s3. Am I doing or configuring something wrong here?

Role with trust relation on Account B

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::Account:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

policy on Account A

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::Account B:role/testcli"
        }
    ]
}

CodeBuild BuildSpec.yml

version: 0.2

env:
  variables:
    TF_VERSION: "0.12.28"

phases:
  install:
    commands:
      # install required binary
      - echo test
  pre_build:
    commands:
      - echo print s3 buckets
      - aws s3 ls

  post_build:
    commands:
      - echo test1
patrick asked Sep 10 '25 14:09



1 Answer

Assuming your CodeBuild (CB) has permissions to sts:AssumeRole, in your buildspec.yml you have to explicitly assume the role in Acc B.

There are two ways in which you can do this.

  • "Manually" call assume-role in your buildspec.yml. The call will return a set of temporary credentials. The credentials obtained can then be used to execute AWS CLI commands in Acc B from your CB.

  • Set up AWS CLI credentials files as shown here or here in your CB container for assuming the roles.

In both cases the CB service-role needs sts:AssumeRole permissions.

Marcin answered Sep 12 '25 05:09

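The first option from the answer, the "manual" assume-role call in the build, as an added example that is not part of the question or the answer. The role ARN (with the placeholder ACCOUNT_B_ID), the session name and the script file name are assumptions; the script is meant to be sourced from a pre_build command, and it exports the temporary credentials instead of echoing them so they never land in the CodeBuild log.

```shell
#!/bin/sh
# Added example (not from the question or the answer): assume the Account B
# role from a CodeBuild pre_build step and run `aws s3 ls` with the temporary
# credentials. Role ARN and session name are assumed values.
# buildspec wiring (assumed):
#   - . ./assume_b.sh && assume_account_b_role && verify_and_list
set -eu

# Load one line of `aws sts assume-role --output text` output, which is
# tab-separated AccessKeyId, SecretAccessKey, SessionToken, into the
# environment variables the AWS CLI reads. Exporting instead of echoing keeps
# the secret key and session token out of the CodeBuild log.
export_assumed_creds() {
  _line=$1
  _old_ifs=$IFS
  IFS=$(printf '\t')
  # splitting on tabs is intended here
  # shellcheck disable=SC2086
  set -- $_line
  IFS=$_old_ifs
  if [ "$#" -ne 3 ]; then
    echo "assume-role output had $# fields, expected 3" >&2
    return 1
  fi
  export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
}

# Call sts:AssumeRole with the build's service-role credentials (the caller
# in Account A) and switch this shell to the Account B role's credentials.
assume_account_b_role() {
  _role_arn=${1:-arn:aws:iam::ACCOUNT_B_ID:role/testcli}   # placeholder account id
  _creds=$(aws sts assume-role \
    --role-arn "$_role_arn" \
    --role-session-name codebuild-s3-list \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text)
  export_assumed_creds "$_creds"
}

# Prove the identity changed before listing: the ARN printed here should be
# the assumed-role ARN in Account B, not the CodeBuild service role.
verify_and_list() {
  aws sts get-caller-identity --query Arn --output text
  aws s3 ls
}
```

If `get-caller-identity` still prints the Account A service role, the AssumeRole call did not take effect and the listing that follows is still Account A's buckets, which is the symptom in the question.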