I’ve been trying to deploy the SAM application into the production account (target account) and after a few hours of debugging I managed to complete the entire pipeline, but unfortunately I found out that the Deploy phase was using the source account role, which ended up deploying the application in the source account, which is not the expected result.
So I had to update the role assignments as described below:
- ‘Source’: Source account role (the repository is stored in the source account)
- ‘Build’: Target account role (it has to build the project in the source account bucket)
- ‘Deploy’: Target account role.
In order to accomplish the Build step I had to create a KMS key and allow the target account role to decrypt it. I’ve tested the access to this key from the console and it looks good, but when the CodeBuild project runs, the error still appears:
'AccessDenied: User: arn:aws:sts::992382677484:assumed-role/AWSCloudFormationStackSetExecutionRole/AWSCodeBuild-f35b6fb5-2433-4b44-8256-ae190f3d9339 is not authorized to perform: kms:Decrypt on the resource associated with this ciphertext because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly denies access
status'
My assumption is that the Build phase runs with the role arn:aws:sts::992382677484:assumed-role/AWSCloudFormationStackSetExecutionRole/AWSCodeBuild-f35b6fb5-2433-4b44-8256-ae190f3d9339 and not with the target account role arn:aws:iam::992382677484:role/AWSCloudFormationStackSetExecutionRole which is the one mentioned as ‘Service Role’.
I know that the assumeRole is needed and the project assumes the assigned role, but I guess this is causing the Build to fail because it’s not matching the allowed role arn in the source account?
Am I following a wrong direction here?
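As an added illustration (not code from the original post), the script below models a KMS key policy in the source account that names the target account's CodeBuild service role, and checks whether the assumed-role session ARN seen in the error is covered by it; the account IDs and the key policy are constructed placeholders, and the evaluator is a simplified one that ignores conditions and ARN wildcards. The point it demonstrates is that a resource policy listing the IAM role ARN (`arn:aws:iam::ACCOUNT:role/Name`) does match sessions of that role (`arn:aws:sts::ACCOUNT:assumed-role/Name/Session`), so a session-versus-role mismatch is not by itself what denies access; for cross-account use the key must also be in the same region as the artifact bucket and the role's own IAM policy in the target account must allow `kms:Decrypt` as well.

```python
import re

# Constructed example values: placeholder account IDs, not any real account.
SOURCE_ACCOUNT = "111111111111"  # owns the artifact bucket and the KMS key
TARGET_ACCOUNT = "222222222222"  # runs the Build and Deploy stages
TARGET_BUILD_ROLE = (
    f"arn:aws:iam::{TARGET_ACCOUNT}:role/AWSCloudFormationStackSetExecutionRole"
)

# Constructed KMS key policy living in the SOURCE account.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Keep the key administrable by the source account itself.
            "Sid": "EnableRootPermissions",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{SOURCE_ACCOUNT}:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {   # Cross-account grant: list the IAM role ARN, not a session ARN.
            "Sid": "AllowTargetBuildRoleToDecryptArtifacts",
            "Effect": "Allow",
            "Principal": {"AWS": TARGET_BUILD_ROLE},
            "Action": ["kms:Decrypt", "kms:DescribeKey"],
            "Resource": "*",
        },
    ],
}

ASSUMED_ROLE_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")

def role_arn_for_caller(caller_arn: str) -> str:
    """Map an STS assumed-role session ARN back to the IAM role ARN it came from."""
    m = ASSUMED_ROLE_RE.match(caller_arn)
    if not m:
        return caller_arn  # already an IAM principal ARN (user, role or root)
    account, role = m.groups()
    return f"arn:aws:iam::{account}:role/{role}"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_allows(policy: dict, caller_arn: str, action: str) -> bool:
    """Simplified evaluator: explicit Deny wins, then any matching Allow grants.
    Ignores Condition blocks and wildcard ARNs; exact principal/action match only."""
    principal = role_arn_for_caller(caller_arn)
    verdict = False
    for stmt in policy["Statement"]:
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        actions = _as_list(stmt.get("Action", []))
        if principal not in principals or not (action in actions or "kms:*" in actions):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        verdict = True
    return verdict
```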