When I create a brand new CodeBuild project, it allows me to select an IAM Service Role, and when I check the box "Allow AWS CodeBuild to modify this service role so it can be used with this build project", AWS modifies that Service Role with a custom policy that's specific to this role.

But if, after creating that CodeBuild project, I want to attach a different service role to it, I keep getting the below message saying "The policy was not attached to role [x]"


I'm pretty sure I'm missing a permission somewhere, but I'm not sure where.

Edit with more troubleshooting data:

  • If I uncheck the box "Allow aws [...]", it allows me to update the CodeBuild project configuration, but all subsequent builds fail at startup. This is expected.

  • If I try to re-add the original service role I added to this project when I created it, it lets me add it without any problems.

Dalmiro Granas

4 Answers

I had a similar issue when I tried creating a more generic role that can be used by all of my CodeBuild projects. The way I got around it is I unchecked the "Allow AWS CodeBuild to modify this service role so it can be used with this build project" checkbox.

I had to ensure that the role I'm attaching had all the necessary IAM permissions for my subsequent builds to keep running.


Ameer Mallagie

I had the same issue and noticed that the previous role that was assigned to the CodeBuild project also had a managed policy attached that had been added when the project was originally created. This role was named similarly to this:

CodeBuildBasePolicy-project-name-us-west-2

I attached this policy to the new Role and detached it from the old role.

After this I was able to select "Update environment" and did not receive the error message.

Avalanchis

After a long time spent on this issue, I discovered the problem!

I modified my CodeBuildServiceRole-projectName base policy instead of creating a new policy and attaching it to the CodeBuildServiceRole-projectName role. You should never edit the inline policy that was created by CodePipeline! Only create and add new policies to a role.

As AWS obscurely states in their documentation:

Modifying a policy statement or attaching another policy to the role can prevent your pipelines from functioning. Be sure that you understand the implications before you modify the service role for CodePipeline in any way. Make sure you test your pipelines after you make any change to the service role.

Raphael Setin

If you delete a CodeBuild project, the policies that CodeBuild created remain attached to the existing role. When you create a new project with the same name as the deleted one, this error will occur.

My solution was to delete all of the roles and policies that were referenced in the pipeline and rebuild those roles and policies. Then rebuild the pipeline.

Dieter Donnert