2

I have a CloudFormation stack which exports this role with some policies attached:

      CodeBuildRole:
        Type: AWS::IAM::Role
        Properties:
          RoleName: codebuild-role
          AssumeRolePolicyDocument:
            Statement:
              - Action: ['sts:AssumeRole']
                Effect: Allow
                Principal:
                  Service:
                    - codebuild.amazonaws.com
                    - codepipeline.amazonaws.com
            Version: '2012-10-17'
          Path: /
          Policies:
            - etc....

The exported role name is `cb-remove-role-id`, which I am then trying to import in another stack to be used by another CodeBuild project in a code pipeline:

      BuildProjectUK:
        Type: AWS::CodeBuild::Project
        Properties:
          Name: !Sub ${ResourceContext}-build-uk
          Description: UK build and deploy
          ServiceRole: !ImportValue cb-remove-role-id
          BadgeEnabled: false
          Artifacts:
            Type: CODEPIPELINE
          Environment:
            etc...

When trying to update the latter stack's template, I get this error:

    Failed to call UpdateProject, reason: CodeBuild is not authorized to perform: sts:AssumeRole on arn:aws:iam::xxxxxxxxx:role/xxxxxxxxx (Service: AWSCodeBuild; Status Code: 400; Error Code: InvalidInputException; Request ID: xxxxxxxxxxxxxxxx; Proxy: null)

Any ideas why this may be or how I can resolve this?

Thanks

samtoddler
Ramin
  • How do you export `cb-remove-role-id`? Do you export its name or full ARN? – Marcin Feb 12 '21 at 09:52
  • @Marcin by name: `CodeBuildRemoveRoleId: Value: !GetAtt CodeBuildRole.RoleId Export: Name: cb-remove-role-id` – Ramin Feb 12 '21 at 10:50
  • Can you try with ARN? Docs for [ServiceRole](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codebuild-project.html#cfn-codebuild-project-servicerole) say it should be ARN, not role id. – Marcin Feb 12 '21 at 11:01

1 Answer

1

Exporting the role using the Arn instead of RoleId resolved the issue. Thanks @Marcin.

Failing output:

  CodeBuildRemoveRoleId:
    Description: ID of role used by remove codebuild project
    Value: !GetAtt CodeBuildRole.RoleId
    Export:
      Name: cb-remove-role-id

Passing output:

  CodeBuildRemoveRoleId:
    Description: ID of role used by remove codebuild project
    Value: !GetAtt CodeBuildRole.Arn
    Export:
      Name: cb-remove-role-id
Ramin
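
A pre-deployment check for the mismatch resolved above, as an added example that is not part of the original question or answer: it flags any `AWS::CodeBuild::Project` whose imported `ServiceRole` does not resolve to an IAM role ARN. It assumes the template is in JSON form (so `!ImportValue` appears as `Fn::ImportValue`) and that `exports` maps export names to their resolved values; the function names, account ID and role ID below are constructed for illustration.

```python
import re

# IAM role ARN: arn:<partition>:iam::<12-digit account>:role/<optional path/><name>
ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$")
# IAM unique IDs for roles carry the AROA prefix; this is what RoleId returns
ROLE_ID = re.compile(r"^AROA[A-Z0-9]{12,}$")

def classify(value):
    """Label a resolved export value as 'arn', 'role-id' or 'other'."""
    if ROLE_ARN.match(value):
        return "arn"
    if ROLE_ID.match(value):
        return "role-id"
    return "other"

def check_service_roles(template, exports):
    """Return (logical_id, export_name, kind) for each CodeBuild project whose
    ServiceRole is an Fn::ImportValue that does not resolve to a role ARN."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::CodeBuild::Project":
            continue
        role = res.get("Properties", {}).get("ServiceRole")
        name = role.get("Fn::ImportValue") if isinstance(role, dict) else None
        if not isinstance(name, str):
            continue  # literal value or nested intrinsic: out of scope here
        kind = classify(exports[name]) if name in exports else "missing-export"
        if kind != "arn":
            findings.append((logical_id, name, kind))
    return findings

# Constructed sample data mirroring the stacks in the question
TEMPLATE = {"Resources": {"BuildProjectUK": {
    "Type": "AWS::CodeBuild::Project",
    "Properties": {"ServiceRole": {"Fn::ImportValue": "cb-remove-role-id"}},
}}}
FAILING = {"cb-remove-role-id": "AROAEXAMPLEEXAMPLE123"}  # RoleId export
PASSING = {"cb-remove-role-id": "arn:aws:iam::123456789012:role/codebuild-role"}

if __name__ == "__main__":
    print(check_service_roles(TEMPLATE, FAILING))
    print(check_service_roles(TEMPLATE, PASSING))
```
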