Installing CDK package from CodeArtifact during CodePipeline build stage

When you define a build project you can give it a ServiceRole - "The ARN of the IAM role that enables AWS CodeBuild to interact with dependent AWS services on behalf of the AWS account". Adding the right CodeArtifact permissions in that role should solve your problem.

I tried to pass the following Role to CodePipeline class.

role = iam.Role(
    self,
    "PipelineRole",
    role_name="PipelineRole",
    assumed_by=iam.ServicePrincipal("codepipeline.amazonaws.com"),
    inline_policies={
        "AccessCodeArtifact": iam.PolicyDocument(
            statements=[
                iam.PolicyStatement(
                    actions=[
                        "s3:Abort*",
                        "s3:DeleteObject*",
                        "s3:GetBucket*",
                        "s3:GetObject*",
                        "s3:List*",
                        "s3:PutObject",
                        "s3:PutObjectLegalHold",
                        "s3:PutObjectRetention",
                        "s3:PutObjectTagging",
                        "s3:PutObjectVersionTagging",
                        "sts:AssumeRole",
                    ],
                    resources=["*"],
                ),
                iam.PolicyStatement(
                    actions=[
                        "codeartifact:GetAuthorizationToken",
                        "codeartifact:GetRepositoryEndpoint",
                        "codeartifact:ReadFromRepository",
                    ],
                    resources=["*"],
                ),
                iam.PolicyStatement(
                    actions=["sts:GetServiceBearerToken"],
                    resources=["*"],
                ),
            ]
        )
    },
)

But it didn't change the CodeBuild Role, giving the same error. The ShellStep construct doesn't seem to have a way to pass a Role. Also I guess this will override the auto generated Role. Is there any code example for setting up CDK Pipeline with CodeArtifact? Below the auto generated Role that CodeBuild is using.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:123456789012:log-group:/aws/codebuild/PipelineBuildSynthCdkBuildP-FPjRaipET6w0:*",
                "arn:aws:logs:us-east-1:123456789012:log-group:/aws/codebuild/PipelineBuildSynthCdkBuildP-FPjRaipET6w0"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "codebuild:BatchPutCodeCoverages",
                "codebuild:BatchPutTestCases",
                "codebuild:CreateReport",
                "codebuild:CreateReportGroup",
                "codebuild:UpdateReport"
            ],
            "Resource": "arn:aws:codebuild:us-east-1:123456789012:report-group/PipelineBuildSynthCdkBuildP-FPjRaipET6w0-*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:Abort*",
                "s3:DeleteObject*",
                "s3:GetBucket*",
                "s3:GetObject*",
                "s3:List*",
                "s3:PutObject",
                "s3:PutObjectLegalHold",
                "s3:PutObjectRetention",
                "s3:PutObjectTagging",
                "s3:PutObjectVersionTagging"
            ],
            "Resource": [
                "arn:aws:s3:::myapppipelinestack-pipelineartifactsbucketaea9-1i6sj2jynjl5w",
                "arn:aws:s3:::myapppipelinestack-pipelineartifactsbucketaea9-1i6sj2jynjl5w/*"
            ],
            "Effect": "Allow"
        }
    ]
}

You would want to pass your Role to the CodeBuild Project, not CodePipeline - see "role" (service role) in https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_codebuild.Project.html.