In my setup I have 2 accounts:

- Account A runs CodeCommit + CodePipeline
- Account B has an ECS cluster

Most of the steps I did are described in the Create a Pipeline in CodePipeline That Uses Resources guide from AWS. However, my setup is to deploy to ECS using CodePipeline without using CodeDeploy. So I had to create a CrossAccount role with the following policies.

- Policy to access KMS key in account A
- Policy to allow access to S3 bucket in account A
- Policy to allow access to ECS in account B
- Policy to pass the role to ECS

Without these policies I was getting a lot of different errors in CodePipeline like “The provided role does not have sufficient[…]
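
The four grants listed above, sketched as one least-privilege policy document plus a small check that flags statements broader than they need to be. This is an added example, not the author's policies: the ARNs are constructed placeholders, the action lists are assumptions about what a CodePipeline ECS deploy needs, and `cross_account_policy` and `findings` are hypothetical helper names.

```python
import json

# Constructed placeholders, not values from the post: substitute your own.
KMS_KEY = "arn:aws:kms:REGION:ACCOUNT_A_ID:key/KEY_ID"
BUCKET = "arn:aws:s3:::ARTIFACT_BUCKET_IN_ACCOUNT_A"
TASK_ROLE = "arn:aws:iam::ACCOUNT_B_ID:role/ECS_TASK_ROLE"

def cross_account_policy():
    """Assumed permissions for the cross-account role (action lists are assumptions)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ArtifactKey", "Effect": "Allow", "Resource": KMS_KEY,
         "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:Encrypt",
                    "kms:GenerateDataKey*", "kms:ReEncrypt*"]},
        {"Sid": "ArtifactBucket", "Effect": "Allow",
         "Resource": [BUCKET, BUCKET + "/*"],
         "Action": ["s3:GetObject", "s3:GetObjectVersion",
                    "s3:PutObject", "s3:ListBucket"]},
        # Left on "*" in this sketch; narrow to cluster/service ARNs where supported.
        {"Sid": "EcsDeploy", "Effect": "Allow", "Resource": "*",
         "Action": ["ecs:DescribeServices", "ecs:DescribeTaskDefinition",
                    "ecs:DescribeTasks", "ecs:ListTasks",
                    "ecs:RegisterTaskDefinition", "ecs:UpdateService"]},
        # PassRole limited to one role and to the ECS tasks service.
        {"Sid": "PassTaskRole", "Effect": "Allow", "Resource": TASK_ROLE,
         "Action": "iam:PassRole",
         "Condition": {"StringEquals":
                       {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}},
    ]}

def findings(policy):
    """Flag statements broader than the four grants need."""
    out = []
    for st in policy["Statement"]:
        sid = st.get("Sid", "?")
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        for a in actions:
            if a == "*" or a.endswith(":*"):
                out.append(f"{sid}: wildcard action {a}")
        services = {a.split(":")[0] for a in actions}
        if st.get("Resource") == "*" and services & {"kms", "s3", "iam"}:
            out.append(f"{sid}: Resource * on {sorted(services)}")
        cond = json.dumps(st.get("Condition", {}))
        if "iam:PassRole" in actions and "iam:PassedToService" not in cond:
            out.append(f"{sid}: iam:PassRole without iam:PassedToService")
    return out

if __name__ == "__main__":
    print(json.dumps(cross_account_policy(), indent=2))
    print(findings(cross_account_policy()))
```

Running `findings` over a policy before attaching it catches the usual shortcut taken when clearing permission errors one at a time: widening to `ecs:*` or an unconditioned `iam:PassRole` on `*`.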