One gotcha which held me up for a while and may be helpful to others is that if you are running into this problem on the synth step of a CodePipeline, then, after you add the appropriate sts:AssumeRole policy to your code, you need to run cdk deploy from the CLI, rather than rely on the self-mutate step to apply your changes after a git push. (It seems obvious in retrospect, but the )