@omenking
Created February 27, 2021 15:04
AWS Support + CrossAccount CodeCommit Https Git Credentials in CodeBuild Project
I am attempting to install packages for NodeJS that reference a CodeCommit repository that resides in a different AWS Account from a different AWS Organization.
I receive the error "unable to access":
```text
npm ERR! Error while executing:
npm ERR! /usr/bin/git ls-remote -h -t https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my_package
npm ERR!
npm ERR! fatal: unable to access 'https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my_package/ ': The requested URL returned error: 403
```
I have access to both root accounts and have technical business support for both.
[Account A]==================
AccountName: MyApplication
AccountId: 123456789012
In this account I have a CodeBuild project that is provisioned by a CloudFormation template:
my_application/83e528f0-78a8-11eb-a553-126bf0867249
I have a CodeBuild IAM Role
arn:aws:iam::123456789012:role/CodeBuildRole-1DS22LL51E1O3
This role has an inline policy to allow the CodeBuild project to assume a cross-account role, which in turn grants access to the CodeCommit repo in the other account.
[Inline Policy]
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": "arn:aws:iam::101010110101:role/CrossAccountRole-D5JOGALPCNCR",
      "Effect": "Allow"
    }
  ]
}
```
Within my buildspec I have applied this option that should automatically allow a CodeBuild project with permissions to pull a CodeCommit repo with an https reference.
[buildspec.yaml]
```yaml
env:
  # enables the CodeCommit credential helper for git over HTTPS
  git-credential-helper: yes
```
This is the dependency in question I am referencing in my package.json
[package.json]
```json
"my_package": "git+https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my_package#semver:1.3.3",
```
I am able to pull this repo on my local development machine with HTTPS Git Credentials without issue.
[Account B]==================
AccountName: MyPackage
AccountId: 101010110101
This is the account where the other CodeCommit repository (my_package) resides.
This is its clone url:
https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my_package
I have created a Cross Account Role via this CloudFormation template:
arn:aws:cloudformation:us-east-1:101010110101:stack/mypackage/3a422c70-78ae-11eb-90ee-12136ee127ab
To debug it I told it to just have access to everything in CodeCommit.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "codecommit:*"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "codecommit:GetBranch",
        "codecommit:GetCommit",
        "codecommit:UploadArchive",
        "codecommit:GetUploadArchiveStatus",
        "codecommit:CancelUploadArchive",
        "codecommit:GetRepository",
        "codecommit:GitPull",
        "codecommit:GetFolder"
      ],
      "Resource": [
        "arn:aws:codecommit:us-east-1:101010110101:my_package"
      ],
      "Effect": "Allow"
    }
  ]
}
```
I edited the Trust Relationship to include the Role from Account A so it has permission to assume the role:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/CodeBuildRole-1DS22LL51E1O3"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
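As an added check, not part of the gist: the following walks the three policies above (copied verbatim, with IAM-style wildcard matching for actions and resources) hop by hop, and also asks what the build role can do on its own, because the credential helper enabled by `git-credential-helper: yes` signs requests with whatever credentials are current in the build environment, and the cross-account role's permissions only apply after the build has assumed it.

```python
import fnmatch

# Identities and policies copied from the gist above; REPO_ARN is the repository's ARN in Account B.
CODEBUILD_ROLE = "arn:aws:iam::123456789012:role/CodeBuildRole-1DS22LL51E1O3"
CROSS_ACCOUNT_ROLE = "arn:aws:iam::101010110101:role/CrossAccountRole-D5JOGALPCNCR"
REPO_ARN = "arn:aws:codecommit:us-east-1:101010110101:my_package"
INLINE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": ["sts:AssumeRole"], "Resource": CROSS_ACCOUNT_ROLE, "Effect": "Allow"}]}
PERMISSION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": ["codecommit:*"], "Resource": ["*"], "Effect": "Allow"},
    {"Action": ["codecommit:GetBranch", "codecommit:GetCommit", "codecommit:UploadArchive",
                "codecommit:GetUploadArchiveStatus", "codecommit:CancelUploadArchive",
                "codecommit:GetRepository", "codecommit:GitPull", "codecommit:GetFolder"],
     "Resource": [REPO_ARN], "Effect": "Allow"}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": CODEBUILD_ROLE}, "Action": "sts:AssumeRole"}]}

def _as_list(value): return value if isinstance(value, list) else [value]
# IAM wildcards: '*' matches any run of characters, '?' one; names compare case-insensitively.
def _matches(pattern, value): return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def allows(policy, action, resource):
    # Allowed only if an Allow statement matches action and resource and no Deny statement does.
    allowed = denied = False
    for stmt in policy["Statement"]:
        hit = (any(_matches(a, action) for a in _as_list(stmt.get("Action", [])))
               and any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))))
        if hit and stmt["Effect"] == "Deny":
            denied = True
        elif hit:
            allowed = True
    return allowed and not denied

def trusts(trust_policy, principal_arn):
    # True if an Allow statement names principal_arn (or "*") as an AWS principal for sts:AssumeRole.
    for stmt in trust_policy["Statement"]:
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if (stmt.get("Effect") == "Allow" and principal_arn in principals + ["*"]
                and any(_matches(a, "sts:AssumeRole") for a in _as_list(stmt.get("Action", [])))):
            return True
    return False

def check_chain():
    # Each hop of the cross-account chain, plus what the build role can do on its own.
    return {
        "codebuild_can_assume": allows(INLINE_POLICY, "sts:AssumeRole", CROSS_ACCOUNT_ROLE),
        "role_trusts_codebuild": trusts(TRUST_POLICY, CODEBUILD_ROLE),
        "assumed_role_can_pull": allows(PERMISSION_POLICY, "codecommit:GitPull", REPO_ARN),
        # Without assuming the role first, the credential helper signs with these build credentials.
        "build_role_can_pull": allows(INLINE_POLICY, "codecommit:GitPull", REPO_ARN),
    }
```

Every hop of the chain passes, but the last key is False: a 403 is exactly what a `git ls-remote` signed with the build role's own credentials produces, which points at the build never switching to the assumed role before git runs rather than at the policies themselves.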