Get rid of AWS auto-generated roles in CDK CodePipeline

[garysassano]

I'd like to avoid role proliferation, so I'm trying to reduce the number of roles in my IAM to as few as possible by also getting rid of all AWS auto-generated roles.

I found out that by passing a custom role to CodePipeline and CodeBuildStep constructs I could avoid the creation of AWS auto-generated roles. So I created these two custom roles:

const codePipelineCustomRole = new iam.Role(this, 'codePipelineCustomRoleConstructID', {
    roleName: 'CodePipelineCustomRole',
    description: 'Custom role to execute CodePipeline',
    assumedBy: new iam.ServicePrincipal('codepipeline.amazonaws.com'),
    managedPolicies: [
        iam.ManagedPolicy.fromAwsManagedPolicyName('AWSCodePipeline_FullAccess'),
    ],
});

const codeBuildCustomRole = new iam.Role(this, 'codeBuildCustomRoleConstructID', {
    roleName: 'CodeBuildCustomRole',
    description: 'Custom role to execute CodeBuild',
    assumedBy: new iam.ServicePrincipal('codebuild.amazonaws.com'),
    managedPolicies: [
        iam.ManagedPolicy.fromAwsManagedPolicyName('AWSCodeBuildAdminAccess'),
    ],
});

The problem is that I was only able to reduce the number of AWS auto-generated roles from 22 down to 8. So now I have 10 roles (8 auto-generated + 2 custom ones) instead of 22, which still doesn't meet my goal.

I tryed to ask ChatGPT about the 4 roles that get automatically created for each CodePipeline:

The roles you're seeing in the table are all created by AWS CloudFormation as part of the CodePipeline stack. These roles are automatically created to allow the pipeline to:

-<XXXXX>CodeBuildServiceRole: This is the service role that allows CodeBuild to interact with the pipeline and perform its actions.
-<XXXXX>EventRole: This is the event role that allows CodePipeline to start and stop builds and deployments.
-<XXXXX>SourceRole: This is the role that allows CodePipeline to access the source code repository.
-<XXXXX>UpdateStackRole: This is the role that allows CodePipeline to update the CloudFormation stack.

Even though you are passing custom roles to the CodePipeline and CodeBuildStep, these roles are still needed for the pipeline to interact with other services and perform certain actions.

So, I guess that what I'm trying to achieve is actually not possible?