No need to add the stack directly under the app. Add it inside the pipeline's scope

Done.

Scratch that. This does not work for some reason. The unit test in the codepipeline-actions package that tests the new behavior for the CFN actions fail when anchoring the new stack under the pipeline:

Error: Can only reference cross stacks in the same region and account. target = PipelineStack/Pipeline/cross-account-support-stack-123456789012/PipelineStackPipeline9DB740AF-Deploy-CFN-DeploymentRole/Resource

It seems to me like the cross-account behavior is not triggered at all when I add the new stack under the pipeline's scope (this is an error message from CfnReference).

Any ideas why might that be...? Could it be because Stack.of(...) does not work correctly if stacks are nested under constructs...?

I think you are right. I think there is a bug in how substacks consume references. I will run some more tests tomorrow morning and hope to have some better understanding of this.

This actually makes sense. The pipeline stack references the role in the other account and the automatic cross-stack references are triggered, but those only work for same-environment since they use exports/imports.

Digging further...

Okay, haven't managed to figure out what the issue is. I still think there is a bug somewhere, but you'll have to dig further from your end. I've added a bunch of tests to verify some assumptions: #3373

Ok. I've updated the PR to fix the out of order imports. Let's see if the build passes this time.

The terminology "owner" here is extremely confusing (especially since we use it to indicate "owned resources"). How about something like "The action X does not support specifying a role".

Just to be clear: I'm talking here about this property.

Given that, does the error message makes sense? (I'm not worried about the isAwsOwned() method, it's private anyway)

EDIT: maybe this is a better explanation of the owner property