fix(iam): cannot import service role with a principal in its path

packages/@aws-cdk/aws-iam/lib/role.ts

@@ -177,10 +177,9 @@ export class Role extends Resource implements IRole {
     const parsedArn = scopeStack.parseArn(roleArn);
     const resourceName = parsedArn.resourceName!;
     // service roles have an ARN like 'arn:aws:iam::<account>:role/service-role/<roleName>'
-    // we want to support these as well, so strip out the 'service-role/' prefix if we see it
-    const roleName = resourceName.startsWith('service-role/')
-      ? resourceName.slice('service-role/'.length)
-      : resourceName;
+    // or 'arn:aws:iam::<account>:role/service-role/servicename.amazonaws.com/service-role/<roleName>'
+    // we want to support these as well, so we just use the element after the last slash as role name
+    const roleName = resourceName.split('/').pop()!;
 
     class Import extends Resource implements IRole {
       public readonly grantPrincipal: IPrincipal = this;

packages/@aws-cdk/aws-iam/test/role.from-role-arn.test.ts

@@ -480,20 +480,45 @@ describe('IAM Role.fromRoleArn', () => {
   describe('imported with the ARN of a service role', () => {
     beforeEach(() => {
       roleStack = new Stack();
-      importedRole = Role.fromRoleArn(roleStack, 'Role',
-        `arn:aws:iam::${roleAccount}:role/service-role/codebuild-role`);
     });
 
-    it("correctly strips the 'service-role' prefix from the role name", () => {
-      new Policy(roleStack, 'Policy', {
-        statements: [somePolicyStatement()],
-        roles: [importedRole],
+    describe('without a service principal in the role name', () => {
+      beforeEach(() => {
+        importedRole = Role.fromRoleArn(roleStack, 'Role',
+          `arn:aws:iam::${roleAccount}:role/service-role/codebuild-role`);
+      });
+
+      it("correctly strips the 'service-role' prefix from the role name", () => {
+        new Policy(roleStack, 'Policy', {
+          statements: [somePolicyStatement()],
+          roles: [importedRole],
+        });
+
+        expect(roleStack).toHaveResourceLike('AWS::IAM::Policy', {
+          'Roles': [
+            'codebuild-role',
+          ],
+        });
       });
+    });
 
-      expect(roleStack).toHaveResourceLike('AWS::IAM::Policy', {
-        'Roles': [
-          'codebuild-role',
-        ],
+    describe('with a service principal in the role name', () => {
+      beforeEach(() => {
+        importedRole = Role.fromRoleArn(roleStack, 'Role',
+          `arn:aws:iam::${roleAccount}:role/aws-service-role/anyservice.amazonaws.com/codebuild-role`);
+      });
+
+      it("correctly strips both the 'aws-service-role' prefix and the service principal from the role name", () => {
+        new Policy(roleStack, 'Policy', {
+          statements: [somePolicyStatement()],
+          roles: [importedRole],
+        });
+
+        expect(roleStack).toHaveResourceLike('AWS::IAM::Policy', {
+          'Roles': [
+            'codebuild-role',
+          ],
+        });
       });
     });
   });