(codepipeline): AccessDeniedException when calling the PutJobSuccessResult

This is likely to be a guidance question, but I’m not sure I’m not hitting some CodePipeline limitation. I have a scenario like this:

1. I have a devops central IAM account that I have the pipelines
2. in that pipeline I am invoking a lambda, that uses a PipelineRole on a cross-IAM another target IAM account
3. that Lambda executes some operations (e.g. CloudFront)

Those three things work fine, but… the Lambda must return a result to the initial IAM account to the CodePipeline and that is what doesn’t work for me. I tried assigning even full permissions for codepipeline:* for * resources on both sides, but I am still getting the error:

[ERROR] ClientError: An error occurred (AccessDeniedException) when calling the PutJobSuccessResult operation: User: arn:aws:sts::1234:assumed-role/PipelineRole/1624294113598 is not authorized to perform: codepipeline:PutJobSuccessResult

In the Python Lambda, I am executing the CloudFront operations with the assumed role passed from the CodePipeline role: parameter in a standard way:

cloudfront_client = boto3.client('cloudfront')

Then, for returning the result, I use Session token like this:

    key_id = job_data['artifactCredentials']['accessKeyId']
    key_secret = job_data['artifactCredentials']['secretAccessKey']
    session_token = job_data['artifactCredentials']['sessionToken']

    session = Session(aws_access_key_id=key_id,
                      aws_secret_access_key=key_secret,
                      aws_session_token=session_token)
    return session.client('codepipeline', config=botocore.client.Config(signature_version='s3v4'))

Am I missing something or maybe the artifactCredentials do not allow it? If that’s the case, how can I pass the result of Lambda from the target account to the original account? Thanks a lot in advance for support, I already spent 2 days trying to figure this out and I’m banging the wall it seems…