unicrons.cloud
@unicrons.cloud
unicrons.cloud

Extra bit we didn't include in the post: The source roles are included under the `aws:PrincipalArn` condition to avoid losing access if we recreate the roles. Why not add them as `Principal`?


unicrons.cloud

Because if you add an ARN as `Principal`, it must exist and will generate a unique ID. You can find more information in the following AWS docs. Either way, if someone can recreate your roles without your authorization, you have a bigger issue. docs.aws.amazon.com/IAM/latest/U...

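The two trust-policy shapes discussed in this thread, with a small linter that tells them apart. This is an added example, not code from the original posts. The account ID, role name, function names and finding labels are hypothetical, and using the account root as `Principal` in the condition form is an assumption, since the thread does not show the full policy.

```python
import re

ROLE_ARN = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:role/.+$")
UNIQUE_ID = re.compile(r"^A(?:RO|ID)A[A-Z0-9]{12,}$")  # AROA... = role, AIDA... = user
ROOT_ARN = re.compile(r"^(?:arn:aws[\w-]*:iam::)?\d{12}(?::root)?$")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def principal_arn_conditions(stmt):
    """Collect the values of every aws:PrincipalArn condition in one statement."""
    values = []
    for operands in stmt.get("Condition", {}).values():
        for key, val in operands.items():
            if key.lower() == "aws:principalarn":  # condition keys are case-insensitive
                values.extend(_as_list(val))
    return values

def lint_trust_policy(policy):
    """Return a list of (statement index, finding) for one trust policy dict."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        for p in aws:
            if UNIQUE_ID.match(p):
                findings.append((i, "unique-id-principal"))  # referenced role/user was deleted
            elif ROLE_ARN.match(p):
                findings.append((i, "role-arn-principal"))   # stops matching if the role is recreated
            elif ROOT_ARN.match(p) and not principal_arn_conditions(stmt):
                findings.append((i, "account-principal-without-arn-condition"))
    return findings

# Constructed samples: account ID and role name are placeholders.
SOURCE = "arn:aws:iam::111122223333:role/example-source-role"
BY_PRINCIPAL = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": SOURCE}}]}
BY_CONDITION = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Condition": {"ArnEquals": {"aws:PrincipalArn": SOURCE}}}]}

if __name__ == "__main__":
    for name, doc in (("principal", BY_PRINCIPAL), ("condition", BY_CONDITION)):
        print(name, lint_trust_policy(doc))
```

The last finding covers the mistake that the condition form makes possible: widening `Principal` to the whole account and then omitting the `aws:PrincipalArn` condition.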