sagemaker.get_execution_role() returns incorrect ARN

[hughack]

Describe the bug
I manually created an execution role for SageMaker Studio called AmazonSageMaker-ExecutionRole-ap-southeast-2

Calling sagemaker.get_execution_role() within a SageMaker Studio Notebook returns the incorrect role ARN:

arn:aws:iam::************:role/service-role/AmazonSageMaker-ExecutionRole-ap-southeast-2

Actual ARN:

arn:aws:iam::************:role/AmazonSageMaker-ExecutionRole-ap-southeast-2

To reproduce
Create role in CloudFormation:

  SageMakerExecutionRole:
      Type: "AWS::IAM::Role"
      Properties:
        RoleName: !Sub AmazonSageMaker-ExecutionRole-${AWS::Region}
        AssumeRolePolicyDocument:
          Version: 2012-10-17
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - sagemaker.amazonaws.com
                  - ecs-tasks.amazonaws.com
              Action:
                - "sts:AssumeRole"
        Path: /
        ManagedPolicyArns:
          - arn:aws:iam::aws:policy/AmazonSageMakerFullAccess
          - !Ref SageMakerExecutionPolicy

Setup SageMaker Studio with this role as execution role.

Open a notebook and run:

from sagemaker import get_execution_role
print(get_execution_role())

Expected behavior
Output role ARN:

arn:aws:iam::************:role/AmazonSageMaker-ExecutionRole-ap-southeast-2

Actual output:

arn:aws:iam::************:role/service-role/AmazonSageMaker-ExecutionRole-ap-southeast-2

Note addition of service-role/.

Additional context
Looks like this line is the culprit:

sagemaker-python-sdk/src/sagemaker/session.py

Line 3501 in 1fdefe0

if "AmazonSageMaker-ExecutionRole" in assumed_role:

[hughack]

Do the auto-generated roles always have the same format? AmazonSageMaker-ExecutionRole-YYYYMMDDTHHMMSS

Could replace the if with:

if re.match(r'/.*AmazonSageMaker-ExecutionRole-\d{8}T\d{6}.*/',assumed_role):
    ...

But if any other pattern has been used in the past then this could cause issues for anyone using the alternative role name.

I'm guessing i should just change the role name for my account?

[cfregly]

I have similar issues when using get_execution_role() within a SageMaker Processing Job, for example. I just ended up doing the hack that you suggested above @hughack by converting assumed-role => role or role/service-role specific to each variant that I’m struggling with. My code is up to 3-4 if statements. Hoping there is a cleaner way.

Sagemaker Engineering: any suggestions?

[ChoiByungWook]

Hey @hughack,

Apologies on the late response.

Thank you for bringing this issue to our attention.

I'm not entirely sure why we have a conditional to essentially hardcode the path "service-role" if the role name contains "AmazonSageMaker-ExecutionRole".

This code seems to have been part of the Python SDK since its inception, so I am bit worried of removing this logic, as many of the original writers... don't work on SageMaker anymore :(, but clearly it is causing issues.

Based on the code that comes after that specific conditional, it looks like it was looking to avoid making calls to IAM, since I am guessing due to missing permissions?

I believe at the time the code was introduced and even at the time of writing this response, it looks like the default SageMaker IAM policy doesn't account for IAM read permissions.

I don't think it is actually possible to get the proper IAM Role ARN without having IAM permissions, at least from the Python SDK perspective.

I think the best course of action is to move line of code into the except block of the try/except clause, as a safe compromise, to maintain supporting users of this conditional.