Sagemaker jumpstart session breaks sagemaker SDK import when partial AWS credentials are present

[elemakil]

Describe the bug
In 1f3754d (merged as part of #4051), a "default sagemaker jumpstart session" aws introduced (direct link). This session object is constructed unconditionally upon import of the src/sagemaker/jumpstart/constants.py file. This file is imported through a long-ish import chain when importing the sagemaker SDK.

If the executing environment contains partial AWS credentials (i.e. either AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY is set but not both), the import fails because construction of the boto3 session within the constructor of the sagemaker jumpstart session fails. You can find a full traceback below.

This is a regression introduced by the inclusion of the default sagemaker jumpstart session. We've previously been using sagemaker SDK version 2.173.0 which did not have this issue.

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/Users/<REDACTED>/sagemaker-sdk-bug/.env/lib/python3.10/site-packages/sagemaker/__init__.py", line 18, in <module>
    from sagemaker import estimator, parameter, tuner  # noqa: F401
  File "/Users/<REDACTED>/sagemaker-sdk-bug/.env/lib/python3.10/site-packages/sagemaker/estimator.py", line 30, in <module>
    from sagemaker import git_utils, image_uris, vpc_utils, s3
  File "/Users/<REDACTED>/sagemaker-sdk-bug/.env/lib/python3.10/site-packages/sagemaker/image_uris.py", line 24, in <module>
    from sagemaker.jumpstart.constants import DEFAULT_JUMPSTART_SAGEMAKER_SESSION
  File "/Users/<REDACTED>/sagemaker-sdk-bug/.env/lib/python3.10/site-packages/sagemaker/jumpstart/constants.py", line 182, in <module>
    DEFAULT_JUMPSTART_SAGEMAKER_SESSION = Session(
  File "/Users/<REDACTED>/sagemaker-sdk-bug/.env/lib/python3.10/site-packages/sagemaker/session.py", line 244, in __init__
    self._initialize(
  File "/Users/<REDACTED>/sagemaker-sdk-bug/.env/lib/python3.10/site-packages/sagemaker/session.py", line 275, in _initialize
    self.sagemaker_client = sagemaker_client or self.boto_session.client("sagemaker")
  File "/Users/<REDACTED>/sagemaker-sdk-bug/.env/lib/python3.10/site-packages/boto3/session.py", line 299, in client
    return self._session.create_client(
  File "/Users/<REDACTED>/sagemaker-sdk-bug/.env/lib/python3.10/site-packages/botocore/session.py", line 957, in create_client
    credentials = self.get_credentials()
  File "/Users/<REDACTED>/sagemaker-sdk-bug/.env/lib/python3.10/site-packages/botocore/session.py", line 515, in get_credentials
    ).load_credentials()
  File "/Users/<REDACTED>/sagemaker-sdk-bug/.env/lib/python3.10/site-packages/botocore/credentials.py", line 2038, in load_credentials
    creds = provider.load()
  File "/Users/<REDACTED>/sagemaker-sdk-bug/.env/lib/python3.10/site-packages/botocore/credentials.py", line 1125, in load
    credentials = fetcher(require_expiry=False)
  File "/Users/<REDACTED>/sagemaker-sdk-bug/.env/lib/python3.10/site-packages/botocore/credentials.py", line 1165, in fetch_credentials
    raise PartialCredentialsError(
botocore.exceptions.PartialCredentialsError: Partial credentials found in env, missing: AWS_SECRET_ACCESS_KEY

To reproduce

1. Install recent python version (I've used python 3.10)
2. Create virtualenv: python -m venv .env
3. Load virtualenv: source .env/bin/activate
4. Install sagemaker sdk: pip install sagemaker==2.183.0
5. Import sagemaker while having partial AWS credentials: AWS_ACCESS_KEY_ID=abcd python -c 'import sagemaker'

Expected behavior
Importing sagemaker should not fail if the environment contains partial AWS credentials. AWS credentials are only needed when performing actual operations against AWS which should not happen at import time.

I am aware that this issue is caused by a somewhat broken external execution environment, however, I believe that this should not result in failure during import. We have encountered the issue in our CI/CD system where sagemaker SDK is imported during building of source code documentation and execution of unit tests. Neither of these steps involve operations against an actual AWS account which would require a working boto3 session. Unfortunately we have limited control over the CI/CD system which contains the partial AWS credential environment variables.

Screenshots or logs
n/a

System information
A description of your system. Please provide:

• SageMaker Python SDK version: 2.183.0 though it likely affects other versions
• Framework name (eg. PyTorch) or algorithm (eg. KMeans): irrelevant
• Framework version: irrelevant
• Python version: 3.10 though this probably does not matter
• CPU or GPU: irrelevant
• Custom Docker image (Y/N): irrelevant

Additional context
Add any other context about the problem here.

[evakravi]

A PR has been raised with a fix. I was not able to reproduce your error when I put partial credentials in my AWS credentials file. Can you try to see if my PR solves the problem, to verify the fix?

You can do pip install git+https://github.com/evakravi/sagemaker-python-sdk@fix/handle-bad-js-default-session

[elemakil]

Hi @evakravi,

I can confirm that your PR resolves the issue. An error message is printed but the import succeeds.

~/sagemaker-sdk-bug ❯ AWS_ACCESS_KEY_ID=abcd python -c 'import sagemaker'                                                                                                                                                                                                               
Unable to create default JumpStart SageMaker Session due to the following error: Partial credentials found in env, missing: AWS_SECRET_ACCESS_KEY.
~/sagemaker-sdk-bug ❯ echo $?                                                                                                                                                                                                                                                            
0

[evakravi]

Great, thank you for confirming. I will move forward with the PR merge process