Skip to content

change: move service-role path parsing for AmazonSageMaker-ExecutionRole for get_execution_role() into except block of IAM get_role() call and add warning message #2191

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Mar 8, 2021
Merged

change: move service-role path parsing for AmazonSageMaker-ExecutionRole for get_execution_role() into except block of IAM get_role() call and add warning message #2191

merged 3 commits into from
Mar 8, 2021

Conversation

ChoiByungWook
Copy link
Contributor

@ChoiByungWook ChoiByungWook commented Mar 6, 2021
edited
Loading

…ole for get_execution_role() into except block of IAM get_role() call and add warning message

Issue #, if available:
#2089

Description of changes:
Moved the conditional for parsing a Role Arn if the role name contains AmazonSageMaker-ExecutionRole into the except block of the try/except clause for calling IAM get_role().

This change should work for users who are still depending on this logic for getting a proper role ARN without IAM read permissions, while also allowing those with IAM read permissions to get the correct path in their role.

Also added a warning message.

Testing done:
I tested my change by creating separate UserProfiles with the corresponding roles defined below.

If my assumed role contained AmazonSageMaker-ExecutionRole and didn't have IAM permissions, it default to the role with the path service-role. It doesn't seem possible to get the role path through STS in the perspective of the Python SDK.

I installed my Python SDK dist file in each notebook:

  1. Role with service-role path and name contains AmazonSageMaker-ExecutionRole

UserProfile role: arn:aws:iam::AWS_ACCOUNT:role/service-role/AmazonSageMaker-ExecutionRole-20210110T050484

import sagemaker
sagemaker.get_execution_role()

arn:aws:iam::AWS_ACCOUNT:role/service-role/AmazonSageMaker-ExecutionRole-20181116T200565

  1. Role with no service-role path and contains AmazonSageMaker-ExecutionRole

UserProfile role: arn:aws:iam::AWS_ACCOUNT:role/AmazonSageMaker-ExecutionRole-NO_PATH

import sagemaker
sagemaker.get_execution_role()

arn:aws:iam::AWS_ACCOUNT:role/AmazonSageMaker-ExecutionRole-NO_PATH

  1. Role name does not contain AmazonSageMaker-ExecutionRole

UserProfile role: arn:aws:iam::AWS_ACCOUNT:role/SageMakerRole

import sagemaker
sagemaker.get_execution_role()

arn:aws:iam::AWS_ACCOUNT:role/SageMakerRole

Merge Checklist

Put an x in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your pull request.

General

  • I have read the CONTRIBUTING doc
  • I used the commit message format described in CONTRIBUTING
  • I have passed the region in to all S3 and STS clients that I've initialized as part of this change.
  • I have updated any necessary documentation, including READMEs and API docs (if appropriate)

Tests

  • I have added tests that prove my fix is effective or that my feature works (if appropriate)
  • I have checked that my tests are not configured for a specific region or account (if appropriate)
  • I have used unique_name_from_base to create resource names in integ tests (if appropriate)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@ChoiByungWook
change: move service-role path parsing for AmazonSageMaker-ExecutionR…
dca9f79 
…ole for get_execution_role() into except block of IAM get_role() call and add warning message
@ChoiByungWook ChoiByungWook linked an issue Mar 6, 2021 that may be closed by this pull request
sagemaker.get_execution_role() returns incorrect ARN #2089
Closed
@ChoiByungWook ChoiByungWook mentioned this pull request Mar 6, 2021
Closed
@sagemaker-bot
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-unit-tests
  • Commit ID: dca9f79
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-pr
  • Commit ID: dca9f79
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-slow-tests
  • Commit ID: dca9f79
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-notebook-tests
  • Commit ID: dca9f79
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-local-mode-tests
  • Commit ID: dca9f79
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-unit-tests
  • Commit ID: bdf984f
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-unit-tests
  • Commit ID: a6b72ab
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@ChoiByungWook ChoiByungWook marked this pull request as ready for review March 8, 2021 20:28
@sagemaker-bot
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-slow-tests
  • Commit ID: a6b72ab
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-notebook-tests
  • Commit ID: a6b72ab
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-local-mode-tests
  • Commit ID: a6b72ab
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-pr
  • Commit ID: a6b72ab
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@sagemaker-bot
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: sagemaker-python-sdk-notebook-tests
  • Commit ID: a6b72ab
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@ChoiByungWook ChoiByungWook changed the title change: move service-role path parsing for AmazonSageMaker-ExecutionR… change: move default SageMaker role generation for get_execution_role() into except block Mar 8, 2021
@ChoiByungWook ChoiByungWook changed the title change: move default SageMaker role generation for get_execution_role() into except block change: move service-role path parsing for SageMaker for get_execution_role() into except block Mar 8, 2021
@ChoiByungWook ChoiByungWook changed the title change: move service-role path parsing for SageMaker for get_execution_role() into except block change: move service-role path parsing for AmazonSageMaker-ExecutionRole into except block Mar 8, 2021
@ChoiByungWook ChoiByungWook changed the title change: move service-role path parsing for AmazonSageMaker-ExecutionRole into except block change: move service-role path parsing for AmazonSageMaker-ExecutionRole for get_execution_role() into except block of IAM get_role() call and add warning message Mar 8, 2021
@ChoiByungWook ChoiByungWook merged commit 95e790e into aws:master Mar 8, 2021
@ChoiByungWook ChoiByungWook deleted the execution_role branch March 8, 2021 21:55
@ChoiByungWook ChoiByungWook mentioned this pull request Mar 9, 2021
Merged
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@icywang86rui icywang86rui icywang86rui approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

sagemaker.get_execution_role() returns incorrect ARN
3 participants
@ChoiByungWook @sagemaker-bot @icywang86rui