diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 24b61477d1..119d05ab80 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -3,8 +3,9 @@ CHANGELOG ========= 1.7.1dev -======== +===== +* bug-fix: get_execution_role no longer fails if user can't call get_role * bug-fix: Session: use existing model instead of failing during ``create_model()`` 1.7.0 diff --git a/src/sagemaker/session.py b/src/sagemaker/session.py index 20b802188f..5d4df05d1e 100644 --- a/src/sagemaker/session.py +++ b/src/sagemaker/session.py @@ -760,7 +760,7 @@ def expand_role(self, role): def get_caller_identity_arn(self): """Returns the ARN user or role whose credentials are used to call the API. Returns: - (str): The ARN uer or role + (str): The ARN user or role """ assumed_role = self.boto_session.client('sts').get_caller_identity()['Arn'] @@ -772,7 +772,11 @@ def get_caller_identity_arn(self): # Call IAM to get the role's path role_name = role[role.rfind('/') + 1:] - role = self.boto_session.client('iam').get_role(RoleName=role_name)['Role']['Arn'] + try: + role = self.boto_session.client('iam').get_role(RoleName=role_name)['Role']['Arn'] + except ClientError: + LOGGER.warning("Couldn't call 'get_role' to get Role ARN from role name {} to get Role path." + .format(role_name)) return role diff --git a/tests/unit/test_session.py b/tests/unit/test_session.py index 3f44bd93b5..29f9f9f3a3 100644 --- a/tests/unit/test_session.py +++ b/tests/unit/test_session.py @@ -70,6 +70,18 @@ def test_get_caller_identity_arn_from_an_user(boto_session): assert actual == 'arn:aws:iam::369233609183:user/mia' +def test_get_caller_identity_arn_from_an_user_without_permissions(boto_session): + sess = Session(boto_session) + arn = 'arn:aws:iam::369233609183:user/mia' + sess.boto_session.client('sts').get_caller_identity.return_value = {'Arn': arn} + sess.boto_session.client('iam').get_role.side_effect = ClientError({}, {}) + + with patch('logging.Logger.warning') as mock_logger: + actual = sess.get_caller_identity_arn() + assert actual == 'arn:aws:iam::369233609183:user/mia' + mock_logger.assert_called_once() + + def test_get_caller_identity_arn_from_a_role(boto_session): sess = Session(boto_session) arn = 'arn:aws:sts::369233609183:assumed-role/SageMakerRole/6d009ef3-5306-49d5-8efc-78db644d8122'