diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 24b61477d1..119d05ab80 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -3,8 +3,9 @@ CHANGELOG
 =========
 
 1.7.1dev
-========
+=====
 
+* bug-fix: get_execution_role no longer fails if user can't call get_role
 * bug-fix: Session: use existing model instead of failing during ``create_model()``
 
 1.7.0
diff --git a/src/sagemaker/session.py b/src/sagemaker/session.py
index 20b802188f..5d4df05d1e 100644
--- a/src/sagemaker/session.py
+++ b/src/sagemaker/session.py
@@ -760,7 +760,7 @@ def expand_role(self, role):
     def get_caller_identity_arn(self):
         """Returns the ARN user or role whose credentials are used to call the API.
         Returns:
-            (str): The ARN uer or role
+            (str): The ARN user or role
         """
         assumed_role = self.boto_session.client('sts').get_caller_identity()['Arn']
 
@@ -772,7 +772,11 @@ def get_caller_identity_arn(self):
 
         # Call IAM to get the role's path
         role_name = role[role.rfind('/') + 1:]
-        role = self.boto_session.client('iam').get_role(RoleName=role_name)['Role']['Arn']
+        try:
+            role = self.boto_session.client('iam').get_role(RoleName=role_name)['Role']['Arn']
+        except ClientError:
+            LOGGER.warning("Couldn't call 'get_role' to get Role ARN from role name {} to get Role path."
+                           .format(role_name))
 
         return role
 
diff --git a/tests/unit/test_session.py b/tests/unit/test_session.py
index 3f44bd93b5..29f9f9f3a3 100644
--- a/tests/unit/test_session.py
+++ b/tests/unit/test_session.py
@@ -70,6 +70,18 @@ def test_get_caller_identity_arn_from_an_user(boto_session):
     assert actual == 'arn:aws:iam::369233609183:user/mia'
 
 
+def test_get_caller_identity_arn_from_an_user_without_permissions(boto_session):
+    sess = Session(boto_session)
+    arn = 'arn:aws:iam::369233609183:user/mia'
+    sess.boto_session.client('sts').get_caller_identity.return_value = {'Arn': arn}
+    sess.boto_session.client('iam').get_role.side_effect = ClientError({}, {})
+
+    with patch('logging.Logger.warning') as mock_logger:
+        actual = sess.get_caller_identity_arn()
+        assert actual == 'arn:aws:iam::369233609183:user/mia'
+        mock_logger.assert_called_once()
+
+
 def test_get_caller_identity_arn_from_a_role(boto_session):
     sess = Session(boto_session)
     arn = 'arn:aws:sts::369233609183:assumed-role/SageMakerRole/6d009ef3-5306-49d5-8efc-78db644d8122'