From dee233b9b716598930d2c5f6d74c69247202365e Mon Sep 17 00:00:00 2001 From: Andre Moeller Date: Wed, 18 Jul 2018 18:25:30 -0700 Subject: [PATCH 1/4] try to get_role, but fall back to role from regex --- src/sagemaker/session.py | 5 ++++- tests/unit/test_session.py | 10 ++++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/src/sagemaker/session.py b/src/sagemaker/session.py index d08c4fc307..050a83a12f 100644 --- a/src/sagemaker/session.py +++ b/src/sagemaker/session.py @@ -763,7 +763,10 @@ def get_caller_identity_arn(self): # Call IAM to get the role's path role_name = role[role.rfind('/') + 1:] - role = self.boto_session.client('iam').get_role(RoleName=role_name)['Role']['Arn'] + try: + role = self.boto_session.client('iam').get_role(RoleName=role_name)['Role']['Arn'] + except ClientError: + LOGGER.warning("Couldn't call 'get_role' to get Role ARN from role name {}.".format(role_name)) return role diff --git a/tests/unit/test_session.py b/tests/unit/test_session.py index 00a6fd82be..a4b3d64d57 100644 --- a/tests/unit/test_session.py +++ b/tests/unit/test_session.py @@ -69,6 +69,16 @@ def test_get_caller_identity_arn_from_an_user(boto_session): assert actual == 'arn:aws:iam::369233609183:user/mia' +def test_get_caller_identity_arn_from_an_user_without_permissions(boto_session): + sess = Session(boto_session) + arn = 'arn:aws:iam::369233609183:user/mia' + sess.boto_session.client('sts').get_caller_identity.return_value = {'Arn': arn} + sess.boto_session.client('iam').get_role.side_effect = ClientError('Bad permissions!', {}) + + actual = sess.get_caller_identity_arn() + assert actual == 'arn:aws:iam::369233609183:user/mia' + + def test_get_caller_identity_arn_from_a_role(boto_session): sess = Session(boto_session) arn = 'arn:aws:sts::369233609183:assumed-role/SageMakerRole/6d009ef3-5306-49d5-8efc-78db644d8122' From 938d4e1f4c89dd760e61f364be27ec7e6731815d Mon Sep 17 00:00:00 2001 From: Andre Moeller Date: Wed, 18 Jul 2018 18:27:18 -0700 Subject: [PATCH 2/4] add changelog --- CHANGELOG.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 625381a942..aa382f389c 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -2,6 +2,11 @@ CHANGELOG ========= +1.7.1dev +===== + +* bug-fix: get_execution_role no longer fails if user can't call get_role + 1.7.0 ===== From 7cd5c6ff1b9f6b1f3c265fc7280e82d48f138a76 Mon Sep 17 00:00:00 2001 From: Andre Moeller Date: Thu, 19 Jul 2018 14:42:11 -0700 Subject: [PATCH 3/4] pr updates --- src/sagemaker/session.py | 5 +++-- tests/unit/test_session.py | 5 ++++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/src/sagemaker/session.py b/src/sagemaker/session.py index 050a83a12f..032e7b8067 100644 --- a/src/sagemaker/session.py +++ b/src/sagemaker/session.py @@ -751,7 +751,7 @@ def expand_role(self, role): def get_caller_identity_arn(self): """Returns the ARN user or role whose credentials are used to call the API. Returns: - (str): The ARN uer or role + (str): The ARN user or role """ assumed_role = self.boto_session.client('sts').get_caller_identity()['Arn'] @@ -766,7 +766,8 @@ def get_caller_identity_arn(self): try: role = self.boto_session.client('iam').get_role(RoleName=role_name)['Role']['Arn'] except ClientError: - LOGGER.warning("Couldn't call 'get_role' to get Role ARN from role name {}.".format(role_name)) + LOGGER.warning("Couldn't call 'get_role' to get Role ARN from role name {} to get Role path." + .format(role_name)) return role diff --git a/tests/unit/test_session.py b/tests/unit/test_session.py index a4b3d64d57..e8d9bbb478 100644 --- a/tests/unit/test_session.py +++ b/tests/unit/test_session.py @@ -69,14 +69,17 @@ def test_get_caller_identity_arn_from_an_user(boto_session): assert actual == 'arn:aws:iam::369233609183:user/mia' -def test_get_caller_identity_arn_from_an_user_without_permissions(boto_session): +@patch('logging.Logger.warning') +def test_get_caller_identity_arn_from_an_user_without_permissions(boto_session, mock_logger): sess = Session(boto_session) arn = 'arn:aws:iam::369233609183:user/mia' sess.boto_session.client('sts').get_caller_identity.return_value = {'Arn': arn} sess.boto_session.client('iam').get_role.side_effect = ClientError('Bad permissions!', {}) + actual = sess.get_caller_identity_arn() assert actual == 'arn:aws:iam::369233609183:user/mia' + mock_logger.assert_called_once() def test_get_caller_identity_arn_from_a_role(boto_session): From 3b4112be064614f41a9b8fb3292d84f102b3cf58 Mon Sep 17 00:00:00 2001 From: Andre Moeller Date: Thu, 19 Jul 2018 15:04:57 -0700 Subject: [PATCH 4/4] fix unit test --- tests/unit/test_session.py | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/tests/unit/test_session.py b/tests/unit/test_session.py index e8d9bbb478..5851b14ab5 100644 --- a/tests/unit/test_session.py +++ b/tests/unit/test_session.py @@ -69,17 +69,16 @@ def test_get_caller_identity_arn_from_an_user(boto_session): assert actual == 'arn:aws:iam::369233609183:user/mia' -@patch('logging.Logger.warning') -def test_get_caller_identity_arn_from_an_user_without_permissions(boto_session, mock_logger): +def test_get_caller_identity_arn_from_an_user_without_permissions(boto_session): sess = Session(boto_session) arn = 'arn:aws:iam::369233609183:user/mia' sess.boto_session.client('sts').get_caller_identity.return_value = {'Arn': arn} - sess.boto_session.client('iam').get_role.side_effect = ClientError('Bad permissions!', {}) + sess.boto_session.client('iam').get_role.side_effect = ClientError({}, {}) - - actual = sess.get_caller_identity_arn() - assert actual == 'arn:aws:iam::369233609183:user/mia' - mock_logger.assert_called_once() + with patch('logging.Logger.warning') as mock_logger: + actual = sess.get_caller_identity_arn() + assert actual == 'arn:aws:iam::369233609183:user/mia' + mock_logger.assert_called_once() def test_get_caller_identity_arn_from_a_role(boto_session):