Error with credentials location when using a role and profile for sagify cloud train

[gillouche]

Hello,

in the constructor of SageMakerClient class (sagemaker.py), I believe that the session should be created before the logic to assume the role. As it currently is, we try to assume a specific role with the default profile which might not contain credentials.

If a boto session is created beforehand and the sts client is created from this session

sts_client = self.boto_session.client('sts')

The client will use the defined profile and region and correctly locate the credentials in the config.

[ilazakis]

Hi @gillouche 👋 , thank you for reaching out.

Sounds like you are referring to a scenario whereby you want to use a role but also pass a specific profile along that has the access required to assume the role. Is my understanding correct?

We could adjust the logic to accommodate for that scenario from a quick look.

[gillouche]

I started using sagify today so maybe I am doing something wrong. The login mechanism used to my account is Single Sign On and we don't have the keys in the configuration.

I created a technical user with programmatic access and put the keys in a specific profile because I don't want anything in default profile since I am managing multiple accounts.

With the logic before, when I passed the role and not the profile, I got the error : botocore.exceptions.NoCredentialsError: Unable to locate credentials
since the STS client was trying to assume the role without credentials.

[kevinbuchanjr]

Hi @gillouche ,

The second answer here worked for me in this post: https://stackoverflow.com/questions/47710558/the-current-aws-identity-is-not-a-role-for-sagemaker/47767351#47767351). I added the role to my .aws/config file using the role arn after do an "Edit Trust Relationships" to add my user name to the SageMaker service so that my user could assume this role.