Merge branch 'master' into revert_airflow_retry

yangaws · web-flow · commit ad09f42e976a · 2018-12-20T13:32:01.000-08:00
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -6,6 +6,7 @@ CHANGELOG
 ======
 
 * bug-fix: Revert appending Airflow retry id to default job name
+* bug-fix: Session: don't allow get_execution_role() to return an ARN that's not a role but has "role" in the name
 
 1.16.3
 ======
diff --git a/src/sagemaker/session.py b/src/sagemaker/session.py
@@ -1212,7 +1212,7 @@ def get_execution_role(sagemaker_session=None):
         sagemaker_session = Session()
     arn = sagemaker_session.get_caller_identity_arn()
 
-    if 'role' in arn:
+    if ':role/' in arn:
         return arn
     message = 'The current AWS identity is not a role: {}, therefore it cannot be used as a SageMaker execution role'
     raise ValueError(message.format(arn))
diff --git a/tests/unit/test_session.py b/tests/unit/test_session.py
@@ -65,6 +65,15 @@ def test_get_execution_role_throws_exception_if_arn_is_not_role():
     assert 'ValueError: The current AWS identity is not a role' in str(error)
 
 
+def test_get_execution_role_throws_exception_if_arn_is_not_role_with_role_in_name():
+    session = Mock()
+    session.get_caller_identity_arn.return_value = 'arn:aws:iam::369233609183:user/marcos-role'
+
+    with pytest.raises(ValueError) as error:
+        get_execution_role(session)
+    assert 'ValueError: The current AWS identity is not a role' in str(error)
+
+
 def test_get_caller_identity_arn_from_an_user(boto_session):
     sess = Session(boto_session)
     arn = 'arn:aws:iam::369233609183:user/mia'
