Fix IDC role ARN resolution using IAM API for EKS access validation (#303)

papriwal · web-flow · commit bc62d4fb97e9 · 2025-11-11T13:34:41.000-08:00
* Fix IDC role ARN resolution using IAM API for EKS access validation

**Description**

Resolves AWS Identity Center (IDC) role ARN resolution failures during EKS access validation by implementing IAM GetRole API calls instead of string replacement. IDC roles have complex path structures (e.g., /aws-reserved/sso.amazonaws.com/region/) that are not present in assumed role ARNs but required in base role ARNs.

Changes:
- Add IAM GetRole API call to retrieve authoritative base role ARN
- Implement graceful fallback to string replacement when IAM API fails
- Add input validation for extracted role names
- Replace debug print statements with proper logging
- Maintain backward compatibility for all existing role types

**Testing Done**

- Added comprehensive unit tests covering IAM API success/failure scenarios
- Tested IDC role ARN transformation with mock IAM responses
- Verified fallback behavior for access denied and cross-account cases
- Confirmed backward compatibility with existing simple role cases
diff --git a/src/sagemaker/hyperpod/cli/cluster_utils.py b/src/sagemaker/hyperpod/cli/cluster_utils.py
@@ -24,7 +24,7 @@ def _get_current_aws_identity(session: boto3.Session) -> Tuple[str, str]:
     """
     sts_client = session.client('sts')
     identity = sts_client.get_caller_identity()
-    
+
     arn = identity['Arn']
     
     # Determine identity type
@@ -39,10 +39,22 @@ def _get_current_aws_identity(session: boto3.Session) -> Tuple[str, str]:
         # becomes arn:aws:iam::123456789012:role/MyRole
         parts = arn.split('/')
         if len(parts) >= 3:
-            base_arn = arn.replace(':sts:', ':iam:').replace(':assumed-role/', ':role/').rsplit('/', 1)[0]
-            arn = base_arn
+            role_name = parts[1]  # Extract role name from ARN
+        
+            # Try IAM API first (preferred method)
+            try:
+                iam_client = session.client('iam')
+                role_response = iam_client.get_role(RoleName=role_name)
+                # Use actual ARN from IAM API
+                arn = role_response['Role']['Arn']
+                logger.debug(f"Retrieved base role ARN from IAM API: {arn}")
+            except Exception as e:
+                logger.debug(f"IAM API failed, falling back to string replacement: {e}")
+                arn = arn.replace(':sts:', ':iam:').replace(':assumed-role/', ':role/').rsplit('/', 1)[0]
     else:
         identity_type = 'unknown'
+
+    logger.debug(f"Resolved identity - ARN: {arn}, Type: {identity_type}")
     
     return arn, identity_type
 
diff --git a/test/unit_tests/cli/test_cluster_utils.py b/test/unit_tests/cli/test_cluster_utils.py
@@ -341,3 +341,173 @@ def test_unexpected_error(self, mock_get_identity):
         assert has_access is False
         assert 'Unexpected error validating EKS access' in message
         assert 'Unexpected error' in message
+
+    def test_assumed_role_with_iam_api_success(self):
+        """Test assumed role with successful IAM API call (IDC role case)."""
+        # Mock session with both STS and IAM clients
+        mock_session = Mock()
+        mock_sts_client = Mock()
+        mock_iam_client = Mock()
+        
+        def mock_client(service):
+            if service == 'sts':
+                return mock_sts_client
+            elif service == 'iam':
+                return mock_iam_client
+        
+        mock_session.client.side_effect = mock_client
+        
+        # Mock STS response for IDC assumed role
+        mock_sts_client.get_caller_identity.return_value = {
+            'Arn': 'arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_AdministratorAccess_abc123/user-session'
+        }
+        
+        # Mock IAM response with correct base role ARN
+        mock_iam_client.get_role.return_value = {
+            'Role': {
+                'Arn': 'arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AdministratorAccess_abc123'
+            }
+        }
+        
+        # Call function
+        arn, identity_type = _get_current_aws_identity(mock_session)
+        
+        # Assertions
+        assert arn == 'arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AdministratorAccess_abc123'
+        assert identity_type == 'assumed-role'
+        mock_iam_client.get_role.assert_called_once_with(RoleName='AWSReservedSSO_AdministratorAccess_abc123')
+
+    def test_assumed_role_with_iam_api_access_denied(self):
+        """Test assumed role with IAM API access denied (fallback to string replacement)."""
+        # Mock session with both STS and IAM clients
+        mock_session = Mock()
+        mock_sts_client = Mock()
+        mock_iam_client = Mock()
+        
+        def mock_client(service):
+            if service == 'sts':
+                return mock_sts_client
+            elif service == 'iam':
+                return mock_iam_client
+        
+        mock_session.client.side_effect = mock_client
+        
+        # Mock STS response
+        mock_sts_client.get_caller_identity.return_value = {
+            'Arn': 'arn:aws:sts::123456789012:assumed-role/MyRole/session-name'
+        }
+        
+        # Mock IAM API failure (access denied)
+        mock_iam_client.get_role.side_effect = ClientError(
+            error_response={'Error': {'Code': 'AccessDenied', 'Message': 'Access denied'}},
+            operation_name='GetRole'
+        )
+        
+        # Call function
+        arn, identity_type = _get_current_aws_identity(mock_session)
+        
+        # Assertions - should fall back to string replacement
+        assert arn == 'arn:aws:iam::123456789012:role/MyRole'
+        assert identity_type == 'assumed-role'
+        mock_iam_client.get_role.assert_called_once_with(RoleName='MyRole')
+
+    def test_assumed_role_with_iam_api_role_not_found(self):
+        """Test assumed role with IAM API role not found (fallback to string replacement)."""
+        # Mock session with both STS and IAM clients
+        mock_session = Mock()
+        mock_sts_client = Mock()
+        mock_iam_client = Mock()
+        
+        def mock_client(service):
+            if service == 'sts':
+                return mock_sts_client
+            elif service == 'iam':
+                return mock_iam_client
+        
+        mock_session.client.side_effect = mock_client
+        
+        # Mock STS response
+        mock_sts_client.get_caller_identity.return_value = {
+            'Arn': 'arn:aws:sts::123456789012:assumed-role/CrossAccountRole/session-name'
+        }
+        
+        # Mock IAM API failure (role not found - cross-account case)
+        mock_iam_client.get_role.side_effect = ClientError(
+            error_response={'Error': {'Code': 'NoSuchEntity', 'Message': 'Role not found'}},
+            operation_name='GetRole'
+        )
+        
+        # Call function
+        arn, identity_type = _get_current_aws_identity(mock_session)
+        
+        # Assertions - should fall back to string replacement
+        assert arn == 'arn:aws:iam::123456789012:role/CrossAccountRole'
+        assert identity_type == 'assumed-role'
+        mock_iam_client.get_role.assert_called_once_with(RoleName='CrossAccountRole')
+
+    def test_assumed_role_with_iam_api_unexpected_error(self):
+        """Test assumed role with IAM API unexpected error (fallback to string replacement)."""
+        # Mock session with both STS and IAM clients
+        mock_session = Mock()
+        mock_sts_client = Mock()
+        mock_iam_client = Mock()
+        
+        def mock_client(service):
+            if service == 'sts':
+                return mock_sts_client
+            elif service == 'iam':
+                return mock_iam_client
+        
+        mock_session.client.side_effect = mock_client
+        
+        # Mock STS response
+        mock_sts_client.get_caller_identity.return_value = {
+            'Arn': 'arn:aws:sts::123456789012:assumed-role/MyRole/session-name'
+        }
+        
+        # Mock IAM API unexpected error
+        mock_iam_client.get_role.side_effect = Exception('Network timeout')
+        
+        # Call function
+        arn, identity_type = _get_current_aws_identity(mock_session)
+        
+        # Assertions - should fall back to string replacement
+        assert arn == 'arn:aws:iam::123456789012:role/MyRole'
+        assert identity_type == 'assumed-role'
+        mock_iam_client.get_role.assert_called_once_with(RoleName='MyRole')
+
+    def test_assumed_role_with_custom_path_success(self):
+        """Test assumed role with custom path retrieved via IAM API."""
+        # Mock session with both STS and IAM clients
+        mock_session = Mock()
+        mock_sts_client = Mock()
+        mock_iam_client = Mock()
+        
+        def mock_client(service):
+            if service == 'sts':
+                return mock_sts_client
+            elif service == 'iam':
+                return mock_iam_client
+        
+        mock_session.client.side_effect = mock_client
+        
+        # Mock STS response
+        mock_sts_client.get_caller_identity.return_value = {
+            'Arn': 'arn:aws:sts::123456789012:assumed-role/MyCustomRole/session-name'
+        }
+        
+        # Mock IAM response with custom path
+        mock_iam_client.get_role.return_value = {
+            'Role': {
+                'Arn': 'arn:aws:iam::123456789012:role/custom/path/MyCustomRole'
+            }
+        }
+        
+        # Call function
+        arn, identity_type = _get_current_aws_identity(mock_session)
+        
+        # Assertions
+        assert arn == 'arn:aws:iam::123456789012:role/custom/path/MyCustomRole'
+        assert identity_type == 'assumed-role'
+        mock_iam_client.get_role.assert_called_once_with(RoleName='MyCustomRole')
+
