aws / aws-sdk-js-v3

Modularized AWS SDK for JavaScript.
Apache License 2.0

SageMaker CreatePresignedDomainUrlCommandInput doesn't respect case sensitive UserProfileName parameter #6514

Open ericpapaluca opened 6 days ago

ericpapaluca commented 6 days ago

Describe the bug

When using the SageMaker SDK with the CreatePresignedDomainUrlCommand, case sensitivity is not respected in the UserProfileName parameter. This causes the command to fail when the username is not entirely lowercase.

SDK version number

"@aws-sdk/client-sagemaker": "3.658.0"

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

node -v v18.19.1

Reproduction Steps

Given a SageMaker domain with domainId d-12345 and a user named PowerUser, execute the following:


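import {
    SageMakerClient,
    CreatePresignedDomainUrlCommand,
    CreatePresignedDomainUrlCommandInput,
} from "@aws-sdk/client-sagemaker";

const client = new SageMakerClient();

// UserProfileName is passed in mixed case, exactly as the profile is named.
const input: CreatePresignedDomainUrlCommandInput = {
    DomainId: "d-12345",
    UserProfileName: "PowerUser",
    SessionExpirationDurationInSeconds: 28800,
};

const command = new CreatePresignedDomainUrlCommand(input);
const response = await client.send(command);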

Observed Behavior

Due to my client's security posture and usage of permissions boundaries, the error I receive is the following:

<guid>    ERROR   Invoke Error    {"errorType":"AccessDeniedException","errorMessage":"User: <myRoleWithCorrectPermissions> is not authorized to perform: sagemaker:CreatePresignedDomainUrl on resource: arn:aws:sagemaker:us-east-1:ACCOUNT_NUMBER:user-profile/d-12345/poweruser because no permissions boundary allows the sagemaker:CreatePresignedDomainUrl action","name":"AccessDeniedException","$fault":"client","$metadata":{"httpStatusCode":400,"requestId":"foo","attempts":1,"totalRetryDelay":0},"__type":"AccessDeniedException"

This is the same error as the user not being found. Looking further at the resource ARN, arn:aws:sagemaker:us-east-1:ACCOUNT_NUMBER:user-profile/d-12345/poweruser, we can see the PascalCase userProfileName in the parameters is changed to lowercase, causing the resource to be invalid.

I repeated this with a new username of test, all lowercase, and with the exact same code the generation was successful.

Expected Behavior

A presigned URL is returned for the user PowerUser

Possible Solution

UserProfileName parameter is not respecting the case of the input

Additional Information/Context

No response

zshzbh commented 1 day ago

Hey @ericpapaluca,

Thanks for the feedback!

I'm using "@aws-sdk/client-sagemaker": "^3.658.0" and node version v18.19.1 and I didn't have this issue.

The code I have:

import { SageMakerClient, CreatePresignedDomainUrlCommand } from "@aws-sdk/client-sagemaker";

const client = new SageMakerClient({ region: "us-east-1" });

const input = {
    DomainId: "d-xxxxx",
    UserProfileName: "PowerUse",
    SessionExpirationDurationInSeconds: 28800,
};

const command = new CreatePresignedDomainUrlCommand(input);
const response = await client.send(command);
console.log(response);

The result I have:

{
  '$metadata': {
    httpStatusCode: 200,
    requestId: 'XXXX-b284-48d7-930c-48e627fc71b3',
    extendedRequestId: undefined,
    cfId: undefined,
    attempts: 1,
    totalRetryDelay: 0
  },
  AuthorizedUrl: 'hxxxxxxx'

I got the 200 OK result.

I intentionally deleted an r and used UserProfileName: "PowerUse", and then I got the following error: ResourceNotFound: UserProfile [arn:aws:sagemaker:us-east-1:471112623206:user-profile/d-neeam48ovzvf/PowerUse] does not exist

I can't reproduce this issue, and the SDK does show the uppercase PowerUse here.

zshzbh commented 1 day ago

I'd like to suggest

  1. Remove node modules as well as the AWS packages and reinstall them
  2. Update the Node version and the SDK version
  3. Rebuild the app

If the issue persists, please add the following code to the app to get request headers and we can check from there:

client.middlewareStack.add(next => async (args) => {
    console.log(args.request);
    const response = await next(args);
    console.log(response);
    return response;
}, { step: 'finalizeRequest' });

Thanks! Maggie
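
A redacting variant of the request-logging middleware suggested above, as an added example that is not part of the original comments or the SDK: it masks credential-bearing headers and the returned AuthorizedUrl, and reports whether UserProfileName left the client with its case intact. The helper names, the header list and the sample request are assumptions constructed for illustration, and the request body is assumed to be a JSON string.

```javascript
// Added example (not the SDK's or the commenter's code): redacting request logger.
const SENSITIVE_HEADERS = new Set(["authorization", "x-amz-security-token"]);

// Copy the headers with credential-bearing values masked.
function redactHeaders(headers = {}) {
  return Object.fromEntries(Object.entries(headers).map(([name, value]) =>
    [name, SENSITIVE_HEADERS.has(name.toLowerCase()) ? "<redacted>" : value]));
}

// UserProfileName as serialized on the wire. Assumes a JSON string body.
function sentUserProfileName(request) {
  try {
    return JSON.parse(request.body).UserProfileName;
  } catch {
    return undefined; // body absent or not JSON
  }
}

// Attach with: client.middlewareStack.add(caseCheckMiddleware("PowerUser"), { step: "finalizeRequest" })
// `log` is injectable so output can be captured; it defaults to console.log.
function caseCheckMiddleware(expectedName, log = console.log) {
  return (next) => async (args) => {
    const sent = sentUserProfileName(args.request);
    log({
      headers: redactHeaders(args.request.headers),
      sentUserProfileName: sent,
      casePreserved: sent === expectedName, // false: the name changed before leaving the client
    });
    const result = await next(args);
    // AuthorizedUrl grants access to the Studio session, so keep it out of logs.
    const output = result.output && "AuthorizedUrl" in result.output
      ? { ...result.output, AuthorizedUrl: "<redacted>" }
      : result.output;
    log({ httpStatusCode: result.response?.statusCode, output });
    return result; // the caller still receives the unmodified result
  };
}

// Constructed sample request and stub handler (not captured traffic), for an offline run.
async function demo(bodyName = "PowerUser") {
  const logged = [];
  const args = { request: {
    headers: { "x-amz-target": "SageMaker.CreatePresignedDomainUrl", Authorization: "AWS4-HMAC-SHA256 constructed" },
    body: JSON.stringify({ DomainId: "d-12345", UserProfileName: bodyName }),
  } };
  const next = async () => ({ response: { statusCode: 200 }, output: { AuthorizedUrl: "https://example.invalid/constructed" } });
  const result = await caseCheckMiddleware("PowerUser", (entry) => logged.push(entry))(next)(args);
  return { logged, result };
}
```

If casePreserved is true while the service still reports a lowercased ARN, the name was not altered by the client's serialization.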