From 00a2cc0b06c527f7ce16207d238dab941e4eecaf Mon Sep 17 00:00:00 2001
From: Quentin Long <qlo@yelp.com>
Date: Fri, 21 Jul 2023 17:09:36 -0700
Subject: [PATCH] Add error message when using spark-run with assume-aws-role

---
 service_configuration_lib/spark_config.py | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/service_configuration_lib/spark_config.py b/service_configuration_lib/spark_config.py
index b2021d5..c2704e8 100644
--- a/service_configuration_lib/spark_config.py
+++ b/service_configuration_lib/spark_config.py
@@ -163,10 +163,17 @@ def assume_aws_role(
     Checks that a web identity token is available, and if it is,
     get an aws session and return a credentials dictionary
     """
-    with open(key_file) as creds_file:
-        creds_dict = yaml.load(creds_file.read(), Loader=yaml.SafeLoader)
-        access_key = creds_dict['AccessKeyId']
-        secret_key = creds_dict['SecretAccessKey']
+    try:
+        with open(key_file) as creds_file:
+            creds_dict = yaml.load(creds_file.read(), Loader=yaml.SafeLoader)
+            access_key = creds_dict['AccessKeyId']
+            secret_key = creds_dict['SecretAccessKey']
+    except PermissionError:
+        log.warning(
+            'If using spark-run as a human, you must manually export '
+            'AWS session credentials first. See y/spark-run-aws-role',
+        )
+        raise
     timestamp = int(time.time())
     client = boto3.client('sts', aws_access_key_id=access_key, aws_secret_access_key=secret_key)
     resp = client.assume_role(