Skip to content

fix: ModelBuilder resolves private hub artifacts correctly#5985

Open
lhnealreilly wants to merge 1 commit into
aws:masterfrom
lhnealreilly:fix/private-hub-artifact-resolution
Open

fix: ModelBuilder resolves private hub artifacts correctly#5985
lhnealreilly wants to merge 1 commit into
aws:masterfrom
lhnealreilly:fix/private-hub-artifact-resolution

Conversation

@lhnealreilly

Copy link
Copy Markdown
Contributor

Fix two defects causing ModelBuilder to ignore private hub when resolving model artifacts, forcing the execution role to access the public JumpStart S3 cache bucket.

Defect 1: from_jumpstart_config sets hub_name AFTER init has already called _initialize_jumpstart_config(), which takes the else branch and sets hub_arn = None. Fix: call _initialize_jumpstart_config() again after setting hub_name so hub_arn is correctly derived.

Defect 2: _build_for_jumpstart does not forward hub_arn to get_init_kwargs, causing model data to resolve from the public catalog. Fix: pass hub_arn=getattr(self, 'hub_arn', None) to all get_init_kwargs call sites in the build path (_build_for_jumpstart, _detect_jumpstart_image).

Impact: Customers deploying from private hubs via ModelBuilder no longer need to grant their execution role s3:GetObject on the public JumpStart cache bucket.

Testing:

  • 8 unit tests covering both defects and end-to-end flow
  • Integration test for private hub deployment (requires env config)

Issue #, if available:

Description of changes:

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@lhnealreilly lhnealreilly force-pushed the fix/private-hub-artifact-resolution branch from 73c3510 to c85e4c4 Compare July 2, 2026 02:36
@lhnealreilly lhnealreilly force-pushed the fix/private-hub-artifact-resolution branch from c85e4c4 to f265dce Compare July 2, 2026 14:50
@lhnealreilly lhnealreilly force-pushed the fix/private-hub-artifact-resolution branch from f265dce to 5cc330b Compare July 2, 2026 15:56
@lhnealreilly lhnealreilly force-pushed the fix/private-hub-artifact-resolution branch from 5cc330b to 93c38e7 Compare July 2, 2026 17:59
Fix three defects causing ModelBuilder to ignore private hub when resolving
model artifacts, forcing the execution role to access the public JumpStart
S3 cache bucket.

Defect 1: from_jumpstart_config sets hub_name AFTER __init__ has already
called _initialize_jumpstart_config(), which takes the else branch and
sets hub_arn = None. Fix: derive hub_arn inline after setting hub_name.

Defect 2: _build_for_jumpstart does not forward hub_arn or sagemaker_session
to get_init_kwargs, causing model data to resolve from the public catalog.
Fix: pass hub_arn (when set) and sagemaker_session to all get_init_kwargs
call sites in the build path.

Defect 3: The v3 Session class (sagemaker.core.helper.session_helper.Session)
is missing hub API methods (describe_hub_content, list_hub_content_versions,
list_hub_contents) that the JumpStart cache calls during hub content
resolution. Fix: add these methods as thin wrappers around the boto3
sagemaker_client calls.

Impact: Customers deploying from private hubs via ModelBuilder no longer
need to grant their execution role s3:GetObject on the public JumpStart
cache bucket.

Testing:
- 8 new unit tests covering hub_arn derivation, forwarding, and e2e flow
- 2 existing unit tests updated to match new call signatures
@lhnealreilly lhnealreilly force-pushed the fix/private-hub-artifact-resolution branch from 93c38e7 to ae1f6cf Compare July 2, 2026 19:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants