better error checking

pkg/aws_config_server/assemble_config.go

@@ -57,11 +57,16 @@ func (a *ClientIDToAWSRoles) mapRoles(ctx context.Context, oidcProvider string)
 			CredentialsChainVerboseErrors: aws.Bool(true),
 		}
 		iamClient := a.awsClient.WithIAM(workerAWSConfig).IAM.Svc
-		workerRoles := listRoles(ctx, iamClient)
+		workerRoles, err := listRoles(ctx, iamClient)
+		if err != nil {
+			logrus.Error(err)
+			return errors.Wrapf(err, "%s error", accountName)
+		}
 
 		logrus.Debugf("function: aws_config_server/assemble_config.go/mapRoles(), workerRoles: %v", workerRoles)
-		err := clientRoleMapFromProfile(ctx, accountName, workerRoles, oidcProvider, a.clientRoleMapping)
+		err = clientRoleMapFromProfile(ctx, accountName, workerRoles, oidcProvider, a.clientRoleMapping)
 		if err != nil {
+			logrus.Error(err)
 			return errors.Wrap(err, "Unable to complete mapping between ClientIDs and ConfigProfiles")
 		}
 	}

pkg/aws_config_server/list_roles.go

@@ -45,7 +45,7 @@ type ConfigProfile struct {
 	roleName string
 }
 
-func listRoles(ctx context.Context, svc iamiface.IAMAPI) []*iam.Role {
+func listRoles(ctx context.Context, svc iamiface.IAMAPI) ([]*iam.Role, error) {
 	// Run the AWS list-roles command and save the output
 	input := &iam.ListRolesInput{}
 	output := []*iam.Role{}
@@ -57,10 +57,15 @@ func listRoles(ctx context.Context, svc iamiface.IAMAPI) []*iam.Role {
 		},
 	)
 	if err != nil {
-		logrus.Error(err)
+		if aerr, ok := err.(awserr.Error); ok {
+			if aerr.Code() == iam.ErrCodeInvalidAuthenticationCodeException {
+				logrus.Error(err)
+				return output, nil
+			}
+		}
+		return output, errors.Wrap(err, "Error listing IAM roles")
 	}
-
-	return output
+	return output, nil
 }
 
 type Action []string