Nike-Inc/cerberus-ruby-client

Bug: paths in role ARNs aren't supported

Opened this issue · 1 comments

I believe there is a bug in this client where paths in role ARNs aren't working.

Basically, if you have an instance-profile ARN like: arn:aws:iam::1234567890123:instance-profile/foobar/foo/foo-app

The role ARN needs to be constructed to look like this: arn:aws:iam::1234567890123:role/foobar/foo/foo-app

We had the same issue in the java client and the fix can be found in how we generate role ARNs from the metadata endpoints in this class,
https://github.com/Nike-Inc/cerberus-java-client/blob/master/src/main/java/com/nike/cerberus/client/auth/aws/InstanceRoleVaultCredentialsProvider.java

See method buildIamRoleArns() and the args for that method should be gathered from the two endpoints:

  1. EC2MetadataUtils.getIAMInstanceProfileInfo().instanceProfileArn; e.g. http://169.254.169.254/latest/meta-data/iam/info
  2. EC2MetadataUtils.getIAMSecurityCredentials().keySet(); e.g. http://169.254.169.254/latest/meta-data/iam/security-credentials/

Above handles the pathing edge case as well as another that occurs in CloudFormation where the role name doesn't match the instance profile name.

People have hit this issue with Java and Node, though I don't know of anyone that has hit it with Ruby. This is probably low priority.
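One way to build the role ARN candidates the issue describes, as an added Ruby example that is not the cerberus-ruby-client's (or the Java client's) own code; it assumes the two metadata values have already been fetched from the endpoints above and are passed in as strings, and the function name `build_iam_role_arns` is borrowed from the Java method only for readability.

```ruby
# Added example (not cerberus-ruby-client code): derive candidate IAM role
# ARNs from the two EC2 metadata values named in the issue.
#
# instance_profile_arn comes from /latest/meta-data/iam/info, e.g.
#   arn:aws:iam::1234567890123:instance-profile/foobar/foo/foo-app
# role_names come from /latest/meta-data/iam/security-credentials/ (one per line).

ARN_PATTERN = %r{\Aarn:(?<partition>[^:]+):iam::(?<account>\d+):instance-profile/(?<rest>.+)\z}

# Returns a Hash with :partition, :account, :path (leading and trailing slash,
# "/" when the profile has no path) and :name.
def parse_instance_profile_arn(arn)
  m = ARN_PATTERN.match(arn)
  raise ArgumentError, "not an instance-profile ARN: #{arn.inspect}" unless m

  segments = m[:rest].split("/")
  name = segments.pop
  path = segments.empty? ? "/" : "/#{segments.join('/')}/"
  { partition: m[:partition], account: m[:account], path: path, name: name }
end

# Candidate role ARNs, most specific first:
#   1. the profile's own path + name (the pathing bug from the issue)
#   2. the same path + each role name from security-credentials
#      (CloudFormation, where the role name != the instance profile name)
#   3. each role name at the root path, in case the role itself has no path
def build_iam_role_arns(instance_profile_arn, role_names)
  p = parse_instance_profile_arn(instance_profile_arn)
  prefix = "arn:#{p[:partition]}:iam::#{p[:account]}:role"
  candidates = ["#{prefix}#{p[:path]}#{p[:name]}"]
  role_names.each do |role|
    candidates << "#{prefix}#{p[:path]}#{role}"
    candidates << "#{prefix}/#{role}"
  end
  candidates.uniq
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values; real ones come from the metadata endpoints.
  puts build_iam_role_arns("arn:aws:iam::1234567890123:instance-profile/foobar/foo/foo-app",
                           ["foo-app-role"])
end
```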