AdRoll / hologram

Easy, painless AWS credentials on developer laptops.
Apache License 2.0

Support for iam/info endpoint? #90

Open joelthompson opened 7 years ago

joelthompson commented 7 years ago

Hologram doesn't expose the iam/info endpoint.

In an EC2 instance, the iam/info endpoint exposes (among other things) the ARN of the instance profile associated with the instance. However, with Hologram, there is no instance profile, only an ARN. It could generate a fake instance profile based on the role ARN, e.g., if the current role ARN is arn:aws:iam::123456789012:role/MyRole then expose arn:aws:iam::123456789012:instance-profile/MyRole.

This will solve one particular class of use case -- clients that expect the iam/info endpoint to exist but don't need it to resolve to the ARN of a real instance profile. See hashicorp/terraform#12704 and hashicorp/terraform#12951 for one such use case. But, it wouldn't solve for the use case where a client expects the returned ARN to correspond to an actual instance profile.

Thoughts?

zerth commented 7 years ago

This sounds reasonable; hologram already returns fake data for other endpoints, and sanity-preserving instance profiles have the same name as the contained role anyway.
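The derivation proposed in this issue, as an added Go example that is not Hologram's code or part of either comment: it rewrites a role ARN into the matching instance-profile ARN, rejects ARNs that are not IAM roles, and renders an iam/info-style JSON body. The type and function names, the placeholder `InstanceProfileId`, and the choice to keep any role path in the result are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// IAMInfo carries the fields of the EC2 iam/info document.
type IAMInfo struct {
	Code, LastUpdated, InstanceProfileArn, InstanceProfileId string
}

// Constructed placeholder: no real instance profile exists behind it.
const placeholderProfileID = "AIPAPLACEHOLDER000000"

// FakeInstanceProfileARN rewrites arn:<partition>:iam::<account>:role/<name> to the
// instance-profile ARN of the same name (a role path is kept: an assumption here).
func FakeInstanceProfileARN(roleARN string) (string, error) {
	parts := strings.SplitN(roleARN, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" || parts[2] != "iam" {
		return "", fmt.Errorf("not an IAM ARN: %q", roleARN)
	}
	name := strings.TrimPrefix(parts[5], "role/")
	if name == parts[5] || name == "" {
		return "", fmt.Errorf("not a role ARN: %q", roleARN)
	}
	parts[5] = "instance-profile/" + name
	return strings.Join(parts, ":"), nil
}

// BuildIAMInfo renders the JSON body a metadata shim could serve.
func BuildIAMInfo(roleARN string, now time.Time) ([]byte, error) {
	arn, err := FakeInstanceProfileARN(roleARN)
	if err != nil {
		return nil, err
	}
	return json.MarshalIndent(IAMInfo{
		Code:               "Success",
		LastUpdated:        now.UTC().Format(time.RFC3339),
		InstanceProfileArn: arn,
		InstanceProfileId:  placeholderProfileID,
	}, "", "  ")
}

func main() {
	body, err := BuildIAMInfo("arn:aws:iam::123456789012:role/MyRole", time.Now())
	fmt.Println(string(body), err)
}
```

An STS assumed-role ARN is rejected rather than guessed at, so a caller has to pass the underlying role ARN.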