Hologram doesn't expose the iam/info endpoint.
In an EC2 instance, the iam/info endpoint exposes (among other things) the ARN of the instance profile associated with the instance. However, with Hologram, there is no instance profile, only an ARN. It could generate a fake instance profile based on the role ARN, e.g., if the current role ARN is arn:aws:iam::123456789012:role/MyRole then expose arn:aws:iam::123456789012:instance-profile/MyRole
This will solve one particular class of use case -- clients that expect the iam/info endpoint to exist but don't need it to resolve to the ARN of a real instance profile. See hashicorp/terraform#12704 and hashicorp/terraform#12951 for one such use case. But, it wouldn't solve for the use case where a client expects the returned ARN to correspond to an actual instance profile.
Thoughts?
This sounds reasonable; Hologram already returns fake data for other endpoints, and sanity-preserving instance profiles have the same name as the contained role anyway.
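The role-to-instance-profile mapping proposed in this issue, as an added Go example; it is not code from Hologram or from anyone in this thread. The function names are hypothetical, the InstanceProfileId value is a constructed placeholder, and the four JSON fields are the ones EC2 returns from iam/info. It goes slightly beyond the issue's single case by keeping non-default partitions and role paths, and by refusing ARNs that are not IAM roles.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// iamInfo has the fields EC2 returns from /latest/meta-data/iam/info.
type iamInfo struct {
	Code               string
	LastUpdated        string
	InstanceProfileArn string
	InstanceProfileId  string
}

// fakeInstanceProfileARN (hypothetical helper) maps an IAM role ARN to the
// instance-profile ARN of the same name, keeping partition, account and path.
func fakeInstanceProfileARN(roleARN string) (string, error) {
	f := strings.SplitN(roleARN, ":", 6)
	if len(f) != 6 || f[0] != "arn" || f[2] != "iam" || f[3] != "" || f[4] == "" {
		return "", fmt.Errorf("not an IAM ARN: %q", roleARN)
	}
	name := strings.TrimPrefix(f[5], "role/")
	if name == f[5] || name == "" || strings.HasSuffix(name, "/") {
		return "", fmt.Errorf("not an IAM role ARN: %q", roleARN)
	}
	f[5] = "instance-profile/" + name
	return strings.Join(f, ":"), nil
}

// iamInfoBody renders the JSON body a metadata emulator could serve.
func iamInfoBody(roleARN string, now time.Time) ([]byte, error) {
	arn, err := fakeInstanceProfileARN(roleARN)
	if err != nil {
		return nil, err // do not invent a profile for STS or malformed ARNs
	}
	return json.Marshal(iamInfo{
		Code:               "Success",
		LastUpdated:        now.UTC().Format(time.RFC3339),
		InstanceProfileArn: arn,
		InstanceProfileId:  "AIPAFAKEPLACEHOLDER000", // constructed, not a real ID
	})
}

func main() {
	body, err := iamInfoBody("arn:aws:iam::123456789012:role/MyRole", time.Now())
	fmt.Println(string(body), err)
}
```

A client that looks the returned ARN up in IAM will still fail, which is the second use case the issue says this does not cover.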