uswitch / kiam

Integrate AWS IAM with Kubernetes
Apache License 2.0

--role-base-arn-autodetect does not work when instance profile has an IAM path other than '/' #32

Closed 2rs2ts closed 6 years ago

2rs2ts commented 6 years ago

Current code in question: https://github.com/uswitch/kiam/blob/77d85897e66a0c3ab2d8cbab373a607b371f9865/pkg/aws/sts/resolver_detect_arn.go#L54-L60

It is quite possible for the ARN to have more than one / in it due to having an IAM path other than /. For example arn:aws:iam::account-id:instance-profile/mypath/role-name.

This should be accounted for in the split, or perhaps it may be more prudent to just get the current account ID and interpolate that into arn:aws:iam::%s:role.
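An added example illustrating the report above (not part of the original issue and not kiam's code): splitting on ":" before touching "/" keeps an IAM path inside the resource field, and the role base is then built from the account ID as the issue suggests. The function names, the `naiveSplit` stand-in, the partition handling and the sample account ID `123456789012` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// instanceProfile holds the parts of an IAM instance-profile ARN.
type instanceProfile struct{ Partition, AccountID, Path, Name string }

// naiveSplit is a constructed stand-in for a parser that assumes exactly one "/" (not kiam's code).
func naiveSplit(arn string) (string, error) {
	parts := strings.Split(arn, "/")
	if len(parts) != 2 {
		return "", fmt.Errorf("expected 2 parts, got %d", len(parts))
	}
	return parts[1], nil
}

// parseInstanceProfileARN splits arn:partition:service:region:account:resource on ":" first.
func parseInstanceProfileARN(arn string) (instanceProfile, error) {
	f := strings.SplitN(arn, ":", 6)
	if len(f) != 6 || f[0] != "arn" || f[2] != "iam" || f[4] == "" {
		return instanceProfile{}, fmt.Errorf("not an IAM ARN: %q", arn)
	}
	const prefix = "instance-profile/"
	rest := strings.TrimPrefix(f[5], prefix)
	if !strings.HasPrefix(f[5], prefix) || rest == "" || strings.HasSuffix(rest, "/") {
		return instanceProfile{}, fmt.Errorf("not an instance-profile ARN: %q", arn)
	}
	i := strings.LastIndex(rest, "/") // -1 when the profile uses the default path "/"
	return instanceProfile{Partition: f[1], AccountID: f[4], Path: "/" + rest[:i+1], Name: rest[i+1:]}, nil
}

// roleBaseARN interpolates the account ID into the role prefix suggested in the issue.
func roleBaseARN(p instanceProfile) string {
	return fmt.Sprintf("arn:%s:iam::%s:role", p.Partition, p.AccountID)
}

func main() {
	for _, arn := range []string{ // constructed sample ARNs
		"arn:aws:iam::123456789012:instance-profile/role-name",
		"arn:aws:iam::123456789012:instance-profile/mypath/role-name",
	} {
		_, nerr := naiveSplit(arn)
		p, err := parseInstanceProfileARN(arn)
		fmt.Printf("naiveErr=%v path=%q name=%q base=%s err=%v\n", nerr, p.Path, p.Name, roleBaseARN(p), err)
	}
}
```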

pingles commented 6 years ago

Thanks for reporting this.

I've tagged the merged code change in as v2.6.