@joelthompson from earlier discussions I feel like this might help some and break others. Thoughts?

@jefferai -- tl;dr: I'm pretty confident this particular change is safe.

For the change we were discussing in #2729 relates to the IAM auth method only and how users are inputting the bound IAM principal ARN. The only time this code here gets called is using either the ec2 auth method or inferring an EC2 instance, and specifying a bound _iam_role_arn. Vault reads the IAM instance profile ARN out of the the EC2 API then parses that for the sole purpose of looking up the IAM role that is attached to the instance profile.

Currently, Vault is improperly parsing the IAM instance profile arn, and when there is a path component to the profile (e.g., for an ARN of arn:aws:iam::123456789012:instance-profile/path/ProfileName the path would be "/path/"), Vault includes the path in the actual name, resulting in an instance profile "name" that looks like "path/ProfileName". That is an invalid name; the API docs for iam:GetInstanceProfile have a regex that doesn't allow "/" in the name, and it results in an error for the client every time. In fact, the path component isn't even a parameter in any of the instance profile API methods except iam:CreateInstanceProfile and iam:ListInstanceProfiles.

The only way I can think that this would break a user is if that user has an instance profile name with a "/" in it, but that's not allowed by AWS and breaks every time (and, e.g., the iam:CreateInstanceProfile docs have the same regex for allowed names, so there's no way to even create such an instance profile in the first place), so I can't think of a way this would break any existing users.

@joelthompson many thanks for digging in and looking!