Kiam doesn't work the aws-go-sdk on m5/c5 instances

[elafarge]

First of all, thanks a lot for the great work on kiam. Providing the ability to grant IAM roles to pods i/o nodes is a big security improvement wrt. deploying Kubernetes clusters atop AWS :)

I came accross an issue with the Golang AWS SDK today though: somehow, my Golang pods were trying to assume the role given to their underlying EC2 instance instead of using the one I was providing in the annotation.

I think I found the cause of the issue: the AWS SDK in Go calls the /iam/security-credentials/ endpoint without the trailing slash and, therefore, kiam doesn't intercept the request and passes it to the "real" instance metadata API endpoint (https://github.com/aws/aws-sdk-go/blob/db3e1e27b1ace4fc57be9c5cf7cea0566bd12034/aws/credentials/ec2rolecreds/ec2_role_provider.go#L128).

I made a PR to make the trailing slash optional in gorilla/mux route configuration, it seems to fix the issue: #42 .

[elafarge]

As a matter of fact, this issue only occurs on generation 5 AWS instances (m5, c5, ...). See the related discussion here for details.

The fix has been merged in master, I'm closing the issue :)

[hjacobs]

For reference, kube2iam had the same issue: jtblin/kube2iam#130