Nike-Inc / cerberus-node-client

Node client for interacting with a Cerberus backend. It can be used in Amazon EC2 instances and Amazon Lambdas.

Home Page: http://nike-inc.github.io/cerberus

Bug: paths in role ARNs aren't supported

tlisonbee opened this issue · comments

I believe there is a bug in this client where paths in role ARNs aren't working.

Basically, if you have an instance-profile ARN like: arn:aws:iam::1234567890123:instance-profile/foobar/foo/foo-app

The role ARN needs to be constructed to look like this: arn:aws:iam::1234567890123:role/foobar/foo/foo-app

We had the same issue in the java client and the fix can be found in how we generate role ARNs from the metadata endpoints in this class,
https://github.com/Nike-Inc/cerberus-java-client/blob/master/src/main/java/com/nike/cerberus/client/auth/aws/InstanceRoleVaultCredentialsProvider.java

See method buildIamRoleArns() and the args for that method should be gathered from the two endpoints:

  1. EC2MetadataUtils.getIAMInstanceProfileInfo().instanceProfileArn; e.g. http://169.254.169.254/latest/meta-data/iam/info
  2. EC2MetadataUtils.getIAMSecurityCredentials().keySet(); e.g. http://169.254.169.254/latest/meta-data/iam/security-credentials/

Above handles the pathing edge case as well as another that occurs in CloudFormation where the role name doesn't match the instance profile name.
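The construction described above, as an added example rather than code from cerberus-node-client or the Java client: it takes the two metadata values named in the issue (the instance-profile ARN from `iam/info` and the role names listed by `iam/security-credentials/`) and derives the candidate role ARNs, keeping the profile's path and covering the CloudFormation case where the role name differs from the profile name. Fetching the metadata endpoints is left to the caller; the ARNs and role names in the block are constructed sample inputs, and the root-path fallback is an assumption since the metadata does not report the role's own path.

```javascript
// Added example, not code from cerberus-node-client. Builds candidate IAM role
// ARNs from the two instance-metadata values the issue names; the caller is
// expected to fetch those values from 169.254.169.254 itself.

// Split "arn:<partition>:iam::<account>:instance-profile/<path/><name>" into parts.
// AWS account ids are 12 digits; the regex is lenient so the issue's sample parses too.
function parseInstanceProfileArn(arn) {
  const m = /^arn:([^:]+):iam::(\d+):instance-profile\/(.+)$/.exec(arn);
  if (!m) throw new Error(`not an instance-profile ARN: ${arn}`);
  const [, partition, account, pathAndName] = m;
  const cut = pathAndName.lastIndexOf('/');
  return {
    partition,
    account,
    // path always starts and ends with "/", e.g. "/foobar/foo/"; root path is "/"
    path: cut === -1 ? '/' : '/' + pathAndName.slice(0, cut + 1),
    name: pathAndName.slice(cut + 1),
  };
}

// Return the role ARNs to try, most likely first, without duplicates.
function buildIamRoleArns(instanceProfileArn, securityCredentialRoleNames) {
  const { partition, account, path, name } = parseInstanceProfileArn(instanceProfileArn);
  const roleArn = (rolePath, roleName) =>
    `arn:${partition}:iam::${account}:role${rolePath}${roleName}`;
  const candidates = new Set();
  // 1. A role named like the instance profile, keeping the profile's path
  //    (the case the issue reports as broken when the path is dropped).
  candidates.add(roleArn(path, name));
  // 2. The role names actually attached to the profile, as listed by the
  //    security-credentials endpoint (CloudFormation may make these differ
  //    from the profile name). The endpoint does not report the role's path,
  //    so the profile's path is tried first and the root path as a fallback
  //    (assumption, not something the metadata guarantees).
  for (const roleName of securityCredentialRoleNames) {
    candidates.add(roleArn(path, roleName));
    candidates.add(roleArn('/', roleName));
  }
  return [...candidates];
}

// Constructed sample inputs mirroring the issue's example
const sampleProfileArn = 'arn:aws:iam::1234567890123:instance-profile/foobar/foo/foo-app';
const sampleRoleNames = ['foo-app'];
console.log(buildIamRoleArns(sampleProfileArn, sampleRoleNames));
```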

@tlisonbee I haven't seen paths in role ARNs before. How do you set up a role so that it is referenced that way?