

# Authenticating and authorizing for directory buckets in Local Zones
<a name="iam-directory-bucket-LZ"></a>

Directory buckets in Local Zones support both Amazon Identity and Access Management (IAM) authorization and session-based authorization. For more information about authentication and authorization for directory buckets, see [Authenticating and authorizing requests](s3-express-authenticating-authorizing.md).

## Resources
<a name="directory-bucket-lz-resources"></a>

Amazon Resource Names (ARNs) for directory buckets contain the `s3express` namespace, the Amazon parent Region, the Amazon Web Services account ID, and the directory bucket name, which includes the Zone ID. To access and perform actions on your directory bucket, you must use the following ARN format:

```
arn:aws:s3express:{{region-code}}:{{account-id}}:bucket/{{bucket-base-name}}--{{ZoneID}}--x-s3
```

For directory buckets in a Local Zone, the Zone ID is the ID of the Local Zone. For more information about directory buckets in Local Zones, see [Concepts for directory buckets in Local Zones](s3-lzs-for-directory-buckets.md). For more information about ARNs, see [Amazon Resource Names (ARNs)](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference-arns.html) in the *IAM User Guide*. For more information about resources, see [IAM JSON Policy Elements: Resource](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements_resource.html) in the *IAM User Guide*.
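The following Python sketch is an added example, not code from the AWS documentation: it parses ARNs against the format above and flags `Resource` entries in a policy that do not match it, such as an ARN in the wrong namespace or a bucket name with no Zone ID. The sample policy, account ID, bucket names and Zone ID are constructed, and accepting any partition that begins with `aws` and a 12-digit account ID are assumptions.

```python
import re

# Shape taken from the ARN format on this page. Accepting any partition that
# starts with "aws" and a 12-digit account ID are assumptions of this example.
ARN_RE = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):s3express:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):bucket/(?P<bucket>[a-z0-9-]+)$"
)
SUFFIX = "--x-s3"

def parse_directory_bucket_arn(arn):
    """Return the ARN's components as a dict, or raise ValueError with the reason."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError("does not match the directory bucket ARN format")
    bucket = m.group("bucket")
    if not bucket.endswith(SUFFIX):
        raise ValueError("bucket name lacks the --x-s3 suffix")
    # The Zone ID is the segment between the last "--" and the suffix.
    base, sep, zone_id = bucket[: -len(SUFFIX)].rpartition("--")
    if not sep or not base or not zone_id:
        raise ValueError("bucket name lacks a --ZoneID segment")
    return {**m.groupdict(), "base_name": base, "zone_id": zone_id}

def lint_policy(policy):
    """List (Sid, resource, problem) for each Resource that fails the format check."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM allows a single statement object
        statements = [statements]
    findings = []
    for stmt in statements:
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            try:
                parse_directory_bucket_arn(res)
            except ValueError as exc:
                findings.append((stmt.get("Sid", ""), res, str(exc)))
    return findings

# Constructed sample policy: account ID, bucket names and Zone ID are placeholders.
_PREFIX = "arn:aws:s3express:us-west-2:111122223333:bucket/"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Good", "Effect": "Allow", "Action": "s3express:CreateSession",
     "Resource": _PREFIX + "logs--usw2-lax1-az1--x-s3"},
    {"Sid": "WrongNamespace", "Effect": "Allow", "Action": "s3express:CreateSession",
     "Resource": "arn:aws:s3:::logs--usw2-lax1-az1--x-s3"},
    {"Sid": "NoZone", "Effect": "Allow", "Action": "s3express:CreateSession",
     "Resource": _PREFIX + "logs--x-s3"}]}
```

Calling `lint_policy(SAMPLE_POLICY)` returns one finding for each of the two malformed statements. A wildcard resource is also reported, because it does not name a single bucket in the documented format.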

**Note**  
The condition key `s3express:AllAccessRestrictedToLocalZoneGroup` isn't supported in the Beijing Local Zone.