Amazon Resource Names (ARNs)
Amazon Resource Names (ARNs) uniquely identify Amazon resources. We require an ARN when you need to specify a resource unambiguously across all of Amazon, such as in IAM policies, Amazon Relational Database Service (Amazon RDS) tags, and API calls.
ARN format
The following are the general formats for ARNs. The specific formats depend on the resource. To use an ARN, replace the italicized text with the resource-specific information. Be aware that the ARNs for some resources omit the Region, the account ID, or both the Region and the account ID.
arn:partition:service:region:account-id:resource-id
arn:partition:service:region:account-id:resource-type/resource-id
arn:partition:service:region:account-id:resource-type:resource-id
partition
The partition in which the resource is located. A partition is a group of Amazon Regions. Each Amazon account is scoped to one partition.
The following are the supported partitions:
- aws - Amazon Regions
- aws-cn - China Regions
- aws-us-gov - Amazon GovCloud (US) Regions
service
The service namespace that identifies the Amazon product.
region
The Region code.
account-id
The ID of the Amazon account that owns the resource, without the hyphens. For example, 123456789012.
resource-type
The resource type. For example, vpc for a virtual private cloud (VPC).
resource-id
The resource identifier. This is the name of the resource, the ID of the resource, or a resource path. Some resource identifiers include a parent resource (sub-resource-type/parent-resource/sub-resource) or a qualifier such as a version (resource-type:resource-name:qualifier).
Examples
- IAM user
  arn:aws-cn:iam::123456789012:user/johndoe
- SNS topic
  arn:aws-cn:sns:us-east-1:123456789012:example-sns-topic-name
- VPC
  arn:aws-cn:ec2:us-east-1:123456789012:vpc/vpc-0e9801d129EXAMPLE
Look up the ARN format for a resource
To look up the ARN format for a specific Amazon resource, open the Service Authorization Reference, open the page for the service, and navigate to the resource types table.
Paths in ARNs
Resource ARNs can include a path. For example, in Amazon S3, the resource identifier is an object name that can include slashes (/) to form a path. Similarly, IAM user names and group names can include paths.
Paths can include a wildcard character, namely an asterisk (*). For example, if you are writing an IAM policy, you can specify all IAM users that have the path product_1234 using a wildcard as follows:
arn:aws-cn:iam::123456789012:user/Development/product_1234/*
Similarly, you can specify user/* to mean all users or group/* to mean all groups, as in the following examples:
"Resource":"arn:aws-cn:iam::123456789012:user/*"
"Resource":"arn:aws-cn:iam::123456789012:group/*"
The following example shows ARNs for an Amazon S3 bucket in which the resource name includes a path:
arn:aws-cn:s3:::my_corporate_bucket/*
arn:aws-cn:s3:::my_corporate_bucket/Development/*
Incorrect wildcard usage
You cannot use a wildcard in the portion of the ARN that specifies the resource type, such as the term user in an IAM ARN. For example, the following is not allowed.
arn:aws-cn:iam::123456789012:u* <== not allowed
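The general ARN formats and the wildcard rule above, as an added Python example that is not part of the original page or of any Amazon tooling: it parses an ARN into its fields and checks a policy Resource pattern for a wildcard in the resource-type portion. The names parse_arn, leading_segment, lint_resource_pattern and the TYPED_SERVICES set are assumptions of this example; service-specific formats still come from the Service Authorization Reference.

```python
from typing import NamedTuple, Optional

# Partitions listed on this page.
PARTITIONS = {"aws", "aws-cn", "aws-us-gov"}
# Assumption for this example: services whose ARNs on this page carry a
# resource type (user/..., vpc/...). Other services need their own rules.
TYPED_SERVICES = {"iam", "ec2"}


class Arn(NamedTuple):
    partition: str
    service: str
    region: str        # empty when the ARN omits the Region
    account_id: str    # empty when the ARN omits the account ID
    resource: str      # everything after the fifth colon, unsplit


def parse_arn(text: str) -> Arn:
    """Split an ARN into fields; the resource part may itself contain ':' or '/'."""
    parts = text.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {text!r}")
    _, partition, service, region, account_id, resource = parts
    if partition not in PARTITIONS:
        raise ValueError(f"unknown partition: {partition!r}")
    if not service or not resource:
        raise ValueError(f"missing service or resource: {text!r}")
    if "-" in account_id:  # the page: account ID is written without hyphens
        raise ValueError(f"account ID contains hyphens: {account_id!r}")
    return Arn(partition, service, region, account_id, resource)


def leading_segment(resource: str) -> str:
    """Text before the first '/' or ':' (the resource type, where one exists)."""
    cut = [i for i in (resource.find("/"), resource.find(":")) if i != -1]
    return resource[:min(cut)] if cut else resource


def lint_resource_pattern(text: str) -> Optional[str]:
    """Return a finding for a policy Resource pattern, or None if it passes."""
    try:
        arn = parse_arn(text)
    except ValueError as exc:
        return str(exc)
    if arn.service in TYPED_SERVICES and "*" in leading_segment(arn.resource):
        return "wildcard in the resource-type portion"
    return None
```

Run lint_resource_pattern over each "Resource" value in a policy document before deployment; a non-None result names the reason the pattern was rejected.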