IAM identifiers - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

IAM identifiers

IAM uses a few different identifiers for users, user groups, roles, policies, and server certificates. This section describes the identifiers and when you use each.

Friendly names and paths

When you create a user, a role, a user group, or a policy, or when you upload a server certificate, you give it a friendly name. Examples include Bob, TestApp1, Developers, ManageCredentialsPermissions, or ProdServerCert.

If you use the IAM API or Amazon Command Line Interface (Amazon CLI) to create IAM resources, you can add an optional path. You can use a single path, or nest multiple paths as a folder structure. For example, you could use the nested path /division_abc/subdivision_xyz/product_1234/engineering/ to match your company organizational structure. You could then create a policy to allow all users in that path to access the policy simulator API. To view this policy, see IAM: Access the policy simulator API based on user path. For information about how a friendly name can be specified, see the User API documentation. For additional examples of how you might use paths, see IAM ARNs.

When you use Amazon CloudFormation to create resources, you can specify a path for users, user groups, and roles, and customer managed policies.

If you have a user and user group in the same path, IAM doesn't automatically put the user in that user group. For example, you might create a Developers user group and specify the path as /division_abc/subdivision_xyz/product_1234/engineering/. If you create a user named Bob and add the same path to him, this doesn't automatically put Bob in the Developers user group. IAM doesn't enforce any boundaries between users or user groups based on their paths. Users with different paths can use the same resources if they've been granted permission to those resources. The number and size of IAM resources in an Amazon account are limited. For more information, see IAM and Amazon STS quotas.


Most resources have a friendly name for example, a user named Bob or a user group named Developers. However, the permissions policy language requires you to specify the resource or resources using the following Amazon Resource Name (ARN) format.



  • partition identifies the partition for the resource. For standard Amazon Regions, the partition is aws. If you have resources in other partitions, the partition is aws-partitionname. For example, the partition for resources in the China (Beijing) Region is aws-cn. You cannot delegate access between accounts in different partitions.

  • service identifies the Amazon product. IAM resources always use iam.

  • region identifies the Region of the resource. For IAM resources, this is always kept blank.

  • account specifies the Amazon Web Services account ID with no hyphens.

  • resource identifies the specific resource by name.

You can specify IAM and Amazon STS ARNs using the following syntax. The Region portion of the ARN is blank because IAM resources are global.


arn:aws-cn:iam::account:root arn:aws-cn:iam::account:user/user-name-with-path arn:aws-cn:iam::account:group/group-name-with-path arn:aws-cn:iam::account:role/role-name-with-path arn:aws-cn:iam::account:policy/policy-name-with-path arn:aws-cn:iam::account:instance-profile/instance-profile-name-with-path arn:aws-cn:sts::account:federated-user/user-name arn:aws-cn:sts::account:assumed-role/role-name/role-session-name arn:aws-cn:sts::account:self arn:aws-cn:iam::account:mfa/virtual-device-name-with-path arn:aws-cn:iam::account:u2f/u2f-token-id arn:aws-cn:iam::account:server-certificate/certificate-name-with-path arn:aws-cn:iam::account:saml-provider/provider-name arn:aws-cn:iam::account:oidc-provider/provider-name

Many of the following examples include paths in the resource part of the ARN. Paths cannot be created or manipulated in the Amazon Web Services Management Console. To use paths, you must work with the resource by using the Amazon API, the Amazon CLI, or the Tools for Windows PowerShell.


arn:aws-cn:iam::123456789012:root arn:aws-cn:iam::123456789012:user/JohnDoe arn:aws-cn:iam::123456789012:user/division_abc/subdivision_xyz/JaneDoe arn:aws-cn:iam::123456789012:group/Developers arn:aws-cn:iam::123456789012:group/division_abc/subdivision_xyz/product_A/Developers arn:aws-cn:iam::123456789012:role/S3Access arn:aws-cn:iam::123456789012:role/application_abc/component_xyz/RDSAccess arn:aws-cn:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer arn:aws-cn:iam::123456789012:role/service-role/QuickSightAction arn:aws-cn:iam::123456789012:policy/UsersManageOwnCredentials arn:aws-cn:iam::123456789012:policy/division_abc/subdivision_xyz/UsersManageOwnCredentials arn:aws-cn:iam::123456789012:instance-profile/Webserver arn:aws-cn:sts::123456789012:federated-user/JohnDoe arn:aws-cn:sts::123456789012:assumed-role/Accounting-Role/JaneDoe arn:aws-cn:sts::123456789012:self arn:aws-cn:iam::123456789012:mfa/JaneDoeMFA arn:aws-cn:iam::123456789012:u2f/user/JohnDoe/default (U2F security key) arn:aws-cn:iam::123456789012:server-certificate/ProdServerCert arn:aws-cn:iam::123456789012:server-certificate/division_abc/subdivision_xyz/ProdServerCert arn:aws-cn:iam::123456789012:saml-provider/ADFSProvider arn:aws-cn:iam::123456789012:oidc-provider/GoogleProvider arn:aws-cn:iam::123456789012:oidc-provider/oidc.eks.us-west-2.amazonaws.com.cn/id/a1b2c3d4567890abcdefEXAMPLE11111 arn:aws-cn:iam::123456789012:oidc-provider/server.example.org

The following examples provide more detail to help you understand the ARN format for different types of IAM and Amazon STS resources.

  • An IAM user in the account:


    Each IAM user name is unique. The user name is case-insensitive for the user, such as during the sign in process, but is case-sensitive when you use it in a policy or as part of an ARN.

  • Another user with a path reflecting an organization chart:

  • An IAM user group:

  • An IAM user group with a path:

  • An IAM role:

  • A service-linked role:

  • A service role:

  • A managed policy:

  • An instance profile that can be associated with an Amazon EC2 instance:

  • A federated user identified in IAM as "Paulo":

  • The active session of someone assuming the role of "Accounting-Role", with a role session name of "Mary":

  • Represents the caller's own session when used as a resource in an API call, such as the Amazon STS SetContext API, that operates on the calling session:

  • The multi-factor authentication device assigned to the user named Jorge:

  • A server certificate:

  • A server certificate with a path that reflects an organization chart:

  • Identity providers (SAML and OIDC):

    arn:aws-cn:iam::123456789012:saml-provider/ADFSProvider arn:aws-cn:iam::123456789012:oidc-provider/GoogleProvider arn:aws-cn:iam::123456789012:oidc-provider/server.example.org
  • OIDC identity provider with a path that reflects an Amazon EKS OIDC identity provider URL:


Another important ARN is the root user ARN. Although this is not an IAM resource, you should be familiar with the format of this ARN. It is often used in the Principal element of a resource-based policy.

  • The Amazon Web Services account displays the following:


The following example shows a policy you could assign to Richard to allow him to manage his access keys. Notice that the resource is the IAM user Richard.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "ManageRichardAccessKeys", "Effect": "Allow", "Action": [ "iam:*AccessKey*", "iam:GetUser" ], "Resource": "arn:aws-cn:iam::*:user/division_abc/subdivision_xyz/Richard" }, { "Sid": "ListForConsole", "Effect": "Allow", "Action": "iam:ListUsers", "Resource": "*" } ] }

When you use ARNs to identify resources in an IAM policy, you can include policy variables. Policy variables can include placeholders for runtime information (such as the user's name) as part of the ARN. For more information, see IAM policy elements: Variables and tags

Using wildcards and paths in ARNs

You can use wildcards in the resource portion of the ARN to specify multiple users or user groups or policies. For example, to specify all users working on product_1234, you use:


If you have users whose names start with the string app_, you could refer to them all with the following ARN.


To specify all users, user groups, or policies in your Amazon Web Services account, use a wildcard after the user/, group/, or policy/ part of the ARN, respectively.

arn:aws-cn:iam::123456789012:user/* arn:aws-cn:iam::123456789012:group/* arn:aws-cn:iam::123456789012:policy/*

If you specify the following ARN for a user arn:aws-cn:iam::111122223333:user/* it matches both of the following examples.

arn:aws-cn:iam::111122223333:user/JohnDoe arn:aws-cn:iam::111122223333:user/division_abc/subdivision_xyz/JaneDoe

But, if you specify the following ARN for a user arn:aws-cn:iam::111122223333:user/division_abc* it matches the second example, but not the first.

arn:aws-cn:iam::111122223333:user/JohnDoe arn:aws-cn:iam::111122223333:user/division_abc/subdivision_xyz/JaneDoe

Don't use a wildcard in the user/, group/, or policy/ part of the ARN. For example, IAM does not allow the following:

Example use of paths and ARNs for a project-based user group

Paths cannot be created or manipulated in the Amazon Web Services Management Console. To use paths you must work with the resource by using the Amazon API, the Amazon CLI, or the Tools for Windows PowerShell.

In this example, Jules in the Marketing_Admin user group creates a project-based user group within the /marketing/ path. Jules assigns users from different parts of the company to the user group. This example illustrates that a user's path isn't related to the user groups the user is in.

The marketing group has a new product they'll be launching, so Jules creates a new user group in the /marketing/ path called Widget_Launch. Jules then assigns the following policy to the user group, which gives the user group access to objects in the part of the example_bucket that is designated to this particular launch.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws-cn:s3:::example_bucket/marketing/newproductlaunch/widget/*" }, { "Effect": "Allow", "Action": "s3:ListBucket*", "Resource": "arn:aws-cn:s3:::example_bucket", "Condition": {"StringLike": {"s3:prefix": "marketing/newproductlaunch/widget/*"}} } ] }

Jules then assigns the users who are working on this launch to the user group. This includes Patricia and Eli from the /marketing/ path. It also includes Chris and Chloe from the /sales/ path, and Alice and Jim from the /legal/ path.

Unique identifiers

When IAM creates a user, user group, role, policy, instance profile, or server certificate, it assigns a unique ID to each resource. The unique ID looks like this:


For the most part, you use friendly names and ARNs when you work with IAM resources. That way you don't need to know the unique ID for a specific resource. However, the unique ID can sometimes be useful when it isn't practical to use friendly names.

One example reuses friendly names in your Amazon Web Services account. Within your account, a friendly name for a user, user group, role, or policy must be unique. For example, you might create an IAM user named John. Your company uses Amazon S3 and has a bucket with folders for each employee. IAM user John is a member of an IAM user group named User-S3-Access with permissions that allows users access only to their own folders in the bucket. For an example of how you might create an identity-based policy that allows IAM users to access their own bucket object in S3 using the friendly name of users, see Amazon S3: Allows IAM users access to their S3 home directory, programmatically and in the console.

Suppose that the employee named John leaves your company and you delete the corresponding IAM user named John. But later another employee named John starts, and you create a new IAM user named John. You add the new IAM user named John to the existing IAM user group User-S3-Access. If the policy associated to the user group specifies the friendly IAM user name John, the policy allows the new John to access information that was left by the former John.

In general, we recommend that you specify the ARN for the resource in your policies instead of its unique ID. However, every IAM user has a unique ID, even if you create a new IAM user that reuses a friendly name you deleted before. In the example, the old IAM user John and the new IAM user John have different unique IDs. You can create resource-based policies that grant access by unique ID and not just by user name. Doing so reduces the chance that you could inadvertently grant access to information that an employee should not have.

The following example shows how you might specify unique IDs in the Principal element of a resource-based policy.

"Principal": { "AWS": [ "arn:aws-cn:iam::111122223333:role/role-name", "AIDACKCEVSQ6C2EXAMPLE", "AROADBQP57FF2AEXAMPLE" }

The following example shows how you might specify unique IDs in the Condition element of a policy using global condition key aws:userid.

"Condition": { "StringLike": { "aws:userId": [ "AIDACKCEVSQ6C2EXAMPLE", "AROADBQP57FF2AEXAMPLE:role-session-name", "AROA1234567890EXAMPLE:*", "111122223333" ] } }

Another example where user IDs can be useful is if you maintain your own database (or other store) of IAM user or role information. The unique ID can provide a unique identifier for each IAM user or role you create. This is the case when you have IAM users or roles that reuse a name, as in the previous example.

Understanding unique ID prefixes

IAM uses the following prefixes to indicate what type of resource each unique ID applies to. Prefixes may vary based on when they were created.

Prefix Resource type
ABIA Amazon STS service bearer token
ACCA Context-specific credential


User group


IAM user

AIPA Amazon EC2 instance profile
AKIA Access key

Managed policy


Version in a managed policy

APKA Public key
ASCA Certificate


Temporary (Amazon STS) access key IDs use this prefix, but are unique only in combination with the secret access key and the session token.

Getting the unique identifier

The unique ID for an IAM resource is not available in the IAM console. To get the unique ID, you can use the following Amazon CLI commands or IAM API calls.

Amazon CLI: