Introduction to Amazon Resource Names (ARNs)

If you are using AWS, you might have come across the term ARN, which stands for Amazon Resource Name. An ARN is a unique identifier for an AWS resource, such as an EC2 instance, an S3 bucket, a Lambda function, or an IAM user. ARNs are useful for specifying resources unambiguously across all of AWS, such as in IAM policies, Amazon RDS tags, and API calls.

In this blog post, we will explain what ARNs are, how they are structured, how to find them, and how to use them in your AWS applications.

What is an ARN?

An ARN is a string that consists of six components separated by colons:

  • The prefix arn, which indicates that this is an Amazon Resource Name.
  • The partition, which identifies the group of AWS regions that the resource belongs to. For example, aws for standard AWS regions, aws-cn for China regions, and aws-us-gov for AWS GovCloud (US) regions.
  • The service, which identifies the AWS product that the resource is associated with. For example, ec2 for Amazon Elastic Compute Cloud, s3 for Amazon Simple Storage Service, and iam for AWS Identity and Access Management.
  • The region, which identifies the AWS region where the resource is located. For example, us-east-1 for US East (N. Virginia), eu-west-1 for Europe (Ireland), and ap-southeast-2 for Asia Pacific (Sydney). Some resources do not have a region component, such as IAM users and global services like Amazon S3.
  • The account ID, which identifies the AWS account that owns the resource. This is a 12-digit number without hyphens. For example, 123456789012.
  • The resource ID, which identifies the specific resource within the service. This can be a name, an ID, a path, or a combination of these elements depending on the resource type. For example, user/johndoe for an IAM user named johndoe, vpc/vpc-0e9801d129EXAMPLE for a VPC with ID vpc-0e9801d129EXAMPLE, and function:api-function:1 for a Lambda function named api-function with version 1.

Here are some examples of ARNs for different AWS resources:

| Resource | ARN |
|---|---|
| An IAM user named johndoe | arn:aws:iam::123456789012:user/johndoe |
| An S3 bucket named ams-bucket | arn:aws:s3:::ams-bucket |
| An EC2 instance with ID i-012abcd34efghi56 in US East (Ohio) | arn:aws:ec2:us-east-2:123456789012:instance/i-012abcd34efghi56 |
| A Lambda function named api-function with version 1 in US East (N. Virginia) | arn:aws:lambda:us-east-1:123456789012:function:api-function:1 |
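To make the six-component structure concrete, here is an added example (not code from the original post) that parses an ARN into its fields, validates the parts the post describes (the arn prefix, a known partition, a 12-digit account ID when one is present, a non-empty resource), splits the resource into its type and ID, and rebuilds an ARN from components. The set of accepted partitions is limited to the three the post names and is an assumption you may need to widen; the sample ARNs are the ones from the table above.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Partitions named in the post; other partitions exist, so extend this set
# if your environment uses them (assumption for this example).
KNOWN_PARTITIONS = {"aws", "aws-cn", "aws-us-gov"}


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str    # "" for resources that have no region component
    account: str   # "" for resources that have no account component
    resource: str  # everything after the fifth colon, colons included

    def __str__(self) -> str:
        # Rebuild the string form; parse_arn(str(arn)) == arn for valid ARNs
        return ":".join(["arn", self.partition, self.service,
                         self.region, self.account, self.resource])

    def split_resource(self) -> Tuple[Optional[str], str]:
        """Split the resource part into (type, id).

        The type is the text before the first '/' or ':' ("user" in
        "user/johndoe", "function" in "function:api-function:1"); resources
        without a separator, such as an S3 bucket name, have no type.
        """
        m = re.fullmatch(r"([^/:]+)[/:](.+)", self.resource)
        if m is None:
            return None, self.resource
        return m.group(1), m.group(2)


def parse_arn(text: str) -> Arn:
    """Parse an ARN string into its components, rejecting malformed input."""
    # The resource part may itself contain colons, so split at most 5 times
    parts = text.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {text!r}")
    _, partition, service, region, account, resource = parts
    if partition not in KNOWN_PARTITIONS:
        raise ValueError(f"unknown partition {partition!r} in {text!r}")
    if not service:
        raise ValueError(f"missing service in {text!r}")
    # Account IDs are exactly 12 digits with no hyphens when present
    if account and not re.fullmatch(r"[0-9]{12}", account):
        raise ValueError(f"invalid account ID {account!r} in {text!r}")
    if not resource:
        raise ValueError(f"missing resource in {text!r}")
    return Arn(partition, service, region, account, resource)


def build_arn(service: str, resource: str, *, partition: str = "aws",
              region: str = "", account: str = "") -> str:
    """Construct an ARN from its components and validate it by round-tripping."""
    arn = Arn(partition, service, region, account, resource)
    return str(parse_arn(str(arn)))


if __name__ == "__main__":
    # Sample ARNs taken from the table in the post
    for sample in (
        "arn:aws:iam::123456789012:user/johndoe",
        "arn:aws:s3:::ams-bucket",
        "arn:aws:ec2:us-east-2:123456789012:instance/i-012abcd34efghi56",
        "arn:aws:lambda:us-east-1:123456789012:function:api-function:1",
    ):
        arn = parse_arn(sample)
        print(arn.service, arn.region or "-", arn.account or "-", arn.split_resource())
```

Splitting on at most five colons is the important detail: the Lambda ARN carries two more colons inside its resource part (function:api-function:1), so a naive split on every colon would break it into the wrong number of pieces. Validating the account field is also a cheap way to catch ARNs that were copied with a typo before they end up in a policy.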

How to find an ARN?

There are different ways to find the ARN of an AWS resource depending on the service and the resource type. Here are some common methods:

  • AWS service console: You can go to the relevant AWS service console, locate the resource and find the ARN in the details or properties section of the resource.
  • AWS CLI or API: You can use the AWS Command Line Interface (CLI) or the AWS Application Programming Interface (API) to describe the resource and read the ARN from the output. For example, you can use the following command to get the ARN of an IAM role named EMR_DefaultRole:
aws iam get-role --role-name EMR_DefaultRole

You can find more information about the CLI commands and API operations for each service in the [AWS CLI Command Reference](https://docs.aws.amazon.com/cli/latest/reference/index.html) and the [AWS API Reference](https://docs.aws.amazon.com/index.html).

  • Construct the ARN manually: You can also construct the ARN yourself by following the appropriate format for each resource type and filling in the information. You can find the ARN format for each service and resource type in the [AWS Service Authorization Reference](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html).

How to use an ARN?

You can use an ARN to refer to a specific AWS resource in various scenarios, such as:

– IAM policies: You can use an ARN to specify which resources a policy applies to or grants access to. For example, you can use an ARN to allow an IAM user to list only objects in a specific S3 bucket:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::ams-bucket"
      }
   ]
}

You can also use wildcards (*) in ARNs to match multiple resources with a common prefix or suffix. For example, you can use an ARN to allow an IAM user to access all EC2 instances in US East (Ohio):

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": "ec2:*",
         "Resource": "arn:aws:ec2:us-east-2:123456789012:instance/*"
      }
   ]
}
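When reviewing a policy it helps to know exactly which ARNs a Resource pattern covers. The following added example (not code from the original post) implements IAM's Resource wildcard semantics, where `*` matches any run of characters and `?` matches a single one, and runs the wildcard statement above against a small constructed inventory of ARNs. It also reports which ARN fields a pattern leaves completely open, which is the quick check for an over-broad grant. The inventory and the helper names are assumptions made for this example.

```python
import re
from typing import Dict, List, Union

ARN_FIELDS = ["partition", "service", "region", "account", "resource"]


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an IAM Resource pattern into a regular expression.

    In the Resource element '*' matches any run of characters (including
    ':' and '/') and '?' matches exactly one character; all else is literal.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def resource_matches(pattern: str, arn: str) -> bool:
    """True if the policy Resource pattern covers the given ARN."""
    return pattern_to_regex(pattern).fullmatch(arn) is not None


def wildcarded_fields(pattern: str) -> List[str]:
    """Names of ARN fields that a Resource pattern leaves completely open.

    A bare "*" opens every field; otherwise a field is reported when its
    whole value is "*" (the region and account in "arn:aws:ec2:*:*:instance/*").
    """
    if pattern == "*":
        return list(ARN_FIELDS)
    parts = pattern.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return []
    return [name for name, value in zip(ARN_FIELDS, parts[1:]) if value == "*"]


def covered_resources(statement: Dict[str, Union[str, List[str]]],
                      arns: List[str]) -> List[str]:
    """ARNs from the inventory that the statement's Resource element matches."""
    patterns = statement["Resource"]
    if isinstance(patterns, str):
        patterns = [patterns]
    return [arn for arn in arns if any(resource_matches(p, arn) for p in patterns)]


# Constructed sample inventory for this example, not real resources
INVENTORY = [
    "arn:aws:ec2:us-east-2:123456789012:instance/i-012abcd34efghi56",
    "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0",
    "arn:aws:ec2:us-east-2:123456789012:volume/vol-0123456789abcdef0",
    "arn:aws:s3:::ams-bucket",
    "arn:aws:s3:::ams-bucket/reports/2024.csv",
]

# The wildcard statement from the post
EC2_STATEMENT = {
    "Effect": "Allow",
    "Action": "ec2:*",
    "Resource": "arn:aws:ec2:us-east-2:123456789012:instance/*",
}

if __name__ == "__main__":
    print(covered_resources(EC2_STATEMENT, INVENTORY))
    print(wildcarded_fields("arn:aws:ec2:*:*:instance/*"))
```

Two things the matcher makes visible: the statement above covers only instances in us-east-2 of account 123456789012, not the volume in the same region or an instance in us-east-1; and a bucket ARN such as arn:aws:s3:::ams-bucket does not match object ARNs under it, which is why s3:ListBucket is granted on the bucket ARN while object-level actions need the bucket/* form.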

You can find more information about how to use ARNs in IAM policies in the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html).

– Amazon RDS tags: You can use an ARN to tag your Amazon Relational Database Service (RDS) resources with key-value pairs that you can use for cost allocation, automation, or other purposes. For example, you can use an ARN to tag a DB instance with its environment name:

aws rds add-tags-to-resource \
--resource-name arn:aws:rds:us-east-1:123456789012:db:mysql-db \
--tags Key=Environment,Value=Production

You can find more information about how to use ARNs in Amazon RDS tags in the [Amazon RDS User Guide](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.ARN.html).

– API calls: You can use an ARN to identify a resource when you make an API call to an AWS service. For example, you can use an ARN to invoke a Lambda function:

aws lambda invoke \
--function-name arn:aws:lambda:us-east-1:123456789012:function:api-function \
--payload '{"name":"Alice"}' \
response.json

You can find more information about how to use ARNs in API calls in the [AWS API Reference](https://docs.aws.amazon.com/index.html).

Conclusion

ARNs are essential for working with AWS resources as they provide a consistent and unambiguous way to identify them across all of AWS. By understanding what ARNs are, how they are structured, how to find them, and how to use them, you can leverage them effectively in your AWS applications.