In this blog, I talk about concepts, tips, and tricks related to AWS arn. I will also talk about how to create arn URLs for a specific AWS resource.

I have also added all the important links to AWS resources to build the ARNs you need quickly.

What is ARN in AWS?

Amazon Resource Names (ARNs) are uniques identifiers assigned to individual resources. It can be an ec2 instance, EBS Volumes, S3 bucket, load balancers, VPCs, route tables, etc.

An ARN looks like the following for an ec2 instance.

arn:aws:ec2:us-east-1:4575734578134:instance/i-054dsfg34gdsfg38

Why are ARNs Important?

ARNs are very important when it comes to IAM policies. You will end up using ARNs if you following the standard best practices for IAM roles and policies.

ARNs has the following key use cases.

  1. They are used in IAM policies for granting restricted granular access to resources. One example is to allow a specific IAM user to access only specific ec2 instances.
  2. It can be used in automation scripts and API calls to refer to other resources.

If you did not understand the above points, don’t worry, we will look at those with practical examples in the following topics.

AWS ARN format

In most cases, you can build the ARN URL yourself following the below format.

arn:aws:service:region:account-id:resource-id
arn:aws:service:region:account-id:resource-type/resource-id
arn:aws:service:region:account-id:resource-type:resource-id

In the above formats, towards the end, you can see the difference in the formats which changes as per the resource types.

Here are the arn examples for all the three formats.

S3 ARN: Where you have a flat hierarchy of buckets and associated objects

arn:aws:s3:::devopscube-bucket

EC2 ARN: ec2 service has sub resource-types like image, security groups etc. The following example uses the instance resource-type.

arn:aws:ec2:us-east-1:4575734578134:instance/i-054dsfg34gdsfg38

Lambda ARN: Where you have functions with versions. Here the version is the qualifier.

arn:aws:lambda:us-east-1:4575734578134:function:api-fucntion:1

How to get the ARNs of AWS resources?

If you are getting started with AWS, you may find it difficult to put together the correct arn URL for a resource.

You can find the syntax for ARNs for all the AWS services here.

For example, if you go ec2 resource from the list, and scroll down to the “Resource Types Defined by Amazon EC2” section, you will find the reference for all the sub rsource types for ec2 as shown below.

aws arn reference document

Another way is to use the aws policy generator.

In the policy generator, when you select the policy resource, it will automatically show the arn suggestion as shown below. You just need to add resource information.

arn policy generator min

ARN Wildcards

ARN definition supports wildcards. You will need wildcard in many use cases.

Let say you want a IAM policy which allows access to all objects in a single bucket. For this you can have a wildcard arn like below.

arn:aws:s3:::my-data-bucket/*

Here is an example of using wildcard arn in an IAM policy. This policy allows all actions for dcubebucket S3 bucket.

{
	"Version": "2012-10-17",
	"Statement": [{
		"Sid": "Stmt1596173683332",
		"Action": "s3:*",
		"Effect": "Allow",
		"Resource": [
			"arn:aws:s3:::dcubebucket",
			"arn:aws:s3:::dcubebucket/*"
		]
	}]
}

Here is another example policy which allows limted access to all emr clusters.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1596174145144",
      "Action": [
        "elasticmapreduce:AddInstanceFleet",
        "elasticmapreduce:AddTags",
        "elasticmapreduce:DescribeCluster",
        "elasticmapreduce:DescribeEditor",
        "elasticmapreduce:DescribeJobFlows",
        "elasticmapreduce:DescribeSecurityConfiguration"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:elasticmapreduce:*:*:cluster/*"
    }
  ]
}

Getting ARN from AWS CLI

You can get the ARNs of specific resources from the CLI.

For all IAM roles, policies and users, you can get the ARN from the CLI by describing it.

Here is an example of getting arn of a role.

aws iam get-role --role-name EMR_DefaultRole

Here is output with the arn.

aws arn cli min

Like this you can try describing the resource and see if it outputs the arn.

Getting ARN from AWS Console

You can get the arn of IAM resources directly from AWS console.

Just browse to the specific resource and you will find the related arn at the top as shown below.

iam arm console min

Getting ARN as Output in Cloudformation

If you are using Cloudformation, you can get the resource arn in the output with the function Fn::GetAtt

Here is an example syntax of getting getting the arn of a Lambda function.

resources:
  Outputs:
    LamdaFunctionArn:
      Export:
        Name: MyFucntionARN
      Value:
        Fn::GetAtt: MyLambdaFunction.Arn

Wrapping Up

I have added some of the resources and tricks I use for aws arn.

I would like to hear from you.

Please let me some scenarios you have come across in the comments section.

aws arn explained