An Amazon Resource Name (ARN) uniquely identifies a thing in AWS. This is a quick recap on how they are structured.
ARNs have the following formats, with values separated by colons and forward-slashes.
arn::s3:::my_bucket (s3 bucket, named my_bucket) arn::iam::123456789012:user/JohnDoe (user JohnDoe, in account 123456789012)
You can omit parts of an ARN between colons, and AWS will infer the missing value for you.
For example, if you do not specify
account-id, AWS infers that you mean 'the current account-id'. As such, put nothing between the colons where
A usual part to omit from an ARN is
Valid partition values are:
- aws (the default)
- aws-cn (AWS for China)
- aws-us-gov (AWS for the US government)
Another example occurs when dealing with 'global' AWS services, such as S3.
S3 ARNs cannot have regions in them, as S3 doesn't expose regions to the user. This is why S3 Bucket Names are globally unique.
For example, some usual S3 ARNs, with values for region and account-id omitted: