What is an ARN
An important concept in IAM is the ARN.
Here is the official definition:
Amazon Resource Names (ARNs) uniquely identify AWS resources. We require an ARN when you need to specify a resource unambiguously across all of AWS, such as in IAM policies, Amazon Relational Database Service (Amazon RDS) tags, and API calls.
An ARN is really just a globally unique identifier for an individual AWS resource. It takes one of the following formats.
arn:partition:service:region:account-id:resource
arn:partition:service:region:account-id:resourcetype/resource
arn:partition:service:region:account-id:resourcetype:resource
The partition is aws for the standard regions (aws-cn and aws-us-gov for the China and GovCloud partitions), service is the namespace of the service that owns the resource, and region and account-id are left empty when they do not apply, for example for IAM, which is global, and for S3, whose bucket names are already globally unique. The resource part may itself contain colons and slashes, so anything that parses an ARN must split on the first five colons only.
Let's look at some examples of ARNs. Note the different formats used.
<!-- Elastic Beanstalk environment -->
arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/MyEnvironment
<!-- IAM user name -->
arn:aws:iam::123456789012:user/David
<!-- Amazon RDS instance used for tagging -->
arn:aws:rds:eu-west-1:123456789012:db:mysql-db
<!-- Object in an Amazon S3 bucket -->
arn:aws:s3:::my_corporate_bucket/exampleobject.png
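The following parser is an added example and not code from the chapter. It splits an ARN into the fields of the three formats above and recovers the resource type and resource id for each of the sample ARNs; the names Arn and parse_arn are this example's own, and the account-id check (12 digits, empty, or the literal aws used by AWS-managed resources) is the example's assumption about what is worth validating.

```python
# Added example (not from the original chapter): parse an ARN into the
# fields of the three formats shown above. The helper names (Arn, parse_arn)
# are this example's own.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Arn:
    partition: str   # "aws", "aws-cn" or "aws-us-gov"
    service: str     # e.g. "iam", "s3", "lambda"
    region: str      # empty for global services such as IAM
    account_id: str  # empty for S3, whose bucket names are already globally unique
    resource: str    # everything after the fifth colon; may itself contain ':' or '/'

    @property
    def resource_type(self) -> Optional[str]:
        """Type prefix of the 'resourcetype/resource' and 'resourcetype:resource'
        formats, or None for the bare 'resource' format. For S3 this prefix is
        the bucket name, because S3 ARNs are 'bucket/key'."""
        cuts = [i for i in (self.resource.find("/"), self.resource.find(":")) if i != -1]
        return self.resource[: min(cuts)] if cuts else None

    @property
    def resource_id(self) -> str:
        """The part after the type prefix (the whole field if there is no prefix)."""
        prefix = self.resource_type
        return self.resource if prefix is None else self.resource[len(prefix) + 1 :]


def parse_arn(value: str) -> Arn:
    """Split an ARN on its first five colons; anything after them stays in `resource`."""
    parts = value.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {value!r}")
    _, partition, service, region, account_id, resource = parts
    if not (partition and service and resource):
        raise ValueError(f"partition, service and resource are required: {value!r}")
    # Assumption of this example: an account id is 12 digits, empty for services
    # that do not use it, or the literal "aws" for AWS-managed resources such as
    # managed IAM policies.
    if account_id not in ("", "aws") and not (len(account_id) == 12 and account_id.isdigit()):
        raise ValueError(f"bad account id in ARN: {value!r}")
    return Arn(partition, service, region, account_id, resource)


if __name__ == "__main__":
    for example in (
        "arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/MyEnvironment",
        "arn:aws:iam::123456789012:user/David",
        "arn:aws:rds:eu-west-1:123456789012:db:mysql-db",
        "arn:aws:s3:::my_corporate_bucket/exampleobject.png",
    ):
        arn = parse_arn(example)
        print(f"{arn.service:17} region={arn.region or '-':10} "
              f"type={arn.resource_type} id={arn.resource_id}")
```

Note that the RDS example only parses correctly because the split stops after the fifth colon; a naive split on every colon would cut db:mysql-db in two, and the Elastic Beanstalk example shows that a resource id can itself contain a slash.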
Finally, let's look at the common use cases for ARNs.
- Communication
An ARN is used to reference a specific resource when you orchestrate a system involving multiple AWS resources. For example, you have an API Gateway REST API that invokes the corresponding Lambda function based on the request path and method. The routing looks like the following.
GET /hello_world => arn:aws:lambda:us-east-1:123456789012:function:lambda-hello-world
- IAM Policy
We looked at this in detail in the last chapter, but here is an example of a policy definition.
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::Hello-bucket/*"
  }
}
The ARN in the Resource element defines which resource (objects in the S3 bucket Hello-bucket, in this case) the access is granted for. The wildcard character * matches every object key inside Hello-bucket, including keys containing further slashes. Note that the object pattern arn:aws:s3:::Hello-bucket/* does not match the bucket ARN arn:aws:s3:::Hello-bucket itself, so bucket-level actions such as s3:ListBucket need a separate statement that names the bucket ARN. The reverse also holds: a wildcard placed earlier in the ARN, such as arn:aws:s3:::*, grants access to every bucket in the partition, so keep the wildcard as far to the right as the use case allows.
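To make the Resource matching concrete, here is an added example (not code from the chapter) that evaluates the policy above, extended for this example with a bucket-level s3:ListBucket statement and an explicit Deny on a secrets/ prefix. The function is_allowed is a deliberate simplification of IAM's evaluation logic: it honours explicit Deny and Allow only and ignores Condition, Principal, NotAction and NotResource. The glob_match helper and the policy extension are this example's assumptions.

```python
# Added example (not from the original chapter): evaluate which (action, resource)
# pairs a policy allows, using IAM's wildcard rules for the Resource element.
import json
import re
from typing import Union

# The chapter's policy, extended (for this example only) with a bucket-level
# statement and an explicit Deny on a prefix.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::Hello-bucket/*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::Hello-bucket"},
        {"Effect": "Deny", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::Hello-bucket/secrets/*"},
    ],
}


def glob_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style matching: '*' matches any run of characters (including '/' and ':'),
    '?' matches exactly one character, everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(v: Union[str, list]) -> list:
    return v if isinstance(v, list) else [v]


def is_allowed(policy: dict, action: str, resource_arn: str) -> bool:
    """Simplified IAM evaluation: explicit Deny wins, otherwise any matching Allow.
    Condition, Principal, NotAction and NotResource are not modelled."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        # Action names are case-insensitive; resource ARNs (e.g. S3 keys) are not.
        if not any(glob_match(a, action, ignore_case=True) for a in _as_list(stmt["Action"])):
            continue
        if not any(glob_match(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny always wins
        allowed = True
    return allowed


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    # The object pattern from the chapter does not cover the bucket ARN itself.
    print(glob_match("arn:aws:s3:::Hello-bucket/*", "arn:aws:s3:::Hello-bucket"))  # False
    for action, arn in [
        ("s3:GetObject", "arn:aws:s3:::Hello-bucket/report.png"),
        ("s3:GetObject", "arn:aws:s3:::Hello-bucket/secrets/key.pem"),
        ("s3:ListBucket", "arn:aws:s3:::Hello-bucket"),
        ("s3:PutObject", "arn:aws:s3:::Hello-bucket/report.png"),
        ("s3:GetObject", "arn:aws:s3:::Hello-bucket-backup/report.png"),
    ]:
        verdict = "ALLOW" if is_allowed(POLICY, action, arn) else "DENY"
        print(f"{action:14} {arn:48} -> {verdict}")
```

Two details are worth checking against your own policies: the * in Hello-bucket/* spans slashes, so it also covers nested prefixes such as secrets/, which is why an explicit Deny is the reliable way to carve out an exception; and a bucket whose name merely starts with Hello-bucket (Hello-bucket-backup) is not matched, because the pattern requires a slash immediately after the bucket name.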
Next, you can learn more about AWS AppSync.