Finding an Object's Amazon Resource Name

The thing that makes using an ARN so tricky is that even though every AWS object has an ARN, Amazon may not tell you what that ARN is.

When you create an object in AWS, you are usually prompted to assign a name to that object. The name that you assign acts as a friendly name, making it easier to tell one object from another. In many cases, you can reference an object either by its name or by an ID number that Amazon automatically assigns to the object. Sometimes however, Amazon requires you to identify an object by its Amazon Resource Name, or ARN. This is particularly true when creating an IAM policy, but that isn't the only time when using an object's ARN is required.

An Amazon Resource Name is a special identifier that uniquely describes an object across the entire Amazon cloud. This name describes the object's owner (the account within which the object exists), the region, the object type and more.

Amazon may not tell you what an object's ARN is, though. If you look at an EC2 instance's properties, for example, you will find its instance ID, VPC ID, Subnet ID, Host ID and more, but you won't find the instance's ARN. You can see the information that is displayed for a virtual machine instance in Figure 1.

Figure 1: This is what an EC2 instance's summary screen looks like.

So if Amazon doesn't list the ARN for a particular object, where can you find it? Although Amazon might not explicitly tell you what an object's ARN is, you can derive the ARN for any AWS object. The trick is to know how the ARN is constructed.

An ARN generally adheres to one of three formats:

arn:partition:service:region:account-id:resource-id
arn:partition:service:region:account-id:resource-type/resource-id
arn:partition:service:region:account-id:resource-type:resource-id

Depending on the resource type, an ARN might not include an account ID or a region, which is why there are three different formats.

The first thing that you will have to determine is the partition name. In most cases, the partition name will simply be aws (in lower case). However, resources in China use aws-cn and resources owned by the United States government usually have a partition name of aws-us-gov.

The next thing that you will need to know is the name of the service that is associated with the object. However, you can't use the actual service name. You must instead enter the service prefix. The easiest way to find the prefix for a service is to go to Actions, resources, and condition keys for AWS services and then click on the service that you are interested in.

Once you have determined the service prefix, the next thing that you will usually need to know is the region code for the region where the object exists. You can usually get the region code through the GUI, but if you need help, you can consult a full list of region codes.

There are two more pieces of information that you will need in order to formulate an ARN. First, you will need the ID of the account that owns the resource. The other thing that you will need is the object's resource identifier. Every AWS resource has an identifier, but the resource identifier's format can vary considerably based on the object type. What tends to make finding the resource identifier especially tricky is that its name varies by service. In the case of an EC2 virtual machine instance for example, the Instance ID acts as the resource identifier.

So with that said, let's take a look at what an ARN looks like. Suppose for a moment that we wanted to create an ARN for the virtual machine instance shown in the figure above. Here is the information for that instance:

Partition: aws
Service Prefix: ec2
Region: us-west-2
Account ID: 12345 (this is obviously not my real account ID)
Resource ID: i-060d319e74305c009

With that in mind, here is what an ARN might look like:

arn:aws:ec2:us-west-2:12345:instance/i-060d319e74305c009

The first thing that you will probably notice is that the ARN is colon delimited, meaning that colons separate the various pieces of information. Another thing that you will probably notice is that I inserted the word "instance" in front of the EC2 instance ID. The reason for this is that some services require you to enter the resource type along with the resource identifier. In the case of an EC2 instance, the resource type and the resource identifier are separated by a slash, but some services use a colon instead.

It is also worth noting that some of the examples that Amazon provides in its documentation don't look all that similar to the example that I have given above. You might see multiple colons grouped together in situations where it is unnecessary to provide certain pieces of information. Amazon also sometimes uses wildcard characters to designate that the ARN applies to multiple objects. An ARN pointing to all of the files in a particular S3 bucket for example, would include the bucket name followed by a slash and a wildcard character (an asterisk). You can consult Amazon's full documentation on ARN naming conventions for more.
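The construction steps above (partition, service prefix, region, account ID, resource type and identifier) and the wildcard note, as an added example that is not code from the article. It assembles the EC2 instance ARN from the article's own values, parses ARNs back into their six fields, and checks whether a wildcard pattern such as an IAM statement's Resource element covers a concrete ARN. The `Arn` class and the function names are this example's own; the partition names and the three formats come from the text, and the rule that a wildcard never matches across a colon is this example's simplification rather than an AWS guarantee.

```python
import re
from dataclasses import dataclass

# The partition names given in the article; anything else is rejected as a typo.
KNOWN_PARTITIONS = {"aws", "aws-cn", "aws-us-gov"}


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str     # the service prefix, e.g. "ec2", never the display name
    region: str      # "" for global services such as IAM or S3
    account_id: str  # "" where the service omits it, e.g. S3 buckets
    resource: str    # everything after the fifth colon, kept intact


def parse_arn(text: str) -> Arn:
    """Split an ARN into its six fields and validate the fixed ones."""
    # Split on at most five colons: the resource field may itself contain
    # colons (the resource-type:resource-id form), so it must stay whole.
    parts = text.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {text!r}")
    _, partition, service, region, account_id, resource = parts
    if partition not in KNOWN_PARTITIONS:
        raise ValueError(f"unknown partition {partition!r} in {text!r}")
    if not service or not resource:
        raise ValueError(f"service and resource are required: {text!r}")
    return Arn(partition, service, region, account_id, resource)


def build_arn(service, resource_id, *, partition="aws", region="",
              account_id="", resource_type=None, type_separator="/"):
    """Assemble an ARN from its parts. Services that need a resource type
    (EC2 uses 'instance') pass it with the separator that service uses."""
    if partition not in KNOWN_PARTITIONS:
        raise ValueError(f"unknown partition {partition!r}")
    if resource_type is None:
        resource = resource_id
    else:
        resource = f"{resource_type}{type_separator}{resource_id}"
    return f"arn:{partition}:{service}:{region}:{account_id}:{resource}"


def split_resource(resource, separator):
    """Separate resource-type from resource-id using the separator the
    service uses ('/' for EC2, ':' for others). S3 has no resource type
    (the bucket name is the resource), so S3 resources are never split."""
    if separator not in resource:
        raise ValueError(f"no {separator!r} in resource {resource!r}")
    rtype, rid = resource.split(separator, 1)
    return rtype, rid


def _glob_to_regex(pattern):
    # Only '*' (any run of characters) and '?' (exactly one character) are
    # wildcards; every other character is matched literally.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    return re.compile(f"^{body}$")


def arn_matches(pattern, arn):
    """Does a wildcard ARN pattern cover a concrete ARN? Fields are compared
    one by one, so a wildcard never spans a colon (this example's rule)."""
    pat_fields, arn_fields = pattern.split(":", 5), arn.split(":", 5)
    if len(pat_fields) != 6 or len(arn_fields) != 6:
        return False
    return all(_glob_to_regex(p).match(a) is not None
               for p, a in zip(pat_fields, arn_fields))


if __name__ == "__main__":
    # The article's own values (12345 is the author's placeholder account ID).
    instance = build_arn("ec2", "i-060d319e74305c009", region="us-west-2",
                         account_id="12345", resource_type="instance")
    print(instance)
    print(parse_arn(instance))
    print(split_resource(parse_arn(instance).resource, "/"))
    print(arn_matches("arn:aws:ec2:us-west-2:12345:instance/*", instance))
```

Run `arn_matches` against each Resource pattern in a policy you are reviewing: a pattern that also matches an ARN in another account, region or bucket is an over-broad grant, and the field-by-field comparison makes it visible which segment the wildcard opened up.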

About the Author

Brien Posey is a 20-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.
