IAM identifiers - AWS Identity and Access Management (original) (raw)

IAM uses a few different identifiers for users, IAM groups, roles, policies, and server certificates. This section describes the identifiers and when you use each.

Friendly names and paths

When you create a user, a role, a user group, or a policy, or when you upload a server certificate, you give it a friendly name. Examples include Bob, TestApp1, Developers, ManageCredentialsPermissions, or ProdServerCert.

If you use the IAM API or AWS Command Line Interface (AWS CLI) to create IAM resources, you can add an optional path. You can use a single path, or nest multiple paths as a folder structure. For example, you could use the nested path /division_abc/subdivision_xyz/product_1234/engineering/ to match your company organizational structure. You could then create a policy to allow all users in that path to access the policy simulator API. To view this policy, see IAM: Access the policy simulator API based on user path. For information about how a friendly name can be specified, see the User API documentation. For additional examples of how you might use paths, see IAM ARNs.

When you use AWS CloudFormation to create resources, you can specify a path for users, IAM groups, and roles, and customer managed policies.

If you have a user and user group in the same path, IAM doesn't automatically put the user in that user group. For example, you might create a Developers user group and specify the path as /division_abc/subdivision_xyz/product_1234/engineering/. If you create a user named Bob and add the same path to him, this doesn't automatically put Bob in the Developers user group. IAM doesn't enforce any boundaries between users or IAM groups based on their paths. Users with different paths can use the same resources if they've been granted permission to those resources. The number and size of IAM resources in an AWS account are limited. For more information, see IAM and AWS STS quotas.

IAM ARNs

Most resources have a friendly name for example, a user named Bob or a user group named Developers. However, the permissions policy language requires you to specify the resource or resources using the following Amazon Resource Name (ARN) format.

arn:partition:service:region:account:resource

Where:

partition identifies the partition for the resource. For standard AWS Regions, the partition is aws. If you have resources in other partitions, the partition is aws-`partitionname`. For example, the partition for resources in the China (Beijing) Region is aws-cn. You cannot delegate access between accounts in different partitions.
service identifies the AWS product. IAM resources always useiam.
region identifies the Region of the resource. For IAM resources, this is always kept blank.
account specifies the AWS account ID with no hyphens.
resource identifies the specific resource by name.

You can specify IAM and AWS STS ARNs using the following syntax. The Region portion of the ARN is blank because IAM resources are global.

Syntax:

arn:aws:iam::account:root  
arn:aws:iam::account:user/user-name-with-path
arn:aws:iam::account:group/group-name-with-path
arn:aws:iam::account:role/role-name-with-path
arn:aws:iam::account:policy/policy-name-with-path
arn:aws:iam::account:instance-profile/instance-profile-name-with-path
arn:aws:sts::account:federated-user/user-name
arn:aws:sts::account:assumed-role/role-name/role-session-name
arn:aws:sts::account:self
arn:aws:iam::account:mfa/virtual-device-name-with-path
arn:aws:iam::account:u2f/u2f-token-id
arn:aws:iam::account:server-certificate/certificate-name-with-path
arn:aws:iam::account:saml-provider/provider-name
arn:aws:iam::account:oidc-provider/provider-name

Many of the following examples include paths in the resource part of the ARN. Paths cannot be created or manipulated in the AWS Management Console. To use paths, you must work with the resource by using the AWS API, the AWS CLI, or the Tools for Windows PowerShell.

Examples:

arn:aws:iam::123456789012:root
arn:aws:iam::123456789012:user/JohnDoe
arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/JaneDoe
arn:aws:iam::123456789012:group/Developers
arn:aws:iam::123456789012:group/division_abc/subdivision_xyz/product_A/Developers
arn:aws:iam::123456789012:role/S3Access
arn:aws:iam::123456789012:role/application_abc/component_xyz/RDSAccess
arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer
arn:aws:iam::123456789012:role/service-role/QuickSightAction
arn:aws:iam::123456789012:policy/UsersManageOwnCredentials
arn:aws:iam::123456789012:policy/division_abc/subdivision_xyz/UsersManageOwnCredentials
arn:aws:iam::123456789012:instance-profile/Webserver
arn:aws:sts::123456789012:federated-user/JohnDoe
arn:aws:sts::123456789012:assumed-role/Accounting-Role/JaneDoe
arn:aws:sts::123456789012:self
arn:aws:iam::123456789012:mfa/JaneDoeMFA
arn:aws:iam::123456789012:u2f/user/JohnDoe/default (U2F security key)
arn:aws:iam::123456789012:server-certificate/ProdServerCert
arn:aws:iam::123456789012:server-certificate/division_abc/subdivision_xyz/ProdServerCert
arn:aws:iam::123456789012:saml-provider/ADFSProvider
arn:aws:iam::123456789012:oidc-provider/GoogleProvider
arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/a1b2c3d4567890abcdefEXAMPLE11111
arn:aws:iam::123456789012:oidc-provider/server.example.org

The following examples provide more detail to help you understand the ARN format for different types of IAM and AWS STS resources.

An IAM user in the account:

Note

Each IAM user name is unique. The user name is case-insensitive for the user, such as during the sign in process, but is case-sensitive when you use it in a policy or as part of an ARN.

arn:aws:iam::123456789012:user/JohnDoe

Another user with a path reflecting an organization chart:

arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/JaneDoe

An IAM user group:

arn:aws:iam::123456789012:group/Developers

An IAM user group with a path:

arn:aws:iam::123456789012:group/division_abc/subdivision_xyz/product_A/Developers

An IAM role:

arn:aws:iam::123456789012:role/S3Access

A service-linked role:

arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer

A service role:

arn:aws:iam::123456789012:role/service-role/QuickSightAction

A managed policy:

arn:aws:iam::123456789012:policy/ManageCredentialsPermissions

An instance profile that can be associated with an Amazon EC2 instance:

arn:aws:iam::123456789012:instance-profile/Webserver

A federated user identified in IAM as "Paulo":

arn:aws:sts::123456789012:federated-user/Paulo

The active session of someone assuming the role of "Accounting-Role", with a role session name of "Mary":

arn:aws:sts::123456789012:assumed-role/Accounting-Role/Mary

Represents the caller's own session when used as a resource in an API call, such as the AWS STS SetContext API, that operates on the calling session:

arn:aws:sts::123456789012:self

The multi-factor authentication device assigned to the user named Jorge:

arn:aws:iam::123456789012:mfa/Jorge

A server certificate:

arn:aws:iam::123456789012:server-certificate/ProdServerCert

A server certificate with a path that reflects an organization chart:

arn:aws:iam::123456789012:server-certificate/division_abc/subdivision_xyz/ProdServerCert

Identity providers (SAML and OIDC):

arn:aws:iam::123456789012:saml-provider/ADFSProvider  
arn:aws:iam::123456789012:oidc-provider/GoogleProvider  
arn:aws:iam::123456789012:oidc-provider/server.example.org

OIDC identity provider with a path that reflects an Amazon EKS OIDC identity provider URL:

arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/a1b2c3d4567890abcdefEXAMPLE11111

Another important ARN is the root user ARN. Although this is not an IAM resource, you should be familiar with the format of this ARN. It is often used in the Principal element of a resource-based policy.

The AWS account displays the following:

arn:aws:iam::123456789012:root

The following example shows a policy you could assign to Richard to allow him to manage his access keys. Notice that the resource is the IAM user Richard.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ManageRichardAccessKeys",
            "Effect": "Allow",
            "Action": [
                "iam:*AccessKey*",
                "iam:GetUser"
            ],
            "Resource": "arn:aws:iam::*:user/division_abc/subdivision_xyz/Richard"
        },
        {
            "Sid": "ListForConsole",
            "Effect": "Allow",
            "Action": "iam:ListUsers",
            "Resource": "*"
        }
    ]
}

Note

When you use ARNs to identify resources in an IAM policy, you can include_policy variables_. Policy variables can include placeholders for runtime information (such as the user's name) as part of the ARN. For more information, seeIAM policy elements: Variables and tags

Using wildcards and paths in ARNs

You can use wildcards in the resource portion of the ARN to specify multiple users or IAM groups or policies. For example, to specify all users working on product_1234, you use:

arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/product_1234/*

If you have users whose names start with the string app_, you could refer to them all with the following ARN.

arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/product_1234/app_*

To specify all users, IAM groups, or policies in your AWS account, use a wildcard after the user/, group/, or policy/ part of the ARN, respectively.

arn:aws:iam::123456789012:user/*
arn:aws:iam::123456789012:group/*
arn:aws:iam::123456789012:policy/*

If you specify the following ARN for a userarn:aws:iam::111122223333:user/* it matches both of the following examples.

arn:aws:iam::111122223333:user/JohnDoe
arn:aws:iam::111122223333:user/division_abc/subdivision_xyz/JaneDoe

But, if you specify the following ARN for a userarn:aws:iam::111122223333:user/division_abc* it matches the second example, but not the first.

arn:aws:iam::111122223333:user/JohnDoe
arn:aws:iam::111122223333:user/division_abc/subdivision_xyz/JaneDoe

Don't use a wildcard in the user/, group/, orpolicy/ part of the ARN. For example, IAM does not allow the following:

arn:aws:iam::123456789012:u*

Example use of paths and ARNs for a project-based user group

Paths cannot be created or manipulated in the AWS Management Console. To use paths you must work with the resource by using the AWS API, the AWS CLI, or the Tools for Windows PowerShell.

In this example, Jules in the Marketing_Admin user group creates a project-based user group within the /marketing/ path. Jules assigns users from different parts of the company to the user group. This example illustrates that a user's path isn't related to the user groups the user is in.

The marketing group has a new product they'll be launching, so Jules creates a new user group in the /marketing/ path called Widget_Launch. Jules then assigns the following policy to the user group, which gives the user group access to objects in the part of theexample_bucket that is designated to this particular launch.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example_bucket/marketing/newproductlaunch/widget/*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket*",
      "Resource": "arn:aws:s3:::example_bucket",
      "Condition": {"StringLike": {"s3:prefix": "marketing/newproductlaunch/widget/*"}}
    }
  ]
}

Jules then assigns the users who are working on this launch to the user group. This includes Patricia and Eli from the /marketing/ path. It also includes Chris and Chloe from the /sales/ path, and Alice and Jim from the /legal/ path.

Unique identifiers

When IAM creates a user, user group, role, policy, instance profile, or server certificate, it assigns a unique ID to each resource. The unique ID looks like this:

AIDAJQABLZS4A3QDU576Q

For the most part, you use friendly names and ARNs when you work with IAM resources. That way you don't need to know the unique ID for a specific resource. However, the unique ID can sometimes be useful when it isn't practical to use friendly names.

One example reuses friendly names in your AWS account. Within your account, a friendly name for a user, user group, role, or policy must be unique. For example, you might create an IAM user named John. Your company uses Amazon S3 and has a bucket with folders for each employee. IAM user John is a member of an IAM user group named User-S3-Access with permissions that allows users access only to their own folders in the bucket. For an example of how you might create an identity-based policy that allows IAM users to access their own bucket object in S3 using the friendly name of users, see Amazon S3: Allows IAM users access to their S3 home directory, programmatically and in the console.

Suppose that the employee named John leaves your company and you delete the corresponding IAM user named John. But later another employee named John starts, and you create a new IAM user named John. You add the new IAM user named John to the existing IAM user group User-S3-Access. If the policy associated to the user group specifies the friendly IAM user name John, the policy allows the new John to access information that was left by the former John.

In general, we recommend that you specify the ARN for the resource in your policies instead of its unique ID. However, every IAM user has a unique ID, even if you create a new IAM user that reuses a friendly name you deleted before. In the example, the old IAM userJohn and the new IAM user John have different unique IDs. You can create resource-based policies that grant access by unique ID and not just by user name. Doing so reduces the chance that you could inadvertently grant access to information that an employee should not have.

The following example shows how you might specify unique IDs in the Principal element of a resource-based policy.

"Principal": {
  "AWS": [
    "arn:aws:iam::111122223333:role/role-name",
    "AIDACKCEVSQ6C2EXAMPLE",
    "AROADBQP57FF2AEXAMPLE"
  }

The following example shows how you might specify unique IDs in the Condition element of a policy using global condition key aws:userid.

"Condition": {
    "StringLike": {
      "aws:userId": [
        "AIDACKCEVSQ6C2EXAMPLE",
        "AROADBQP57FF2AEXAMPLE:role-session-name",
        "AROA1234567890EXAMPLE:*",
        "111122223333"
      ]
    }
  }

Another example where user IDs can be useful is if you maintain your own database (or other store) of IAM user or role information. The unique ID can provide a unique identifier for each IAM user or role you create. This is the case when you have IAM users or roles that reuse a name, as in the previous example.

Understanding unique ID prefixes

IAM uses the following prefixes to indicate what type of resource each unique ID applies to. Prefixes may vary based on when they were created.

Prefix	Resource type
ABIA	AWS STS service bearer token
ACCA	Context-specific credential
AGPA	User group
AIDA	IAM user
AIPA	Amazon EC2 instance profile
AKIA	Access key
ANPA	Managed policy
ANVA	Version in a managed policy
APKA	Public key
AROA	Role
ASCA	Certificate
ASIA	Temporary (AWS STS) access key IDs use this prefix, but are unique only in combination with the secret access key and the session token.

Getting the unique identifier

The unique ID for an IAM resource is not available in the IAM console. To get the unique ID, you can use the following AWS CLI commands or IAM API calls.

AWS CLI:

IAM API: