IAM identifiers
IAM uses a few different identifiers for users, IAM groups, roles, policies, and server certificates. This section describes the identifiers and when you use each.
Friendly names and paths
When you create a user, a role, a user group, or a policy, or when you upload a server certificate, you give it a friendly name. Examples include Bob, TestApp1, Developers, ManageCredentialsPermissions, or ProdServerCert.
If you use the IAM API or AWS Command Line Interface (AWS CLI) to create IAM resources, you can add an
optional path. You can use a single path, or nest multiple paths as a folder structure. For
example, you could use the nested path /division_abc/subdivision_xyz/product_1234/engineering/
to
match your company organizational structure. You could then create a policy to allow all users
in that path to access the policy simulator API. To view this policy, see IAM: Access the policy
simulator API based on user path. For information about how
a friendly name can be specified, see the User API
documentation. For additional examples of how you might use paths, see IAM ARNs.
When you use AWS CloudFormation to create resources, you can specify a path for users, IAM groups, and roles, and customer managed policies.
If you have a user and user group in the same path, IAM doesn't automatically put the
user in that user group. For example, you might create a Developers user group and specify the
path as /division_abc/subdivision_xyz/product_1234/engineering/
. If you create a user named Bob
and add the same path to him, this doesn't automatically put Bob in the Developers user group.
IAM doesn't enforce any boundaries between users or IAM groups based on their paths.
Users with different paths can use the same resources if they've been granted permission to
those resources. The number and size of IAM resources in an AWS account are limited. For more information, see IAM and AWS STS quotas.
IAM ARNs
Most resources have a friendly name for example, a user named Bob
or a user
group named Developers
. However, the permissions policy language requires you to
specify the resource or resources using the following Amazon Resource Name
(ARN) format.
arn:partition
:service
:region
:account
:resource
Where:
-
partition
identifies the partition for the resource. For standard AWS Regions, the partition isaws
. If you have resources in other partitions, the partition isaws-
. For example, the partition for resources in the China (Beijing) Region ispartitionname
aws-cn
. You cannot delegate access between accounts in different partitions. -
service
identifies the AWS product. IAM resources always useiam
. -
region
identifies the Region of the resource. For IAM resources, this is always kept blank. -
account
specifies the AWS account ID with no hyphens. -
resource
identifies the specific resource by name.
You can specify IAM and AWS STS ARNs using the following syntax. The Region portion of the ARN is blank because IAM resources are global.
Syntax:
arn:aws:iam::
account
:root arn:aws:iam::account
:user/user-name-with-path
arn:aws:iam::account
:group/group-name-with-path
arn:aws:iam::account
:role/role-name-with-path
arn:aws:iam::account
:policy/policy-name-with-path
arn:aws:iam::account
:instance-profile/instance-profile-name-with-path
arn:aws:sts::account
:federated-user/user-name
arn:aws:sts::account
:assumed-role/role-name
/role-session-name
arn:aws:sts::account
:self arn:aws:iam::account
:mfa/virtual-device-name-with-path
arn:aws:iam::account
:u2f/u2f-token-id
arn:aws:iam::account
:server-certificate/certificate-name-with-path
arn:aws:iam::account
:saml-provider/provider-name
arn:aws:iam::account
:oidc-provider/provider-name
Many of the following examples include paths in the resource part of the ARN. Paths cannot be created or manipulated in the AWS Management Console. To use paths, you must work with the resource by using the AWS API, the AWS CLI, or the Tools for Windows PowerShell.
Examples:
arn:aws:iam::123456789012:root arn:aws:iam::123456789012:user/JohnDoe arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/JaneDoe arn:aws:iam::123456789012:group/Developers arn:aws:iam::123456789012:group/division_abc/subdivision_xyz/product_A/Developers arn:aws:iam::123456789012:role/S3Access arn:aws:iam::123456789012:role/application_abc/component_xyz/RDSAccess arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer arn:aws:iam::123456789012:role/service-role/QuickSightAction arn:aws:iam::123456789012:policy/UsersManageOwnCredentials arn:aws:iam::123456789012:policy/division_abc/subdivision_xyz/UsersManageOwnCredentials arn:aws:iam::123456789012:instance-profile/Webserver arn:aws:sts::123456789012:federated-user/JohnDoe arn:aws:sts::123456789012:assumed-role/Accounting-Role/JaneDoe arn:aws:sts::123456789012:self arn:aws:iam::123456789012:mfa/JaneDoeMFA arn:aws:iam::123456789012:u2f/user/JohnDoe/default (U2F security key) arn:aws:iam::123456789012:server-certificate/ProdServerCert arn:aws:iam::123456789012:server-certificate/division_abc/subdivision_xyz/ProdServerCert arn:aws:iam::123456789012:saml-provider/ADFSProvider arn:aws:iam::123456789012:oidc-provider/GoogleProvider arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/a1b2c3d4567890abcdefEXAMPLE11111 arn:aws:iam::123456789012:oidc-provider/server.example.org
The following examples provide more detail to help you understand the ARN format for different types of IAM and AWS STS resources.
-
An IAM user in the account:
Note
Each IAM user name is unique. The user name is case-insensitive for the user, such as during the sign in process, but is case-sensitive when you use it in a policy or as part of an ARN.
arn:aws:iam::123456789012:user/JohnDoe
-
Another user with a path reflecting an organization chart:
arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/JaneDoe
-
An IAM user group:
arn:aws:iam::123456789012:group/Developers
-
An IAM user group with a path:
arn:aws:iam::123456789012:group/division_abc/subdivision_xyz/product_A/Developers
-
An IAM role:
arn:aws:iam::123456789012:role/S3Access
-
arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer
-
A service role:
arn:aws:iam::123456789012:role/service-role/QuickSightAction
-
A managed policy:
arn:aws:iam::123456789012:policy/ManageCredentialsPermissions
-
An instance profile that can be associated with an Amazon EC2 instance:
arn:aws:iam::123456789012:instance-profile/Webserver
-
A federated user identified in IAM as "Paulo":
arn:aws:sts::123456789012:federated-user/Paulo
-
The active session of someone assuming the role of "Accounting-Role", with a role session name of "Mary":
arn:aws:sts::123456789012:assumed-role/Accounting-Role/Mary
-
Represents the caller's own session when used as a resource in an API call, such as the AWS STS SetContext API, that operates on the calling session:
arn:aws:sts::123456789012:self
-
The multi-factor authentication device assigned to the user named Jorge:
arn:aws:iam::123456789012:mfa/Jorge
-
A server certificate:
arn:aws:iam::123456789012:server-certificate/ProdServerCert
-
A server certificate with a path that reflects an organization chart:
arn:aws:iam::123456789012:server-certificate/division_abc/subdivision_xyz/ProdServerCert
-
Identity providers (SAML and OIDC):
arn:aws:iam::123456789012:saml-provider/ADFSProvider arn:aws:iam::123456789012:oidc-provider/GoogleProvider arn:aws:iam::123456789012:oidc-provider/server.example.org
-
OIDC identity provider with a path that reflects an Amazon EKS OIDC identity provider URL:
arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/a1b2c3d4567890abcdefEXAMPLE11111
Another important ARN is the root user ARN. Although this is not an IAM resource, you should be familiar with the format of this ARN. It is often used in the Principal element of a resource-based policy.
-
The AWS account displays the following:
arn:aws:iam::123456789012:root
The following example shows a policy you could assign to Richard to allow him to manage his access keys. Notice that the resource is the IAM user Richard.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ManageRichardAccessKeys", "Effect": "Allow", "Action": [ "iam:*AccessKey*", "iam:GetUser" ], "Resource": "arn:aws:iam::*:user/division_abc/subdivision_xyz/Richard" }, { "Sid": "ListForConsole", "Effect": "Allow", "Action": "iam:ListUsers", "Resource": "*" } ] }
Note
When you use ARNs to identify resources in an IAM policy, you can include policy variables. Policy variables can include placeholders for runtime information (such as the user's name) as part of the ARN. For more information, see IAM policy elements: Variables and tags
Using wildcards and paths in ARNs
You can use wildcards in the resource
portion of the ARN to
specify multiple users or IAM groups or policies. For example, to specify all users working
on product_1234, you use:
arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/product_1234/*
If you have users whose names start with the string app_
, you could refer
to them all with the following ARN.
arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/product_1234/app_*
To specify all users, IAM groups, or policies in your AWS account, use a wildcard
after the user/
, group/
, or policy/
part of the ARN,
respectively.
arn:aws:iam::123456789012:user/* arn:aws:iam::123456789012:group/* arn:aws:iam::123456789012:policy/*
If you specify the following ARN for a user
arn:aws:iam::111122223333:user/*
it matches both of the
following examples.
arn:aws:iam::111122223333:user/JohnDoe arn:aws:iam::111122223333:user/division_abc/subdivision_xyz/JaneDoe
But, if you specify the following ARN for a user
arn:aws:iam::111122223333:user/division_abc*
it matches the
second example, but not the first.
arn:aws:iam::111122223333:user/JohnDoe arn:aws:iam::111122223333:user/division_abc/subdivision_xyz/JaneDoe
Don't use a wildcard in the user/
, group/
, or
policy/
part of the ARN. For example, IAM does not allow the
following:
arn:aws:iam::123456789012:u*
Example use of paths and ARNs for a project-based user group
Paths cannot be created or manipulated in the AWS Management Console. To use paths you must work with the resource by using the AWS API, the AWS CLI, or the Tools for Windows PowerShell.
In this example, Jules in the Marketing_Admin user group creates a project-based user group within the /marketing/ path. Jules assigns users from different parts of the company to the user group. This example illustrates that a user's path isn't related to the user groups the user is in.
The marketing group has a new product they'll be launching, so Jules creates a new
user group in the /marketing/ path called Widget_Launch. Jules then assigns the following
policy to the user group, which gives the user group access to objects in the part of the
example_bucket
that is designated to this particular launch.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example_bucket/marketing/newproductlaunch/widget/*" }, { "Effect": "Allow", "Action": "s3:ListBucket*", "Resource": "arn:aws:s3:::example_bucket", "Condition": {"StringLike": {"s3:prefix": "marketing/newproductlaunch/widget/*"}} } ] }
Jules then assigns the users who are working on this launch to the user group. This includes Patricia and Eli from the /marketing/ path. It also includes Chris and Chloe from the /sales/ path, and Alice and Jim from the /legal/ path.
Unique identifiers
When IAM creates a user, user group, role, policy, instance profile, or server certificate, it assigns a unique ID to each resource. The unique ID looks like this:
AIDAJQABLZS4A3QDU576Q
For the most part, you use friendly names and ARNs when you work with IAM resources. That way you don't need to know the unique ID for a specific resource. However, the unique ID can sometimes be useful when it isn't practical to use friendly names.
One example reuses friendly names in your AWS account. Within your account, a friendly
name for a user, user group, role, or policy must be unique. For example, you might create an
IAM user named John
. Your company uses Amazon S3 and has a bucket with
folders for each employee. IAM user John
is a member of an IAM
user group named User-S3-Access
with permissions that allows users access only to
their own folders in the bucket. For an example of how you might create an identity-based
policy that allows IAM users to access their own bucket object in S3 using the friendly name
of users, see Amazon S3: Allows
IAM users access to their S3 home directory, programmatically and in the
console.
Suppose that the employee named John leaves your company and you delete the
corresponding IAM user named John
. But later another employee named
John starts, and you create a new IAM user named John
.
You add the new IAM user named John
to the existing IAM user
group User-S3-Access
. If the policy associated to the user group specifies the
friendly IAM user name John
, the policy allows the new
John to access information that was left by the former John.
In general, we recommend that you specify the ARN for the resource in your policies
instead of its unique ID. However, every IAM user has a unique ID, even if you create a new
IAM user that reuses a friendly name you deleted before. In the example, the old IAM user
John
and the new IAM user John
have
different unique IDs. You can create resource-based policies that grant access by unique ID
and not just by user name. Doing so reduces the chance that you could inadvertently grant
access to information that an employee should not have.
The following example shows how you might specify unique IDs in the Principal element of a resource-based policy.
"Principal": { "AWS": [ "arn:aws:iam::
111122223333
:role/role-name
", "AIDACKCEVSQ6C2EXAMPLE
", "AROADBQP57FF2AEXAMPLE
" }
The following example shows how you might specify unique IDs in the Condition element of a policy using global condition key aws:userid.
"Condition": { "StringLike": { "aws:userId": [ "
AIDACKCEVSQ6C2EXAMPLE
", "AROADBQP57FF2AEXAMPLE
:role-session-name
", "AROA1234567890EXAMPLE
:*
", "111122223333
" ] } }
Another example where user IDs can be useful is if you maintain your own database (or other store) of IAM user or role information. The unique ID can provide a unique identifier for each IAM user or role you create. This is the case when you have IAM users or roles that reuse a name, as in the previous example.
Understanding unique ID prefixes
IAM uses the following prefixes to indicate what type of resource each unique ID applies to. Prefixes may vary based on when they were created.
Prefix | Resource type |
---|---|
ABIA | AWS STS service bearer token |
ACCA | Context-specific credential |
AGPA |
User group |
AIDA |
IAM user |
AIPA | Amazon EC2 instance profile |
AKIA | Access key |
ANPA |
Managed policy |
ANVA |
Version in a managed policy |
APKA | Public key |
AROA | Role |
ASCA | Certificate |
ASIA |
Temporary (AWS STS) access key IDs use this prefix, but are unique only in combination with the secret access key and the session token. |
Getting the unique identifier
The unique ID for an IAM resource is not available in the IAM console. To get the unique ID, you can use the following AWS CLI commands or IAM API calls.
AWS CLI:
IAM API: