ARN Formats
ARNs are delimited by colons and composed of segments, which are the parts separated by colons (:). The specific components and values used in the segments of an ARN depend on which AWS service the ARN is for. The following examples show how ARNs are constructed.
arn:partition:service:region:account-id:resource-id
arn:partition:service:region:account-id:resource-type/resource-id
arn:partition:service:region:account-id:resource-type:resource-id
These ARNs contain the following segments:

partition – The partition that the resource is in. For standard AWS Regions, the partition is aws. If you have resources in other partitions, the partition is aws-partitionname. For example, the partition for resources in the China (Beijing) Region is aws-cn.

service – The service namespace that identifies the AWS product. For example, quicksight identifies Amazon QuickSight, s3 identifies Amazon S3, iam identifies IAM, and so on.

region – The AWS Region that the resource resides in. The ARNs for some resources don't require an AWS Region, so this component might be omitted in some cases, like in the case of S3. Amazon QuickSight ARNs require an AWS Region.

account-id – The ID of the AWS account that owns the resource. When you use the account number in an ARN or an API operation, you omit the hyphens (for example, 123456789012). The ARNs for some resources don't require an account number, so this component might be omitted. Amazon QuickSight ARNs require an AWS account number. However, the account number and the AWS Region are omitted from S3 bucket ARNs, as shown following.

arn:aws:s3:::bucket_name
arn:aws:s3:::bucket_name/key_name

resource or resource-type – The content of this part of the ARN varies by service. A resource identifier can be the name or ID of the resource (for example, user/Bob or instance/i-1234567890abcdef0) or a resource path. For example, some resource identifiers include a parent resource (resource-type/parent-resource/sub-resource-type/sub-resource) or a qualifier such as a version (resource-type:resource-name:qualifier).
Some resource ARNs can include a path, a variable, or a wildcard. You can use wildcard characters (* and ?) within any ARN segment. An asterisk (*) represents any combination of zero or more characters, and a question mark (?) represents any single character. You can use multiple * or ? characters in each segment. If you are using the ARN for permissions, avoid using * wildcards if possible, to limit access to only the required elements. Following are some examples of using paths, wildcards, and variables.

For the following example, we use an S3 ARN. You might use this when you give permissions to S3 in an IAM policy. This S3 ARN specifies a path and a file.
Note
The term key name is used to describe what looks like a path and file after bucketname/. These are called key names because a bucket doesn't actually contain folder structures like those used in your computer's file system. Instead, the slash (/) is a delimiter that helps to make the organization of the bucket more intuitive. In this case, the bucket name is examplebucket, and the key name is developers/design_info.doc.

arn:aws:s3:::examplebucket/my-data/sales-export-2019-q4.json
If you want to identify all the objects in the bucket, you can use a wildcard to indicate that all key names (or paths and files) are included in the ARN, as follows.

arn:aws:s3:::examplebucket/*

You can use part of a key name plus the wildcard to identify all the objects that begin with a specific pattern. In this case, it resembles a folder name plus a wildcard, as shown following. However, this ARN also includes any "subfolders" inside of my-data.

arn:aws:s3:::examplebucket/my-data/*

You can specify a partial name by adding a wildcard. This one identifies any objects beginning with my-data/sales-export*.

arn:aws:s3:::examplebucket/my-data/sales-export*

In this case, using this wildcard includes the objects with names like the following:
- my-data/sales-export-1.xlsx
- my-data/sales-export-new.txt
- my-data/sales-export-2019/file1.txt

You can use wildcards of both types (asterisks and question marks) in combination or separately, as shown following.

arn:aws:s3:::examplebucket/my-data/sales-export-2019-q?.*
arn:aws:s3:::examplebucket/my-data/sales-export-20??-q?.*

Or, if you want to future-proof the ARN, you can replace the entire year with a wildcard, rather than just using wildcards for the last two digits.

arn:aws:s3:::examplebucket/my-data/sales-export-????-q?.*
arn:aws:s3:::examplebucket/my-data/sales-export-*-q?.*
To read more about S3 ARNs, see Specifying Resources in a Policy and Object Key and Metadata in the Amazon Simple Storage Service User Guide.
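The segment layout and the wildcard rules above, worked through in a small added example that is not part of the AWS documentation: it splits an ARN into its six colon-delimited segments (the resource segment may itself contain colons, and S3 leaves region and account-id empty), then applies * and ? matching to the page's S3 patterns against a constructed list of object keys. The function names and the sample keys are this example's own, and it shows that an asterisk also matches across slashes, which is why /my-data/* reaches into "subfolders".

```python
import re
from dataclasses import dataclass
from typing import List

# Hypothetical helper, not from the AWS documentation: splits an ARN into its
# colon-delimited segments and applies IAM-style wildcard matching.

@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str      # empty for services whose ARNs omit it, such as S3
    account_id: str  # empty in S3 bucket and object ARNs
    resource: str    # resource-id, resource-type/resource-id or resource-type:resource-id

def parse_arn(arn: str) -> Arn:
    """Split on the first five colons only; the resource segment may itself contain colons."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return Arn(*parts[1:])

def arn_matches(pattern: str, candidate: str) -> bool:
    """'*' matches zero or more characters (including '/' and ':'), '?' exactly one.
    The match is case-sensitive and must cover the whole ARN."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, candidate) is not None

def matching_keys(pattern_arn: str, bucket_arn: str, keys: List[str]) -> List[str]:
    """Object keys in the bucket whose object ARN (bucket ARN + '/' + key) matches the pattern."""
    return [k for k in keys if arn_matches(pattern_arn, f"{bucket_arn}/{k}")]

# Constructed sample keys: the page's examples plus two that should not match.
SAMPLE_KEYS = [
    "my-data/sales-export-2019-q4.json",
    "my-data/sales-export-1.xlsx",
    "my-data/sales-export-new.txt",
    "my-data/sales-export-2019/file1.txt",
    "my-data/archive/sales-export-2018-q1.csv",
    "other/sales-export-2019-q4.json",
]

if __name__ == "__main__":
    bucket = "arn:aws:s3:::examplebucket"
    for pat in ("/*", "/my-data/*", "/my-data/sales-export*", "/my-data/sales-export-????-q?.*"):
        print(bucket + pat, "->", matching_keys(bucket + pat, bucket, SAMPLE_KEYS))
```

Running it lists, for each pattern, exactly which keys an IAM resource element written that way would cover; comparing the /my-data/* and /my-data/sales-export-????-q?.* results shows how much a single * widens the grant.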