← All posts
2 min read

Understand IAM Resource ARNs

#aws#cli#iam#security#identity
📑 On this page

Part 106 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.

What we are learning

The Resource element scopes where an action can operate. Every AWS service defines which resource types each action supports.

Before you run it

aws sts get-caller-identity
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
USER_NAME="aws-zero-learner"
GROUP_NAME="aws-zero-readers"
ROLE_NAME="aws-zero-demo-role"

IAM is global rather than regional. Use a sandbox account and a delegated administrator identity, never root access keys.

The command

ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
printf '%s
' \
  "arn:aws:s3:::example-bucket" \
  "arn:aws:s3:::example-bucket/private/*" \
  "arn:aws:iam::$ACCOUNT_ID:role/aws-zero-demo-role" \
  "arn:aws:iam::$ACCOUNT_ID:policy/AwsZeroListBuckets"

S3 bucket ARNs omit account and Region; IAM ARNs include the account ID.

Inspect the result

aws iam get-role \
  --role-name "$ROLE_NAME" \
  --query "Role.Arn" \
  --output text

Read the returned ARN, path, IDs, and attachment state instead of checking only the command exit code.

One tiny variation

aws iam get-policy \
  --policy-arn "arn:aws:iam::$ACCOUNT_ID:policy/AwsZeroListBuckets" \
  --query "Policy.Arn" \
  --output text

Let AWS return canonical ARNs when possible instead of assembling them from memory.

Common mistake

A wildcard resource is not always avoidable, but it should be justified action by action. Some list or identity APIs do not support resource-level scoping.

Cleanup

# This lesson is read-only or reuses a named demo identity.
aws sts get-caller-identity

Keep shared demo identities only while following the IAM sequence. Part 125 removes them in dependency order.

Next, we will learn Restrict an IAM policy by source IP.

Official AWS CLI reference