Breaking Down the ARN Structure
Every AWS ARN follows a strict, predictable format: arn:partition:service:region:account-id:resource. While simple in theory, real-world variations make parsing complex. This guide dissects each segment with clarity and precision.
The 6 Core Components
Let’s examine a typical EC2 ARN:
arn:aws:ec2:us-east-1:123456789012:instance/i-0abcd1234efgh5678
1. Partition (aws)
The AWS partition. Common values:
- aws – Standard global regions
- aws-cn – China (Beijing and Ningxia)
- aws-us-gov – AWS GovCloud
- aws-iso – Isolated regions (e.g., C2S)
2. Service (ec2)
The AWS service name. Over 200 exist, including s3, lambda, iam, dynamodb, etc. Always lowercase, no hyphens.
3. Region (us-east-1)
Optional for global services (S3, IAM). Required for regional ones (EC2, RDS). Empty string allowed in some S3 ARNs.
4. Account ID (123456789012)
Your 12-digit AWS account. Omitted in some S3 and IAM ARNs. Never includes hyphens.
5. Resource (instance/i-0abcd1234efgh5678)
The most variable part. May include:
- type/id – e.g., instance/i-abc123
- path/to/resource – e.g., object/key/name.txt
- Qualifiers – e.g., function:my-function:prod
Edge Cases & Variations
Not all ARNs fit the 6-part mold:
- arn:aws:s3:::my-bucket → region and account omitted
- arn:aws:iam::123456789012:role/MyRole → region omitted
- arn:aws:execute-api:us-west-2:*:abc123/*/GET/pets → wildcards allowed
FAQ
Why is the region sometimes empty?
Global services like S3 and IAM operate independently of region. The field is present but empty.
Can resource paths contain colons?
Yes. After the 5th colon, everything is part of the resource. Use :* in policies for wildcards.
Are ARNs URL-encoded?
No. Use them as-is in APIs and policies. Encoding breaks validation.
This parser handles all ARN variations — from simple S3 buckets to complex Lambda qualifiers — with 100% accuracy.
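An added example (not the parser this page refers to, and not AWS code): a minimal Python parser for the format above that splits on only the first five colons, so the edge cases and colon-bearing resources described earlier stay intact. The prefix/rest split, the has_wildcard flag, and acceptance of the literal account value aws (used in AWS-managed IAM policy ARNs) are assumptions of this example.

```python
import re
from typing import NamedTuple

class Arn(NamedTuple):
    partition: str
    service: str
    region: str        # "" for global services
    account_id: str    # "" when omitted, "*" when wildcarded
    resource: str      # everything after the 5th colon, colons included
    prefix: str        # text before the first "/" or ":" in resource, else ""
    rest: str          # remainder of resource after that separator
    has_wildcard: bool

# Partitions listed on the page; rejecting others is this example's choice.
PARTITIONS = {"aws", "aws-cn", "aws-us-gov", "aws-iso"}
# 12 digits, empty, "*", or the literal "aws" (AWS-managed IAM policies).
ACCOUNT_RE = re.compile(r"\d{12}|\*|aws|")
# Heuristic: for most services the prefix is a resource type (instance,
# role, function); for execute-api it is the API id.
RESOURCE_RE = re.compile(r"([^/:]+)[/:](.+)")

def parse_arn(text: str) -> Arn:
    if any(ch.isspace() for ch in text):
        raise ValueError("ARN must not contain whitespace")
    # maxsplit=5 keeps colons inside the resource intact.
    parts = text.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError("expected arn:partition:service:region:account-id:resource")
    _, partition, service, region, account_id, resource = parts
    if partition not in PARTITIONS:
        raise ValueError(f"unknown partition: {partition!r}")
    if not service or not resource:
        raise ValueError("service and resource are required")
    if not ACCOUNT_RE.fullmatch(account_id):
        raise ValueError(f"bad account id: {account_id!r}")
    m = RESOURCE_RE.fullmatch(resource)
    prefix, rest = (m.group(1), m.group(2)) if m else ("", resource)
    wildcard = "*" in region or "*" in account_id or "*" in resource
    return Arn(partition, service, region, account_id, resource, prefix, rest, wildcard)

# Constructed sample: a Lambda ARN built from the page's qualifier form.
LAMBDA_SAMPLE = "arn:aws:lambda:us-east-1:123456789012:function:my-function:prod"

if __name__ == "__main__":
    for sample in ("arn:aws:s3:::my-bucket", LAMBDA_SAMPLE):
        print(parse_arn(sample))
```

When reviewing policies, has_wildcard gives a quick way to flag ARNs that match more than one resource or account.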