亚马逊资源名称 (ARN) 和 AWS 服务命名空间

亚马逊资源名称 (ARN) 和 AWS 服务命名空间

亚马逊资源名称 (ARN) 唯一标识 AWS 资源。当您需要在 AWS 全局环境中（比如在 IAM 策略、Amazon Relational Database Service (Amazon RDS) 标签和 API 调用中）明确指定一项资源时，我们要求使用 ARN。

Topics

ARN 格式
示例 ARN
ARN 中的路径
AWS 服务命名空间

ARN 格式

下面是一些示例 ARN：

<!-- Elastic Beanstalk application version -->

arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/MyEnvironment

arn:aws:iam::123456789012:user/David

arn:aws:rds:eu-west-1:001234567890:db:mysql-db

arn:aws:s3:::my_corporate_bucket/*

以下是 ARN 的一般格式；所用的具体组成部分和值取决于 AWS 服务。

arn:partition:service:region:account:resource
arn:partition:service:region:account:resourcetype/resource
arn:partition:service:region:account:resourcetype:resource

分区

资源所处的分区。对于标准 AWS 区域，分区是 aws。如果资源位于其他分区，则分区是 aws-partitionname。例如，位于中国（北京）区域的资源的分区为 aws-cn。

service

标识 AWS 产品（例如，Amazon S3、IAM 或 Amazon RDS）的服务命名空间。有关命名空间的列表，请参阅 AWS 服务命名空间。

区域

资源所在的区域。请注意，一些资源的 ARN 不需要区域，因此，该组成部分可能会被省略。

账户

拥有资源的 AWS 账户 ID 不含连字符。例如，123456789012。请注意，一些资源的 ARN 不需要账号，因此，该组成部分可能会被省略。

resource、resourcetype:resource 或 resourcetype/resource

ARN 这部分的内容因服务而异。它通常包括资源类型（例如，IAM 用户或 Amazon RDS 数据库）的指示符，后跟一个斜杠 [/] 或冒号 [:]，后跟资源名称本身。如 ARN 中的路径 中所述，一些服务允许为资源名称指定路径。

示例 ARN

以下部分针对不同的服务提供了 ARN 的语法和示例。有关在特定 AWS 服务中使用 ARN 的更多信息，请参阅针对该服务的文档。

Topics

Amazon CloudSearch
Amazon DynamoDB
Amazon ElastiCache
Amazon Elastic Compute Cloud (Amazon EC2)
Amazon EC2 Container Service (Amazon ECS)
Amazon Elastic Transcoder
Amazon Glacier
Amazon Machine Learning
Amazon Redshift
Amazon Relational Database Service (Amazon RDS)
Amazon Route 53
Amazon Simple Notification Service (Amazon SNS)
Amazon Simple Queue Service (Amazon SQS)
Amazon Simple Storage Service (Amazon S3)
Amazon Simple Workflow Service (Amazon SWF)
Auto Scaling
AWS CodeDeploy
AWS CloudFormation
Elastic Beanstalk
AWS Identity and Access Management (IAM)
AWS Storage Gateway
AWS Trusted Advisor
Elastic Load Balancing

Amazon CloudSearch

语法:

arn:aws:cloudsearch:region:account:domain/domainname

例如：

arn:aws:cloudsearch:us-east-1:123456789012:domain/imdb-movies

Amazon DynamoDB

语法:

arn:aws:dynamodb:region:account:table/tablename

例如：

arn:aws:dynamodb:us-east-1:123456789012:table/books_table

Amazon ElastiCache

语法:

arn:aws:elasticache:region:account:resourcetype:resourcename

例如：

arn:aws:elasticache:us-west-2:123456789012:cluster:myCluster
arn:aws:elasticache:us-west-2:123456789012:snapshot:mySnapshot

Amazon Elastic Compute Cloud (Amazon EC2)

语法:

arn:aws:ec2:region:account:customer-gateway/cgw-id
arn:aws:ec2:region:account:dhcp-options/dhcp-options-id
arn:aws:ec2:region::image/image-id
arn:aws:ec2:region:account:instance/instance-id
arn:aws:iam::account:instance-profile/instance-profile-name
arn:aws:ec2:region:account:internet-gateway/igw-id
arn:aws:ec2:region:account:key-pair/key-pair-name
arn:aws:ec2:region:account:network-acl/nacl-id
arn:aws:ec2:region:account:network-interface/eni-id
arn:aws:ec2:region:account:placement-group/placement-group-name
arn:aws:ec2:region:account:route-table/route-table-id
arn:aws:ec2:region:account:security-group/security-group-id
arn:aws:ec2:region::snapshot/snapshot-id
arn:aws:ec2:region:account:subnet/subnet-id
arn:aws:ec2:region:account:volume/volume-id
arn:aws:ec2:region:account:vpc/vpc-id
arn:aws:ec2:region:account:vpc-peering-connection/vpc-peering-connection-id

示例：

arn:aws:ec2:us-east-1::image/ami-1a2b3c4d
arn:aws:ec2:us-east-1:123456789012:instance/*
arn:aws:ec2:us-east-1:123456789012:volume/*
arn:aws:ec2:us-east-1:123456789012:volume/vol-1a2b3c4d

Amazon EC2 Container Service (Amazon ECS)

语法:

arn:aws:ecs:region:account:cluster/cluster-name
arn:aws:ecs:region:account:container-instance/container-instance-id
arn:aws:ecs:region:account:task-definition/task-definition-family-name:task-definition-revision-number
arn:aws:ecs:region:account:service/service-name
arn:aws:ecs:region:account:task/task-id
arn:aws:ecs:region:account:container/container-id

示例：

arn:aws:ecs:us-east-1:123456789012:cluster/my-cluster
arn:aws:ecs:us-east-1:123456789012:container-instance/403125b0-555c-4473-86b5-65982db28a6d
arn:aws:ecs:us-east-1:123456789012:task-definition/hello_world:8
arn:aws:ecs:us-east-1:123456789012:service/sample-webapp
arn:aws:ecs:us-east-1:123456789012:task/1abf0f6d-a411-4033-b8eb-a4eed3ad252a
arn:aws:ecs:us-east-1:123456789012:container/476e7c41-17f2-4c17-9d14-412566202c8a

Amazon Elastic Transcoder

语法:

arn:aws:elastictranscoder:region:account:resource/id

例如：

arn:aws:elastictranscoder:us-east-1:123456789012:preset/*

Amazon Glacier

语法:

arn:aws:glacier:region:account:vaults/vaultname

示例：

arn:aws:glacier:us-east-1:123456789012:vaults/examplevault
arn:aws:glacier:us-east-1:123456789012:vaults/example*
arn:aws:glacier:us-east-1:123456789012:vaults/*

Amazon Machine Learning

语法:

arn:aws:machinelearning:region:account:datasource/datasourceID
arn:aws:machinelearning:region:account:mlmodel/mlmodelID
arn:aws:machinelearning:region:account:batchprediction/batchpredictionlID
arn:aws:machinelearning:region:account:evaluation/evaluationID

示例：

arn:aws:machinelearning:us-west-2:123456789012:datasource/my-datasource-1
arn:aws:machinelearning:us-west-2:123456789012:mlmodel/my-mlmodel
arn:aws:machinelearning:us-west-2:123456789012:batchprediction/my-batchprediction
arn:aws:machinelearning:us-west-2:123456789012:evaluation/my-evaluation

Amazon Redshift

语法:

arn:aws:redshift:region:account:cluster:clustername
arn:aws:redshift:region:account:parametergroup:parametergroupname
arn:aws:redshift:region:account:securitygroup:securitygroupname
arn:aws:redshift:region:account:snapshot:clustername/snapshotname
arn:aws:redshift:region:account:subnetgroup:subnetgroupname

示例：

arn:aws:redshift:us-east-1:123456789012:cluster:my-cluster
arn:aws:redshift:us-east-1:123456789012:parametergroup:my-parameter-group
arn:aws:redshift:us-east-1:123456789012:securitygroup:my-public-group
arn:aws:redshift:us-east-1:123456789012:snapshot:my-cluster/my-snapshot20130807
arn:aws:redshift:us-east-1:123456789012:subnetgroup:my-subnet-10

Amazon Relational Database Service (Amazon RDS)

仅在数据库实例具有标签时，才能在 Amazon RDS 中使用 ARN。有关更多信息，请参阅 Amazon Relational Database Service 用户指南 中的为数据库实例添加标签。

语法:

arn:aws:service:region:account:db:databasename
arn:aws:service:region:account:snapshot:snapshotname

示例：

arn:aws:rds:eu-west-1:123456789012:db:mysql-db
arn:aws:rds:us-east-1:123456789012:snapshot:my-snapshot2

Amazon Route 53

语法:

arn:aws:route53:::hostedzone/zoneid
arn:aws:route53:::change/changeid

请注意，Amazon Route 53 的 ARN 不需要账号或区域。

示例：

arn:aws:route53:::hostedzone/Z148QEXAMPLE8V
arn:aws:route53:::change/C2RDJ5EXAMPLE2
arn:aws:route53:::change/*

Amazon Simple Notification Service (Amazon SNS)

语法:

arn:aws:sns:region:account:topicname
arn:aws:sns:region:account:topicname:subscriptionid

示例：

arn:aws:sns:*:123456789012:my_corporate_topic
arn:aws:sns:us-east-1:123456789012:my_corporate_topic:02034b43-fefa-4e07-a5eb-3be56f8c54ce

Amazon Simple Queue Service (Amazon SQS)

语法:

arn:aws:sqs:region:account:queuename

例如：

arn:aws:sqs:us-east-1:123456789012:queue1

Amazon Simple Storage Service (Amazon S3)

语法:

arn:aws:s3:::bucketname
arn:aws:s3:::bucketname/objectpath

请注意，Amazon S3 的 ARN 不需要账号或区域。

示例：

arn:aws:s3:::my_corporate_bucket
arn:aws:s3:::my_corporate_bucket/*
arn:aws:s3:::my_corporate_bucket/Development/*

Amazon Simple Workflow Service (Amazon SWF)

语法:

arn:aws:swf:region:account:/domain/domain_name

示例：

arn:aws:swf:us-east-1:123456789012:/domain/department1
arn:aws:swf::123456789012:/domain/

Auto Scaling

语法:

arn:aws:autoscaling:region:account:scalingPolicy:policyid:autoScalingGroupName/groupfriendlyname:policyname/policyfriendlyname
arn:aws:autoscaling:region:account:autoScalingGroup:groupid:autoScalingGroupName/groupfriendlyname

例如：

arn:aws:autoscaling:us-east-1:123456789012:scalingPolicy:c7a27f55-d35e-4153-b044-8ca9155fc467:autoScalingGroupName/my-test-asg1:policyName/my-scaleout-policy

AWS CodeDeploy

语法:

arn:aws:codedeploy:region:account:resource-type:resource-specifier
arn:aws:codedeploy:region:account:resource-type/resource-specifier

例如：

arn:aws:codedeploy:us-east-1:123456789012:application:WordPress_App
arn:aws:codedeploy:us-east-1:123456789012:instance/AssetTag*

AWS CloudFormation

语法:

arn:aws:cloudformation:region:account:stack/stackname/additionalidentifier

示例：

arn:aws:cloudformation:us-east-1:123456789012:stack/MyProductionStack/abc9dbf0-43c2-11e3-a6e8-50fa526be49c

Elastic Beanstalk

语法:

arn:aws:elasticbeanstalk:region:account:application/applicationname
arn:aws:elasticbeanstalk:region:account:applicationversion/applicationname/versionlabel
arn:aws:elasticbeanstalk:region:account:environment/applicationname/environmentname
arn:aws:elasticbeanstalk:region::solutionstack/solutionstackname
arn:aws:elasticbeanstalk:region:account:template/applicationname/templatename

示例：

arn:aws:elasticbeanstalk:us-east-1:123456789012:application/My App
arn:aws:elasticbeanstalk:us-east-1:123456789012:applicationversion/My App/My Version
arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/MyEnvironment
arn:aws:elasticbeanstalk:us-east-1::solutionstack/32bit Amazon Linux running Tomcat 7
arn:aws:elasticbeanstalk:us-east-1:123456789012:template/My App/My Template

AWS Identity and Access Management (IAM)

语法:

arn:aws:iam::account-id:root
arn:aws:iam::account-id:user/user-name
arn:aws:iam::account-id:group/group-name
arn:aws:iam::account-id:role/role-name
arn:aws:iam::account-id:policy/policy-name
arn:aws:iam::account-id:instance-profile/instance-profile-name
arn:aws:sts::account-id:federated-user/user-name
arn:aws:sts::account-id:assumed-role/role-name/role-session-name
arn:aws:iam::account-id:mfa/virtual-device-name
arn:aws:iam::account-id:server-certificate/certificate-name

示例：

arn:aws:iam::123456789012:root
arn:aws:iam::123456789012:user/Bob
arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob
arn:aws:iam::123456789012:group/Developers
arn:aws:iam::123456789012:group/division_abc/subdivision_xyz/product_A/Developers
arn:aws:iam::123456789012:role/S3Access
arn:aws:iam::123456789012:role/application_abc/component_xyz/S3Access
arn:aws:iam::123456789012:policy/UsersManageOwnCredentials
arn:aws:iam::123456789012:policy/division_abc/subdivision_xyz/UsersManageOwnCredentials
arn:aws:iam::123456789012:instance-profile/Webserver
arn:aws:sts::123456789012:federated-user/Bob
arn:aws:sts::123456789012:assumed-role/Accounting-Role/Mary
arn:aws:iam::123456789012:mfa/BobJonesMFA
arn:aws:iam::123456789012:server-certificate/ProdServerCert
arn:aws:iam::123456789012:server-certificate/division_abc/subdivision_xyz/ProdServerCert

有关 IAM ARN 的更多信息，请参阅 使用 IAM 中的 IAM ARN。
AWS Storage Gateway

语法:

arn:aws:storagegateway:region:account:gateway/gatewayname
arn:aws:storagegateway:region:account:gateway/gatewayname/volume/volumename
arn:aws:storagegateway:us-east-1:123456789012:gateway/gatewayname/target/targetname

示例：

arn:aws:storagegateway:us-east-1:123456789012:gateway/mygateway
arn:aws:storagegateway:us-east-1:123456789012:gateway/mygateway/volume/*
arn:aws:storagegateway:us-east-1:123456789012:gateway/mygateway/volume/vol-1122AABB
arn:aws:storagegateway:us-east-1:123456789012:gateway/mygateway/target/iqn.1997-05.com.amazon:myvolume

AWS Trusted Advisor

语法:

arn:aws:trustedadvisor:*:account:checks/categorycode/checkid

例如：

arn:aws:trustedadvisor:*:123456789012:checks/fault_tolerance/BueAdJ7NrP

Elastic Load Balancing

语法:

arn:aws:elasticloadbalancing:region:account:loadbalancer/loadbalancername

例如：

arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/myloadbalancer

ARN 中的路径

一些服务允许您为资源名称指定路径。例如，在 Amazon S3 中，资源标识符是一个对象名称，它可以包含斜杠 (/) 来形成路径。同样，IAM 用户名称和组名也可以包含路径。

在某些情况下，路径可以包含一个通配符，即星号 (*)。例如，当您在编写 IAM 策略时，如果希望在 Resource 元素中指定包含路径 product_1234 的所有 IAM 用户，则可以使用通配符，如下所示：

arn:aws:iam::123456789012:user/Development/product_1234/*

同样，在 IAM 策略的 Resource 元素中，您可以在 ARN 的末尾指定 user/* 来表示所有用户或者指定 group/* 来表示所有组，如以下示例所示：

“Resource”:”arn:aws:iam::123456789012:user/*”
“Resource”:”arn:aws:iam::123456789012:group/*”

Note

在基于资源的策略或角色信任策略的 Principal 元素中，您不能使用通配符指定所有用户。任何策略都不支持将组作为委托人。

以下示例显示了 Amazon S3 存储桶的 ARN，其中的资源名称包含一个路径：

arn:aws:s3:::my_corporate_bucket/*
arn:aws:s3:::my_corporate_bucket/Development/*

您不能在 ARN 指定资源类型的部分使用通配符，比如 IAM ARN 中的 user 一词。禁止执行下列操作：

arn:aws:iam::123456789012:u*

AWS 服务命名空间

当创建 AWS IAM 策略或使用亚马逊资源名称 (ARN) 时，您可以使用命名空间来标识 AWS 服务。例如，Amazon S3 的命名空间是 s3，Amazon EC2 的命名空间是 ec2。您可以使用命名空间来标识操作和资源。

以下示例显示了 IAM 策略中 Action 元素的值，以及 Resource 和 Condition 元素中的值使用命名空间来针对操作和资源标识服务。

{
“Version”: “2012-10-17”,
“Statement”: [
{
“Effect”: “Allow”,
“Action”: “ec2:*”,
“Resource”: [
“arn:aws:ec2:us-west-2:123456789012:customer-gateway/*”,
“arn:aws:ec2:us-west-2:123456789012:dhcp-options/*”,
“arn:aws:ec2:us-west-2::image/*”,
“arn:aws:ec2:us-west-2:123456789012:instance/*”,
“arn:aws:iam::123456789012:instance-profile/*”,
“arn:aws:ec2:us-west-2:123456789012:internet-gateway/*”,
“arn:aws:ec2:us-west-2:123456789012:key-pair/*”,
“arn:aws:ec2:us-west-2:123456789012:network-acl/*”,
“arn:aws:ec2:us-west-2:123456789012:network-interface/*”,
“arn:aws:ec2:us-west-2:123456789012:placement-group/*”,
“arn:aws:ec2:us-west-2:123456789012:route-table/*”,
“arn:aws:ec2:us-west-2:123456789012:security-group/*”,
“arn:aws:ec2:us-west-2::snapshot/*”,
“arn:aws:ec2:us-west-2:123456789012:subnet/*”,
“arn:aws:ec2:us-west-2:123456789012:volume/*”,
“arn:aws:ec2:us-west-2:123456789012:vpc/*”,
“arn:aws:ec2:us-west-2:123456789012:vpc-peering-connection/*”
]
},
{
“Effect”: “Allow”,
“Action”: “s3:*”,
“Resource”: “arn:aws:s3:::example_bucket/marketing/*”
},
{
“Effect”: “Allow”,
“Action”: “s3:ListBucket*”,
“Resource”: “arn:aws:s3:::example_bucket”,
“Condition”: {“StringLike”: {“s3:prefix”: “marketing/*”}}
}
]
}

下表列出了各个 AWS 服务命名空间。

服务 命名空间
Amazon AppStream appstream
Auto Scaling autoscaling
AWS Billing and Cost Management aws-portal
AWS CloudFormation cloudformation
Amazon CloudFront cloudfront
Amazon CloudSearch cloudsearch
AWS CloudTrail cloudtrail
CloudWatch cloudwatch
AWS CodeDeploy codedeploy
AWS Config config
Amazon Cognito cognito-identity
Amazon Cognito Sync cognito-sync
AWS Data Pipeline datapipeline
AWS Direct Connect directconnect
AWS Directory Service ds
DynamoDB dynamodb
Amazon EC2 ec2
Elastic Beanstalk elasticbeanstalk
Elastic Load Balancing elasticloadbalancing
Amazon Elastic MapReduce elasticmapreduce
Amazon ElastiCache elasticache
Amazon Elastic Transcoder elastictranscoder
Amazon Glacier glacier
AWS Identity and Access Management iam
AWS Import/Export importexport
Amazon Kinesis kinesis
AWS Key Management Service kms
Amazon Machine Learning machinelearning
AWS Marketplace aws-marketplace
AWS Marketplace Management Portal aws-marketplace-management
Amazon Mobile Analytics mobileanalytics
AWS OpsWorks opsworks
Amazon RDS rds
Amazon Redshift redshift
Amazon Route 53 route53
Amazon S3 s3
Amazon SES ses
Amazon SimpleDB sdb
Amazon SNS sns
Amazon SQS sqs
AWS Storage Gateway storagegateway
AWS STS sts
AWS Support support
Amazon SWF swf
AWS Trusted Advisor trustedadvisor
Amazon VPC ec2
Amazon WorkSpaces workspaces