Access elements: Resource, Action, and Metadata

Learn about the three other access elements and the components that constitute a request made to an AWS API.

Resource

A resource is an AWS entity that serves as the target of an operation. When we delete an S3 bucket, the resource is the bucket. When a user assumes a role, the resource is the role. Most requests have a resource.

An Amazon Resource Name (ARN) is a global identifier for resources inside AWS. Usually, an ARN is what we need to supply when a request or a policy has to refer to a specific entity.

An ARN is made up of several parts:

arn:partition:service:region:account-id:resource-id

  • The partition is usually aws; the exceptions are the regions in China and AWS GovCloud (US).
  • The service is the AWS product, such as s3 or iam.
  • The region specifies where the resource is located, if applicable. Global resources, such as IAM users, have no region and leave this field empty.
  • The account-id is the 12-digit account number.
  • Finally, the resource-id is the identifier of the resource within that service. It can specify sub-resources too, such as the name of an object inside an S3 bucket.

For example, an sts:AssumeRole operation specifies the role to assume by its ARN: arn:aws:iam::123456789012:role/test-role. This resource belongs to the IAM service, which is global, so the region field is empty; it lives in account 123456789012 and is a role named test-role.
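The structure above can be checked mechanically. The following parser is an added example and not part of the course material: it splits an ARN into its six fields, keeps any colons that belong to the resource part intact (some services put them there), validates the partition and the 12-digit account number, and flags global resources by their empty region. The partition names aws, aws-cn and aws-us-gov are the real identifiers for the three partitions the text mentions; the sample ARNs are constructed for illustration.

```python
from dataclasses import dataclass

# The three partitions: commercial AWS, China regions, and AWS GovCloud (US).
KNOWN_PARTITIONS = {"aws", "aws-cn", "aws-us-gov"}


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str       # empty for global services such as IAM
    account_id: str   # empty for some resources, e.g. S3 buckets
    resource: str     # resource-id, possibly "type/name" or "type:name"

    @property
    def is_global(self) -> bool:
        """True when the resource belongs to a non-regional service."""
        return self.region == ""


def parse_arn(arn: str) -> Arn:
    """Split an ARN into its components, rejecting malformed input.

    Validating ARNs before they are written into a policy or compared
    against a request avoids silently granting access to the wrong
    principal or resource because of a typo.
    """
    # maxsplit=5 yields exactly six fields and leaves any ':' inside the
    # resource-id untouched (e.g. CloudWatch log group ARNs contain one).
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account_id, resource = parts

    if partition not in KNOWN_PARTITIONS:
        raise ValueError(f"unknown partition {partition!r} in {arn!r}")
    if not service:
        raise ValueError(f"missing service in {arn!r}")
    # The account field may be empty, but when present it is 12 digits.
    if account_id and not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"account id must be 12 digits: {account_id!r}")
    if not resource:
        raise ValueError(f"missing resource-id in {arn!r}")
    return Arn(partition, service, region, account_id, resource)


def split_resource(resource: str) -> tuple[str, str]:
    """Split a resource-id of the form "type/name" or "type:name".

    Services that embed a resource type (IAM, EC2, Lambda, ...) use one of
    these separators; a resource without any separator is returned with an
    empty type. Note that S3 omits the type entirely ("bucket/key"), so the
    caller must know the service before trusting the first element as a type.
    """
    for sep in ("/", ":"):
        if sep in resource:
            rtype, name = resource.split(sep, 1)
            return rtype, name
    return "", resource


if __name__ == "__main__":
    # Constructed sample ARNs.
    role = parse_arn("arn:aws:iam::123456789012:role/test-role")
    print(role, "global:", role.is_global, split_resource(role.resource))
    obj = parse_arn("arn:aws:s3:::my-bucket/reports/2024:q1.csv")
    print(obj, "global:", obj.is_global)
```

Running the module prints the parsed fields of the role ARN from the text (global, type role, name test-role) and of an S3 object ARN whose key contains a colon, showing that the colon survives in the resource field rather than producing a seventh component.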

Each resource type uses its own structure for the resource-id part; the exact formats are detailed in the reference documentation of each service.

For example, the S3 service defines these resource types:
