Access elements: Resource, Action, and Metadata
Learn about the three other access elements and the components that constitute a request made to an AWS API.
Resource
A resource is an AWS entity that serves as the target of an operation. When we delete an S3 bucket, the resource is the bucket. When a user assumes a role, the resource is the role. Most requests have a resource.
An Amazon Resource Name (ARN) is a global identifier for resources inside AWS. Usually, these are what we need to input when we want to specify an entity.
An ARN is made up of several parts:
arn:partition:service:region:account-id:resource-id
- The partition is usually aws; the exceptions are regions in China and the US GovCloud.
- The service is the AWS product, such as s3 or iam.
- The region specifies the region in which the resource is located, if any. There are global resources, such as IAM users, that do not have a region.
- The account-id is the 12-digit account number.
- And finally, the resource-id is the local identifier of the resource. It can specify sub-resources too, such as the name of objects inside an S3 bucket.
For example, an sts:AssumeRole operation specifies the role to assume by its ARN: arn:aws:iam::123456789012:role/test-role. This resource is inside the IAM service, which is non-regional, the region is missing, in the 123456789012 ...
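The ARN layout above as a parser, added here as an example (not code from the course): it keeps empty region and account-id fields, keeps colons inside the resource-id, and uses the parsed fields to check a role ARN against an account allow-list before it is used with sts:AssumeRole. The names parse_arn and is_allowed_role and the allow-list are assumptions; aws-cn and aws-us-gov are AWS's identifiers for the China and GovCloud partitions, which the page mentions without naming.

```python
import re
from typing import NamedTuple

# Partitions the page names: aws, plus the China and US GovCloud regions.
KNOWN_PARTITIONS = {"aws", "aws-cn", "aws-us-gov"}


class Arn(NamedTuple):
    partition: str
    service: str
    region: str       # empty for global resources such as IAM roles
    account_id: str   # empty for some resources, e.g. S3 buckets
    resource_id: str  # may itself contain ':' or '/'


def parse_arn(text: str) -> Arn:
    """Split an ARN into its fields; raise ValueError on malformed input."""
    # Split on the first five colons only: everything after them is the
    # resource-id, which may legitimately contain more colons.
    parts = text.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {text!r}")
    _, partition, service, region, account_id, resource_id = parts
    if partition not in KNOWN_PARTITIONS:
        raise ValueError(f"unknown partition: {partition!r}")
    if not service or not resource_id:
        raise ValueError("service and resource-id must be non-empty")
    # Empty is allowed; AWS-managed IAM policies use the literal "aws".
    if account_id not in ("", "aws") and not re.fullmatch(r"[0-9]{12}", account_id):
        raise ValueError(f"account-id is not 12 digits: {account_id!r}")
    return Arn(partition, service, region, account_id, resource_id)


def is_allowed_role(text: str, allowed_accounts: set[str]) -> bool:
    """True only for a well-formed IAM role ARN in an allow-listed account."""
    try:
        arn = parse_arn(text)
    except ValueError:
        return False
    return (arn.service == "iam" and arn.region == ""
            and arn.account_id in allowed_accounts
            and arn.resource_id.startswith("role/"))
```

Comparing parsed fields rather than matching substrings of the raw string keeps an account number that appears inside a resource-id from satisfying the allow-list check.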