|0.4.8||Jan 10, 2023|
|0.4.7||Oct 22, 2022|
Amazon Resource Name (ARN) and Principal utilities for Scratchstack.
Amazon Resource Name (ARN)
ARNs come in two "flavors":
- An actual resource, such as an EC2 instance (
- A policy resource statement, which in certain instances may contain wildcards (
The Arn struct is used for actual resources, while the ArnPattern struct is used to match against
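To make the two "flavors" concrete, here is an added example (my own code, not the scratchstack crate's API): a minimal parser for the five ARN fields and a policy-style wildcard matcher that compares a resource statement, field by field, against a concrete ARN. The field layout and the `*`/`?` wildcard semantics follow the IAM policy grammar; the function names are my own.

```rust
// Added example, not the scratchstack crate's own API: a minimal ARN parser and an
// IAM-style wildcard matcher for the two ARN "flavors" described above.

/// Fields of an ARN after the "arn:" prefix: partition, service, region,
/// account-id, resource. The resource field may itself contain ':'.
pub fn parse_arn(s: &str) -> Option<[&str; 5]> {
    let p: Vec<&str> = s.splitn(6, ':').collect();
    if p.len() != 6 || p[0] != "arn" {
        return None;
    }
    Some([p[1], p[2], p[3], p[4], p[5]])
}

/// Policy wildcard match: '*' matches any run of characters (possibly empty),
/// '?' matches exactly one character. Everything else must match literally.
pub fn wildcard_match(pattern: &str, text: &str) -> bool {
    let p: Vec<char> = pattern.chars().collect();
    let t: Vec<char> = text.chars().collect();
    // dp[i][j] is true when pattern[..i] matches text[..j].
    let mut dp = vec![vec![false; t.len() + 1]; p.len() + 1];
    dp[0][0] = true;
    for i in 1..=p.len() {
        // Only a leading run of '*' can match the empty text.
        dp[i][0] = p[i - 1] == '*' && dp[i - 1][0];
        for j in 1..=t.len() {
            dp[i][j] = match p[i - 1] {
                '*' => dp[i - 1][j] || dp[i][j - 1],
                '?' => dp[i - 1][j - 1],
                c => c == t[j - 1] && dp[i - 1][j - 1],
            };
        }
    }
    dp[p.len()][t.len()]
}

/// Match a policy resource statement (which may contain wildcards) against a
/// concrete resource ARN. Each of the five fields must match independently.
pub fn arn_matches(pattern: &str, arn: &str) -> bool {
    match (parse_arn(pattern), parse_arn(arn)) {
        (Some(p), Some(a)) => (0..5).all(|i| wildcard_match(p[i], a[i])),
        _ => false,
    }
}

fn main() {
    // Constructed sample values; the account id is a placeholder.
    let pattern = "arn:aws:ec2:*:123456789012:instance/*";
    let arn = "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc";
    println!("{pattern} matches {arn}: {}", arn_matches(pattern, arn));
}
```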
A principal is an entity performing an action. Note that not all principals have ARNs. However, all principals have a "principal source": the domain that owns the identity of the principals.
The principals in the AWS ecosystem are:
- Assumed Role (source: AWS): An IAM role assumed by an actor with a session name. Has an ARN in the form
- S3 Canonical User (source: CanonicalUser): An S3 user performing an action on an S3 object or bucket. This is a legacy identifier; IAM identifiers are preferred now. Does not have an ARN.
- Federated User (source: Federated): A user identified from a federation identity source. Has an ARN in the form
- Root User (source: AWS): The root user for an AWS account. Does not have an ARN. Note that the ARN in the form arn:_partition_:iam::_account-id_:root is an alias for any entity in the account, not the root user.
- Service (source: Service): An AWS(-ish) service represented as a domain name. The domain name may or may not have the region embedded (e.g. edgelambda.amazonaws.com). Does not have an ARN.
- IAM User (source: AWS): An IAM user. Has an ARN in the form
Entities that exist but are not principals:
- EC2 Instance: EC2 instances perform actions based on the assumed role tied to the instance profile. The instance itself has an ARN in the form
- IAM Group: This is used to add policies common to a set of users. Users always act on their own behalf. Has an ARN in the form