What is the relationship between Turbot URNs and AWS ARNs?

AWS uses Amazon Resource Names (ARNs) to provide full unique identifiers for all resources.

Turbot URNs follow the AWS ARN format whenever possible, but have a number of key differences designed to improve the usability and functionality of URNs in Turbot.

First, the fundamental structure of Turbot URNs for AWS resources uses a different field order than AWS ARNs. AWS designed its ARNs from an AWS point of view, with an order of importance of service > region > account. Turbot considers the order of importance to be account > region > service.

# AWS ARN
arn:aws:{awsServiceName}:{awsRegion}:{awsAccountId}:{awsResourceDetail}

# Turbot URN for AWS Resource
urn:turbot:{clusterId}:{accountId}:aws:{awsAccountId}:{region}:{awsServiceName}:{awsResourceDetail}

For S3, Turbot includes region information as part of the URN. This places S3 buckets inside their region in the resource hierarchy.

# AWS S3 Bucket ARN
arn:aws:s3:::my_corporate_bucket

# Turbot URN for the S3 bucket
urn:turbot:c1:abc:aws:12345689012:us-east-1:s3:my_corporate_bucket

For IAM, Turbot removes the path information from the URNs of Users and Roles. The path is not actually required to uniquely identify the user or role (their names are unique), and the path cannot be determined during API actions like deletion (it is not available in the API event, and we cannot look up the resource after it has been deleted).

# AWS IAM User
arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob

# Turbot URN for AWS IAM User
urn:turbot:c1:abc:aws:123456879012::iam:user/Bob

IAM Policies keep their path information, but gain a new special type that separates AWS managed policies from custom policies. Turbot needs to treat an AWS managed policy as local to the account without letting it conflict with a truly local policy of the same name. We achieve this by adding a new IAM type called policy-aws, which represents AWS managed policies in Turbot URNs.

# AWS Policy ARN
arn:aws:iam::aws:policy/AdministratorAccess

# Turbot URN for AWS Managed Policy
urn:turbot:c1:abc:aws:123456789012::iam:policy-aws/AdministratorAccess

# Custom Managed Policy ARN
arn:aws:iam::123456789012:policy/MyPolicy

# Turbot URN for Custom Managed Policy
urn:turbot:c1:abc:aws:123456789012::iam:policy/MyPolicy
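The mapping described above, written out as an added example (this is not Turbot's own code). It converts an ARN into the Turbot URN layout and applies the three special cases: the S3 region, IAM user/role path stripping, and the policy-aws type. The cluster id, Turbot account id, and any field the ARN does not carry are passed in by the caller; the function and parameter names are assumptions.

```python
# Added example (not Turbot's code): map an AWS ARN onto the Turbot URN layout
# described above. The cluster id, Turbot account id, and any fields the ARN
# does not carry (S3 has no account or region; AWS managed policy ARNs say
# "aws" instead of an account id) are supplied by the caller; these parameter
# names are assumptions.
def arn_to_turbot_urn(arn: str, cluster_id: str, account_id: str,
                      aws_account_id: str = "", region: str = "") -> str:
    # ARN layout: arn:partition:service:region:account:resource. The resource
    # part may itself contain ':' so split at most five times.
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, arn_region, arn_account, resource = parts
    if partition != "aws":
        raise ValueError(f"unsupported partition: {partition!r}")

    # Resolve the owning AWS account. Refuse to silently relocate a resource
    # when the caller's account id disagrees with the one inside the ARN.
    if arn_account in ("", "aws"):
        if not aws_account_id:
            raise ValueError("ARN carries no account id; pass aws_account_id")
        owner = aws_account_id
    elif aws_account_id and aws_account_id != arn_account:
        raise ValueError(f"account mismatch: {aws_account_id} vs {arn_account}")
    else:
        owner = arn_account

    if service == "s3":
        # Turbot places buckets inside their region, which the ARN omits.
        if not region:
            raise ValueError("S3 buckets need an explicit region for the URN")
        arn_region = region
    elif service == "iam":
        kind, _, name = resource.partition("/")
        if kind in ("user", "role"):
            # Drop the path; the user or role name alone is unique.
            resource = f"{kind}/{name.rsplit('/', 1)[-1]}"
        elif kind == "policy" and arn_account == "aws":
            # AWS managed policy: special policy-aws type, local to the account.
            resource = f"policy-aws/{name}"

    return (f"urn:turbot:{cluster_id}:{account_id}:aws:{owner}:"
            f"{arn_region}:{service}:{resource}")
```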