What is the relationship between Turbot URNs and AWS ARNs?

AWS uses Amazon Resource Names (ARNs) to provide full unique identifiers for all resources.

Turbot URNs follow the AWS ARN format whenever possible, but have a number of key differences designed to improve the usability and functionality of URNs in Turbot.

First, the fundamental structure of Turbot URNs for AWS resources orders the components differently from AWS ARNs. AWS designed ARNs from an AWS point of view, with an order of importance of service > region > account (an ARN reads arn:partition:service:region:account-id:resource). For Turbot, the order of importance is account > region > service, which matches the resource hierarchy: an account contains regions, and a region contains services and their resources.

# Turbot URN for AWS Resource

For S3, Turbot includes region information as part of the URN. An AWS S3 bucket ARN (of the form arn:aws:s3:::bucket-name) carries neither a region nor an account, so Turbot supplies the bucket's region and places the bucket inside that region in the resource hierarchy.

# AWS S3 Bucket ARN

# Turbot URN for the S3 bucket

For IAM, Turbot removes the path information from the URNs of users and roles. The path is not required to uniquely identify a user or role (names are unique within an account regardless of path), and the path cannot be determined during API actions like deletion: it is not present in the API event, and the resource cannot be looked up after it has been deleted.

# AWS IAM User

# Turbot URN for AWS IAM User

IAM policies keep their path information, but get a new special type to keep AWS managed policies separate from custom (customer managed) policies. The ARN of an AWS managed policy carries the literal value aws in the account field rather than an account ID, yet Turbot needs to treat the policy as local to the account that uses it without letting it conflict with a truly local policy of the same name. We achieve this by adding a new IAM type called policy-aws, which represents AWS managed policies in Turbot URNs.

# AWS Policy ARN

# Turbot URN for AWS Managed Policy

# Custom Managed Policy ARN

# Turbot URN for Custom Managed Policy
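The following is an added illustration, not Turbot's own code, that parses AWS ARNs and applies the three adjustments described above (S3 buckets need a region and account supplied from context, IAM users and roles lose their path, AWS managed policies become the policy-aws type while keeping their path) and returns the components in Turbot's account > region > service order. The exact Turbot URN string syntax is not shown on this page, so the example stops at the ordered tuple rather than inventing a serialization; the account IDs and resource names are constructed sample values.

```python
"""Derive Turbot-ordered components (account, region, service, type, name) from AWS ARNs.

Added example, not Turbot's code. Grounded facts: an ARN is
arn:partition:service:region:account-id:resource; S3 bucket ARNs leave region and
account empty; IAM ARNs leave region empty; AWS managed policies use the literal
account value 'aws'. Everything about Turbot here is the ordering and the three
adjustments the article describes, not its real URN syntax.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str    # empty for global services (IAM) and for S3 bucket ARNs
    account: str   # empty for S3 bucket ARNs; the literal 'aws' for AWS managed policies
    resource: str  # may itself contain ':' or '/', so split on at most 5 colons


def parse_arn(arn: str) -> Arn:
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return Arn(*parts[1:])


# (account, region, service, type, name) in Turbot's account > region > service order.
# region is None for IAM, which is a global service.
TurbotParts = Tuple[str, Optional[str], str, str, str]


def turbot_parts(arn: str,
                 context_account: Optional[str] = None,
                 context_region: Optional[str] = None) -> TurbotParts:
    """Map a supported ARN to Turbot-ordered parts.

    context_account / context_region are the account and region the resource was
    discovered in (e.g. from the API event); they fill fields the ARN leaves empty.
    """
    a = parse_arn(arn)
    account = a.account or context_account
    region = a.region or context_region

    if a.service == "s3":
        if "/" in a.resource:
            raise ValueError("S3 object ARN given; this example handles bucket ARNs only")
        # The bucket ARN carries no account or region, so both must come from context.
        if not account or not region:
            raise ValueError("S3 bucket ARNs carry no account or region; pass both from context")
        return (account, region, "s3", "bucket", a.resource)

    if a.service == "iam":
        if "/" not in a.resource:
            raise ValueError(f"unexpected IAM resource: {a.resource!r}")
        rtype, rest = a.resource.split("/", 1)   # 'user/path/name' -> ('user', 'path/name')
        if rtype in ("user", "role"):
            # Drop the path: the name alone is unique within the account, and the
            # path is unavailable in deletion events.
            return (account, None, "iam", rtype, rest.rsplit("/", 1)[-1])
        if rtype == "policy":
            if a.account == "aws":
                # AWS managed policy: treated as local to the account it is used in,
                # under the distinct type 'policy-aws' so it cannot collide with a
                # customer managed policy of the same name. Path is kept.
                if not context_account:
                    raise ValueError("AWS managed policy: need the account it is used in")
                return (context_account, None, "iam", "policy-aws", rest)
            return (account, None, "iam", "policy", rest)

    raise ValueError(f"unsupported ARN for this example: {arn!r}")


if __name__ == "__main__":
    samples = [
        ("arn:aws:s3:::my-bucket", "123456789012", "us-east-1"),
        ("arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/JaneDoe", None, None),
        ("arn:aws:iam::aws:policy/ReadOnlyAccess", "123456789012", None),
        ("arn:aws:iam::123456789012:policy/team/Deployer", None, None),
    ]
    for arn, acct, reg in samples:
        print(arn, "->", turbot_parts(arn, acct, reg))
```

Note that the S3 and AWS managed policy cases deliberately fail when no account context is given: in both cases the ARN alone does not say which account the resource belongs to, and guessing would place it in the wrong part of the hierarchy.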