IAM Role ARN — Cross-Account and Service Roles
Parse an AWS IAM Role ARN to understand how roles are identified. Covers role paths, cross-account assume-role trust policies, and service-linked roles.
Detailed Explanation
IAM Role ARN Structure
IAM roles are one of the most fundamental building blocks of AWS security. Their ARNs follow the standard IAM pattern: the region field is empty because IAM is a global service, the account ID names the owning account, and the resource part starts with the role/ type prefix followed by an optional path and the role name.
Example ARN
arn:aws:iam::123456789012:role/application/MyAppRole
Parsed Components
| Component | Value |
|---|---|
| Partition | aws |
| Service | iam |
| Region | (empty) — IAM is global |
| Account ID | 123456789012 |
| Resource Type | role |
| Resource ID | application/MyAppRole |
Role Paths
The resource ID application/MyAppRole includes a path (/application/) and the role name (MyAppRole). Paths are optional organizational prefixes used to group related roles; they do not make names unique, because role names must be unique within an account regardless of path. Paths are significant in IAM policies: a policy whose Resource is arn:aws:iam::123456789012:role/application/* grants access to every role under the /application/ path but not to roles in other paths or at the root path /. Two caveats follow from this. A trust policy or resource policy that names this role as a principal must use the full ARN including the path. The STS session ARN seen once the role is assumed (arn:aws:sts::123456789012:assumed-role/MyAppRole/session-name, as returned by sts:GetCallerIdentity and recorded in CloudTrail) drops the path, so string matches on session ARNs must use the path-less role name.
Cross-Account Role Assumption
IAM role ARNs are used in sts:AssumeRole calls and trust policies. When a principal in Account B wants to access resources in Account A, Account A creates a role whose trust policy names the trusted principal in Account B: either the whole account, written as its root ARN, or a specific role ARN. A root principal does not mean the root user; it delegates to every IAM principal in Account B whose own identity policy allows sts:AssumeRole on the role, so naming a specific role is the least-privilege choice. Both sides must agree: the trust policy in Account A must admit the caller, and an identity policy in Account B must grant the caller sts:AssumeRole on the role's ARN. For roles assumed by third parties, add a Condition on sts:ExternalId to guard against the confused-deputy problem. A complete trust policy that delegates to Account B (987654321098) looks like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::987654321098:root" },
      "Action": "sts:AssumeRole"
    }
  ]
}
Service-Linked Roles
AWS services create special service-linked roles under the path /aws-service-role/. The trust policy of such a role names the owning service principal and is managed by the service, so it cannot be edited. For example: arn:aws:iam::123456789012:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing. Service-linked roles are distinct from ordinary service roles, which you create yourself with a trust policy whose Principal is a service (for example "Service": "ec2.amazonaws.com") rather than an AWS account or role.
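The following Python is an example added to this page, not code from AWS, boto3 or any library. It ties together the three points above: it parses a role ARN into account, path and name (flagging service-linked roles by their /aws-service-role/ path), applies IAM-style wildcard matching so you can check which roles a path-scoped Resource pattern covers, and evaluates the "AWS" principals of a trust policy against a caller, including the rule that a :root principal delegates to the whole account and the rule that an assumed-role session ARN carries no path. Every account ID, role name, path and session name is constructed for illustration; Service and Federated principals and Condition blocks such as sts:ExternalId are deliberately out of scope.

```python
"""IAM role ARN parsing and trust-policy principal matching (added example,
not AWS or boto3 code; all identifiers below are constructed)."""
import re
from dataclasses import dataclass

ARN_RE = re.compile(r"^arn:(?P<partition>[^:]+):(?P<service>[^:]*):(?P<region>[^:]*):"
                    r"(?P<account>[^:]*):(?P<resource>.+)$")
ACCOUNT_RE = re.compile(r"\d{12}")


@dataclass(frozen=True)
class IamRoleArn:
    partition: str
    account: str
    path: str  # always starts and ends with "/", e.g. "/application/"
    name: str  # unique per account regardless of path

    @property
    def service_linked(self) -> bool:
        return self.path.startswith("/aws-service-role/")

    @property
    def session_arn_prefix(self) -> str:
        # STS assumed-role session ARNs drop the path; only the role name survives.
        return f"arn:{self.partition}:sts::{self.account}:assumed-role/{self.name}/"


def parse_role_arn(arn: str) -> IamRoleArn:
    """Split an IAM role ARN into partition, account, path and name; reject anything else."""
    m = ARN_RE.match(arn)
    if m is None:
        raise ValueError(f"not an ARN: {arn!r}")
    if m["service"] != "iam" or m["region"] != "" or not ACCOUNT_RE.fullmatch(m["account"]):
        raise ValueError(f"not an IAM ARN (global service, 12-digit account): {arn!r}")
    rtype, _, rest = m["resource"].partition("/")
    if rtype != "role" or not rest or rest.endswith("/"):
        raise ValueError(f"not a role ARN: {arn!r}")
    path, _, name = rest.rpartition("/")
    return IamRoleArn(m["partition"], m["account"], f"/{path}/" if path else "/", name)


def arn_matches_pattern(arn: str, pattern: str) -> bool:
    """IAM Resource-element matching: '*' spans any characters (including '/'), '?' one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None


def _aws_principal_admits(principal: str, caller: str) -> bool:
    """One "AWS" principal entry versus a caller (IAM role ARN or STS session ARN)."""
    if principal == "*":  # anonymous trust: any AWS principal may attempt the call
        return True
    cm = ARN_RE.match(caller)
    if cm is None:
        return False
    if ACCOUNT_RE.fullmatch(principal):  # bare account ID, same meaning as :root below
        return cm["account"] == principal
    pm = ARN_RE.match(principal)
    if pm is None or pm["service"] != "iam":
        return False
    if pm["resource"] == "root":
        # Whole-account trust: any principal in that account whose own identity
        # policy grants sts:AssumeRole on this role, not only the root user.
        return cm["account"] == pm["account"]
    if pm["resource"].startswith("role/"):
        trusted = parse_role_arn(principal)
        # The trusted role itself, or one of its sessions (session ARNs carry no path).
        return caller == principal or caller.startswith(trusted.session_arn_prefix)
    return False


def trust_policy_admits(policy: dict, caller: str) -> bool:
    """Evaluate a trust-policy document's "AWS" principals for sts:AssumeRole; explicit Deny wins."""
    statements = policy["Statement"]
    statements = [statements] if isinstance(statements, dict) else statements
    allowed = False
    for st in statements:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = st.get("Principal", {})
        aws = ["*"] if principal == "*" else principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        if any(_aws_principal_admits(p, caller) for p in aws):
            if st.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed


# Constructed trust policy for a role in Account A that trusts one CI role in Account B.
CI_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::987654321098:role/ci/DeployRole"},
        "Action": "sts:AssumeRole",
    }],
}
```

Two details are worth noticing when you run it. trust_policy_admits(CI_TRUST_POLICY, "arn:aws:iam::987654321098:role/DeployRole") is False because the principal in the policy carries the /ci/ path and the ARN must match exactly, while the session ARN arn:aws:sts::987654321098:assumed-role/DeployRole/build-42 is admitted even though it has no path. Real IAM evaluation also applies Conditions, Service and Federated principals and the caller's own identity policy, none of which this illustration models.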
Use Case
Setting up cross-account access patterns where a CI/CD pipeline in a shared-services account assumes roles in multiple target accounts for deployment. The role ARN is the key reference on both sides: each target account's trust policy names the pipeline role's ARN (with its path) as the trusted principal, and the pipeline's sts:AssumeRole call names the target account's role ARN.