IAM User ARN — Identifying Individual Users
Parse an IAM user ARN to understand how individual AWS users are identified. Covers user paths, the difference between user and role ARNs, and root account ARNs.
Detailed Explanation
IAM User Identification
IAM user ARNs identify individual human or programmatic users within an AWS account. Like all IAM ARNs, the region field is empty because IAM is a global service.
Example ARN
arn:aws:iam::123456789012:user/developers/jane.doe
Parsed Components
| Component | Value |
|---|---|
| Partition | aws |
| Service | iam |
| Region | (empty) |
| Account ID | 123456789012 |
| Resource Type | user |
| Resource ID | developers/jane.doe |
User Paths for Organization
The path developers/ is an organizational grouping mechanism. You can create users with paths like /developers/, /admins/, /service-accounts/ and then write IAM policies that target specific paths using wildcards.
Root Account ARN
Every AWS account also has a root user ARN that looks different:
arn:aws:iam::123456789012:root
The root ARN has no resource type prefix and uses root directly as the resource. This ARN is frequently used in trust policies and KMS key policies to represent "any principal in this account."
Users vs. Roles
While user ARNs (user/name) identify persistent identities with long-term credentials (access keys), role ARNs (role/name) identify assumable identities with temporary credentials. AWS best practice strongly favors roles over users for both human and programmatic access.
Use Case
Auditing IAM configurations by parsing user ARNs from CloudTrail logs to identify which specific users performed actions. Also used in resource-based policies to grant permissions to specific individuals.