When working with AWS security, one thing that often confuses beginners is IAM identifiers.
You may have seen terms like ARN, user ID, role ID and friendly name.
Wondering why AWS needs so many identifiers for the same thing?
Here we break it down so you can understand what each identifier is, why it exists and when you will use it.
What are AWS IAM Identifiers?
In AWS Identity and Access Management (IAM), every identity and resource must be uniquely identifiable. AWS achieves this with several types of identifier, each designed for a specific purpose.
A simple analogy:
- Friendly Name = Display Name
- ARN = Full Address
- Unique ID = Government-issued ID number
Let's break each in detail:
1. Friendly Name
Friendly names are the names that we assign to IAM resources when we create them, such as
- IAM User
- IAM Role
- IAM Group
- IAM Policy
Example:
IAM user = "mayur"
IAM role = "ec2-s3-readonly-role"
Why friendly names exist:
- Easy for humans to read and remember
- Used in the AWS Console
- Used in CLI commands and scripts
Important
- Must be unique within an account. Names are not case-sensitive (you cannot have both "Mary" and "mary"), and giving two resources different paths does not make an otherwise duplicate name unique.
Friendly names are not globally unique, so two AWS accounts can have a user with the same friendly name, and a policy that names only "mayur" says nothing about which account is meant.
2. ARN
An Amazon Resource Name (ARN) is similar to a fully qualified domain name: a globally unique address for exactly one resource.
Example:
arn:aws:iam::123456789012:user/mayur
ARN structure:
arn:partition:service:region:account-id:resource
IAM is a global service, so the region field is left empty (hence the double colon before the account ID). The resource field can itself contain slashes and, for some services, colons, so an ARN is split on at most the first five colons.
Why ARNs matter:
- Used in IAM policies (the Resource and Principal elements)
- Used by AWS services internally
- Required for cross-account access, because the account ID is part of the ARN
AWS trusts ARNs, not friendly names.
3. Unique ID
Every IAM resource also gets a unique ID assigned by AWS when it is created.
Example:
AIDAJQABLZS4A3QDU576Q
The first four characters tell you the resource type: AIDA for an IAM user, AROA for a role, AGPA for a group, ANPA for a managed policy, AIPA for an instance profile, AKIA for a long-term access key and ASIA for a temporary (STS) access key.
Why AWS uses this:
- Friendly names can change
- ARNs change if the name or path changes
- Unique IDs never change and are never reused, even after the resource is deleted
You will rarely type a unique ID, but you will meet them in two places. CloudTrail records the caller's unique ID in userIdentity.principalId (for an assumed role it is the role ID followed by a colon and the session name). And when a user or role named in a trust policy or resource policy is deleted, AWS rewrites that Principal entry from the ARN to the unique ID. Recreating a role with the same friendly name does not repair such entries, because the new role gets a fresh ID; the dead entry has to be replaced with the new ARN.
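The two places where unique IDs surface, as an added example (this is not code from the original article or from AWS). The trust policy and the CloudTrail record are constructed, every unique ID in them is made up, and the prefix table lists the prefixes AWS documents for IAM unique IDs; the assumption that an ID is 20 or 21 upper-case alphanumeric characters is taken from the documented examples and is labelled in the code.

```python
"""Recognise IAM unique IDs where they surface: deleted principals in a
trust policy and the principalId field of CloudTrail records.

Added example for this article; not AWS code or code from the original
post. The policy document and CloudTrail record are constructed, and every
unique ID in them is made up.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Prefixes AWS documents for IAM unique IDs (subset).
UNIQUE_ID_PREFIXES = {
    "AIDA": "IAM user",
    "AROA": "IAM role",
    "AGPA": "IAM group",
    "ANPA": "managed policy",
    "AIPA": "instance profile",
    "AKIA": "long-term access key",
    "ASIA": "temporary (STS) access key",
}
# Assumption: 20-21 upper-case alphanumeric characters, as in the documented examples.
UNIQUE_ID_RE = re.compile(r"^[A-Z]{4}[A-Z0-9]{16,17}$")


def classify_unique_id(value: str) -> Optional[str]:
    """Return the resource type for an IAM unique ID, or None if the value
    is not shaped like one (an ARN or a friendly name, for example)."""
    if not UNIQUE_ID_RE.match(value):
        return None
    return UNIQUE_ID_PREFIXES.get(value[:4], "unknown prefix")


# Constructed trust policy: one live principal by ARN and one entry that AWS
# has rewritten to a bare role ID because that role was deleted.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:role/ci-deploy",
          "AROAEXAMPLEDELETED00X"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
""")


def find_deleted_principals(policy: Dict) -> List[str]:
    """Principal entries that are unique IDs instead of ARNs.

    When a user or role named in a trust or resource policy is deleted, AWS
    replaces the ARN with the principal's unique ID. Recreating a principal
    with the same friendly name gives it a fresh ID, so the entry stays dead
    and must be re-added by ARN.
    """
    found: List[str] = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # e.g. "Principal": "*"
            continue
        values = principal.get("AWS", [])
        if isinstance(values, str):
            values = [values]
        found.extend(v for v in values if classify_unique_id(v))
    return found


# Constructed CloudTrail userIdentity for an assumed role. principalId is
# "<role unique ID>:<session name>", so it keeps identifying the role even
# if the friendly name changes later; the arn is the sts assumed-role form.
CLOUDTRAIL_RECORD = {
    "eventName": "GetObject",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAEXAMPLE1LIVEROLE0:ci-run-42",
        "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/ci-run-42",
    },
}


def principal_from_cloudtrail(record: Dict) -> Tuple[str, str]:
    """(unique ID, resource type) behind a CloudTrail record, session name dropped."""
    pid = record["userIdentity"]["principalId"].split(":", 1)[0]
    return pid, classify_unique_id(pid) or "unknown"


if __name__ == "__main__":
    print("dead principals:", find_deleted_principals(TRUST_POLICY))
    print("actor:", principal_from_cloudtrail(CLOUDTRAIL_RECORD))
```

Running the script lists the rewritten AROA entry as a dead principal and resolves the CloudTrail actor to a role ID. The same scan, pointed at the trust policies you export with the AWS CLI, is a quick way to find cross-account trusts that silently stopped working when the other side recreated a role.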
4. Paths
Paths allow you to logically group IAM resources. A path starts and ends with a slash and sits between the resource type and the friendly name in the ARN.
Example:
A user named "dev-admin" created with the path /dev/admins/ has the ARN
arn:aws:iam::123456789012:user/dev/admins/dev-admin
Paths:
- Grant nothing by themselves, but a policy's Resource element can match on them (for example user/dev/*), so they are a handy way to scope a policy to one team or environment
- Help with organisation
- Are included in the ARN, so changing a path changes the ARN
When paths are useful:
- Large enterprises
- Multiple teams
- Environment separation
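How the ARN structure, the path and the friendly name fit together, and what a wildcard in a policy Resource actually covers, as an added example (not code from the original article or from AWS). The account ID 123456789012 and the three user ARNs are constructed; the matching rule implemented here is IAM's: * spans any characters including slashes, ? matches one character, everything else is literal.

```python
"""Parse AWS ARNs and match them against policy Resource patterns.

Added example for this article; it is not AWS code or code from the
original post. The account ID 123456789012 and the user ARNs below are
constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str    # empty for global services such as IAM
    account: str   # empty for some services, e.g. S3 buckets
    resource: str  # everything after the fifth colon, e.g. "user/dev/admins/dev-admin"

    @property
    def resource_type(self) -> str:
        return self.resource.split("/", 1)[0]

    @property
    def path(self) -> str:
        """IAM path with leading and trailing slash; "/" when the resource has none."""
        parts = self.resource.split("/")
        if len(parts) <= 2:  # e.g. "user/mayur"
            return "/"
        return "/" + "/".join(parts[1:-1]) + "/"

    @property
    def name(self) -> str:
        """The friendly name is the last segment."""
        return self.resource.rsplit("/", 1)[-1]


def parse_arn(text: str) -> Arn:
    # Split on at most five colons: the resource part may itself contain
    # colons (S3 object keys, some service resource types).
    parts = text.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or not parts[1] or not parts[2]:
        raise ValueError(f"not an ARN: {text!r}")
    return Arn(*parts[1:])


def arn_matches(pattern: str, arn: str) -> bool:
    """IAM-style Resource match: '*' spans any characters (including '/'),
    '?' matches exactly one; everything else is literal and case-sensitive."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, arn) is not None


ACCOUNT = "123456789012"  # constructed
USERS = [
    f"arn:aws:iam::{ACCOUNT}:user/mayur",
    f"arn:aws:iam::{ACCOUNT}:user/dev/admins/dev-admin",
    f"arn:aws:iam::{ACCOUNT}:user/prod/admins/prod-admin",
]


def users_matched_by(pattern: str) -> List[str]:
    """Which of the constructed users a policy Resource pattern would cover."""
    return [u for u in USERS if arn_matches(pattern, u)]


if __name__ == "__main__":
    for u in USERS:
        a = parse_arn(u)
        print(f"{u}: type={a.resource_type} path={a.path} name={a.name} region={a.region!r}")
    for p in (f"arn:aws:iam::{ACCOUNT}:user/dev/*", f"arn:aws:iam::{ACCOUNT}:user/*"):
        print(p, "->", users_matched_by(p))
```

Two things the output makes concrete: user/dev/* covers only the user under the /dev/ path, while user/* covers every user in the account regardless of path, which is why a careless wildcard in a Resource ARN is a mistake worth checking for. A Resource of user/dev-admin, on the other hand, matches nothing here, because the path is part of the ARN and the friendly name alone is not.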
How these identifiers work together:
Each identifier serves a different audience:
- Humans -> friendly names
- Policies and services -> ARNs
- AWS internal systems, CloudTrail and rewritten policies -> unique IDs
Common mistakes to avoid:
- Assuming friendly names are globally unique
- Renaming IAM resources (or changing their path) without checking the impact on policies that reference the old ARN
- Confusing a role ARN (arn:aws:iam::123456789012:role/name) with an instance profile ARN (arn:aws:iam::123456789012:instance-profile/name); EC2 launches take the instance profile, policies and trust relationships take the role
- Using wildcards carelessly in policy Resource ARNs: user/* covers every user in the account, whatever its path
Once you understand why each identifier exists, IAM becomes easier and safer to manage.
Top comments (1)
Really clear and beginner friendly article — thank you!