AWS ARN Parser & Builder
Parse any AWS ARN into its six components — partition, service, region, account-id, and resource — or build a valid ARN from individual fields. Switch between Parse and Build modes. Handles all resource formats: type/id, type:id, and plain id. Works entirely in the browser with no data sent anywhere.
How to use the AWS ARN Parser & Builder
Parse mode: paste any ARN into the input field and click Parse (or just type — it updates live). The tool splits the ARN at its colon-delimited sections and displays a table of components: partition, service, region, account-id, resource type, and resource ID. The resource section is parsed further if it contains a / or : separator between a resource type and resource ID.
Build mode: fill in the individual fields — partition (aws, aws-cn, or aws-us-gov), service short name (e.g. s3, iam, lambda), region (leave blank for global services like IAM and S3), account ID, optional resource type, resource ID, and the separator between type and ID (/ for most resources, : for some like CloudWatch log groups). The assembled ARN appears live below.
Click Example to load a real IAM role ARN and see its breakdown. Use Copy to copy the assembled ARN or parsed table to the clipboard.
What is an AWS ARN?
An Amazon Resource Name (ARN) is a globally unique identifier for every resource in AWS. ARNs follow the format arn:partition:service:region:account-id:resource. The partition identifies the AWS infrastructure group: aws for standard regions, aws-cn for the Beijing/Ningxia China regions, and aws-us-gov for GovCloud regions. The service is the AWS product short name (e.g. ec2, s3, iam, lambda). Region and account-id are omitted for global services (IAM, S3 bucket ARNs in policies) or when not applicable.
The resource section is the most variable part. It can be a plain resource name (my-bucket), a typed resource with a slash separator (role/MyRole), a typed resource with a colon separator (log-group:/aws/lambda/my-fn), or a hierarchical path (table/Orders/index/OrdersByDate). This inconsistency is one of the reasons parsing ARNs by hand is error-prone — each service has its own conventions.
ARNs appear in IAM policies (as Resource values), CloudFormation templates, CDK code, Terraform state, CloudWatch alarms, and SDK calls. Understanding the structure lets you write precise IAM policies, debug "Access Denied" errors by checking which ARN the action targeted, and construct resource references programmatically across accounts and regions.
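The splitting rules described above, as an added example in Python (not the tool's own code): the ARN is cut at its first five colons so the resource section keeps its own separators, then the resource is split once at its first / or :. The names Arn, parse_arn, build_arn and round_trip_ok are hypothetical, the sample ARNs are constructed, and accepting aws in the account field (as in AWS-managed IAM policy ARNs) is an assumption that goes beyond what this page covers.

```python
import re
from typing import NamedTuple, Optional

PARTITIONS = {"aws", "aws-cn", "aws-us-gov"}  # the partitions named on this page
class Arn(NamedTuple):
    partition: str
    service: str
    region: str                   # "" when the service leaves it blank
    account_id: str               # "" when the service leaves it blank
    resource_type: Optional[str]  # None for a plain resource id
    separator: Optional[str]      # "/" or ":" between type and id
    resource_id: str

def parse_arn(text: str) -> Arn:
    # maxsplit=5 keeps any colons inside the resource section intact
    parts = text.strip().split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError("expected arn:partition:service:region:account-id:resource")
    _, partition, service, region, account_id, resource = parts
    if partition not in PARTITIONS:
        raise ValueError(f"unknown partition: {partition!r}")
    if not service or not resource:
        raise ValueError("service and resource must be non-empty")
    # Assumption: 12 digits, empty, or the literal "aws" (AWS-managed IAM policies)
    if account_id and not re.fullmatch(r"\d{12}|aws", account_id):
        raise ValueError(f"unexpected account-id: {account_id!r}")
    # Split type from id at the first "/" or ":"; later separators stay in the id
    m = re.search(r"[/:]", resource)
    if m is None or m.start() == 0:
        return Arn(partition, service, region, account_id, None, None, resource)
    return Arn(partition, service, region, account_id,
               resource[:m.start()], m.group(), resource[m.end():])

def build_arn(arn: Arn) -> str:
    resource = arn.resource_id
    if arn.resource_type:
        resource = f"{arn.resource_type}{arn.separator or '/'}{arn.resource_id}"
    return ":".join(["arn", arn.partition, arn.service, arn.region, arn.account_id, resource])

# Constructed sample ARNs, one per resource format described above
SAMPLES = [
    "arn:aws:s3:::my-bucket",
    "arn:aws:iam::123456789012:role/division/team/MyRole",
    "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/my-fn",
    "arn:aws:dynamodb:us-east-1:123456789012:table/Orders/index/OrdersByDate",
]

def round_trip_ok(samples=SAMPLES) -> bool:
    return all(build_arn(parse_arn(s)) == s for s in samples)
```

The first-separator split is a heuristic: for arn:aws:s3:::my-bucket/* it reports my-bucket as the resource type, so compare the partition, account-id and full resource string when checking an ARN against a policy rather than relying on the type/id split alone.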
Common use cases
- IAM policy authoring — build the exact ARN needed for a Resource field without guessing format or forgetting the account number.
- Cross-account access debugging — paste the ARN from an "Access Denied" log and verify that region, account-id, and resource path are what you expected.
- Terraform / CDK development — decompose an ARN output from terraform state show or the console to extract individual fields for use as variables.
- Multi-partition deployments — switch the partition field to generate the equivalent GovCloud or China-region ARN for a mirrored resource.
- Documentation and runbooks — quickly explain the structure of a specific ARN to teammates unfamiliar with the service's naming conventions.
- Script validation — sanity-check an ARN your automation script assembled before passing it to an SDK call.
Frequently asked questions
Why are region and account-id sometimes blank in an ARN?
arn:aws:s3:::my-bucket). Some resource types like CloudFront distributions also omit the region field.
When does the resource section use : vs / as a separator?
/ (e.g. role/MyRole, function:my-fn for Lambda uses :). CloudWatch Logs uses : for log-group names. Always check the service-specific ARN format in the AWS documentation.
Can I use wildcards in ARNs?
* matches any string and ? matches any single character. For example arn:aws:s3:::my-bucket/* matches all objects in a bucket.
What is the difference between the aws-cn and aws-us-gov partitions?
aws-cn covers the Beijing and Ningxia regions operated by Sinnet/NWCD under a separate agreement. aws-us-gov covers GovCloud (US-East and US-West) for US government workloads. ARNs in these partitions are not interchangeable with standard aws ARNs.
Can an ARN contain a path with multiple slashes?
arn:aws:iam::123456789012:role/division/team/MyRole. The resource type is still role and the full resource ID (including path) is division/team/MyRole.