[AWS](EN) Why an AWS IAM ARN changes to a unique identifier in a policy, and the solution


Environment and Prerequisite

  • AWS


Background

  • An AWS IAM role ARN in an AWS KMS key policy is, at some point, automatically changed to a unique identifier
  • At first I didn't know it was a unique identifier; it looked as if it had been changed to a hash-like string, so I asked AWS
"Principal": {
  "AWS": [
    "arn:aws:iam::111122223333:role/role-name",
    "AIDACKCEVSQ6C2EXAMPLE",
    "AROADBQP57FF2AEXAMPLE"
  ]
}


AWS IAM ARN Unique Identifier

According to the official AWS documentation, every IAM entity has a unique identifier.

“When IAM creates a user, user group, role, policy, instance profile, or server certificate, it assigns a unique ID to each resource.”

So the two bare strings above are unique identifiers, not hashes: the "AIDA" prefix marks an IAM user's unique ID and the "AROA" prefix marks an IAM role's unique ID. The example above is taken from the official documentation.


Reason why an AWS IAM ARN changes to a unique identifier in a policy

The ARN changes to a unique identifier because the principal it pointed to has been deleted. When you save a policy whose Principal element names an IAM user or role by ARN, AWS resolves the ARN to that entity's unique ID and stores the ID; while the entity exists the policy displays the ARN, but once the entity is deleted only the unique ID is left to display. Recreating a user or role with the same name does not restore access, because the new entity gets a new unique ID and the stale entry still refers to the old one. This is deliberate: if the policy matched on the name, anyone who could create a role with the same name would silently regain access to the key. The fix is therefore to remove the unique-ID entry from the policy and add the ARN of the new principal. In short, any principal that appears as a unique identifier, as in the policy above, has already been deleted, so removing that entry is the right thing to do.
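As an added example (not from the original post or from AWS), the clean-up described above as a small Python routine that works on a key policy document: it finds every Principal.AWS entry that is a bare unique ID, drops it, and substitutes the recreated principal's ARN where you supply one. The sample policy is constructed here, modelled on the snippet quoted earlier, and the regex for the unique-ID shape is an assumption (AIDA/AROA prefixes are documented; the exact length is not).

```python
import copy
import json
import re

# IAM unique IDs that AWS substitutes for a deleted principal: AIDA... (user),
# AROA... (role). The prefixes are documented; the length/charset is an
# assumption based on the examples in the AWS docs.
UNIQUE_ID_RE = re.compile(r"^(?:AIDA|AROA)[A-Z0-9]{16,}$")

# Constructed sample key policy (not a real one): one live role ARN plus
# principals that AWS has already replaced with unique IDs.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:role/role-name",
                    "AIDACKCEVSQ6C2EXAMPLE",
                    "AROADBQP57FF2AEXAMPLE",
                ]
            },
            "Action": ["kms:Encrypt", "kms:Decrypt"],
            "Resource": "*",
        },
        {
            "Sid": "Single stale principal given as a string",
            "Effect": "Allow",
            "Principal": {"AWS": "AROADBQP57FF2AEXAMPLE"},
            "Action": "kms:DescribeKey",
            "Resource": "*",
        },
    ],
}


def _aws_principals(statement):
    """Return the statement's Principal.AWS entries as a list ([] if absent or '*')."""
    principal = statement.get("Principal")
    if not isinstance(principal, dict):
        return []
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def find_stale_principals(policy):
    """List (statement_index, unique_id) for every principal that is a bare unique ID."""
    stale = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        for p in _aws_principals(stmt):
            if UNIQUE_ID_RE.match(p):
                stale.append((i, p))
    return stale


def replace_stale_principals(policy, replacements):
    """Return a copy of the policy with stale unique IDs removed from Principal.AWS.

    `replacements` maps a stale unique ID to the ARN of the recreated principal;
    IDs without a mapping are simply dropped. A statement whose Principal.AWS
    would become empty is removed entirely, since a key policy statement with
    an empty principal list is not valid.
    """
    new_policy = copy.deepcopy(policy)
    kept = []
    for stmt in new_policy.get("Statement", []):
        principals = _aws_principals(stmt)
        if not principals:            # Service principals, "*", etc.: untouched
            kept.append(stmt)
            continue
        fresh = []
        for p in principals:
            if UNIQUE_ID_RE.match(p):
                if p in replacements:
                    fresh.append(replacements[p])
            else:
                fresh.append(p)
        fresh = list(dict.fromkeys(fresh))   # de-duplicate, keep order
        if not fresh:
            continue
        stmt["Principal"]["AWS"] = fresh if len(fresh) > 1 else fresh[0]
        kept.append(stmt)
    new_policy["Statement"] = kept
    return new_policy


if __name__ == "__main__":
    print(find_stale_principals(SAMPLE_POLICY))
    fixed = replace_stale_principals(
        SAMPLE_POLICY,
        {"AROADBQP57FF2AEXAMPLE": "arn:aws:iam::111122223333:role/role-name-recreated"},
    )
    print(json.dumps(fixed, indent=2))
```

In practice you would feed it the output of `aws kms get-key-policy --key-id <key-id> --policy-name default --output text`, review the list from find_stale_principals before deciding which IDs map to a recreated principal and which should just be dropped, and write the result back with `aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://policy.json`. Because the unique ID alone does not tell you which role it used to be, check CloudTrail or your IaC history before mapping an ID to a new ARN rather than guessing from the name.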


Reference