3

I'm playing around with writing IAM policies for an AWS WAF regional resource. I've created a rule for which I'm trying to see if I can write an IAM policy. That's where I realized that IAM policies require ARNs and not just resource Ids.

I used the GetRule API to see if that returns the ARN of the rule and it doesn't. It only returns the ID. I checked the AWS docs now:

1. https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
2. https://docs.aws.amazon.com/waf/latest/developerguide/waf-api-permissions-ref.html

The ARN pattern is a little confusing: the first document gives the pattern as arn:aws:waf-regional::account-id:resource-type/resource-id, but the example below it has a specific region in there.

The same happens with the second document for writing IAM policies: WAF regional does seem to have a region in the ARN. Now where can I get the ARN for this resource? And which document should I be referring to as the source of truth?

Thanks!

neuro
chrisrhyno2003

1 Answer

2

I found this frustrating as well. awscli get-rule does not return the ARN. get-web-acl does, however, so I used the pattern from that, and it worked when passing it to the ResourceARN field for the other rule endpoints. I can't say whether it will work for use in IAM policies, but this is the format that worked for me:

arn:aws:waf-regional:<your-region>:<your-account-id>:rule/<rule-id>
Pathead
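Added example, not from the question or the answer: a small Python helper that builds a rule ARN in the format the answer gives, checks that an ARN carries the region component shown in the WAF permissions reference (the region-less pattern from the general ARN page is rejected), and scopes an IAM statement to that single rule. The region, account ID and rule ID used below are constructed placeholders.

```python
import re

# Region-bearing form from the answer and the WAF permissions reference.
# Resource types listed here are the WAF Classic regional ones we know of.
WAF_REGIONAL_ARN_RE = re.compile(
    r"^arn:aws:waf-regional:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
    r"(?P<type>rule|webacl|ipset|ratebasedrule)/(?P<id>[0-9a-f-]+)$"
)


def build_rule_arn(region, account_id, rule_id):
    """Build a waf-regional rule ARN from the RuleId that GetRule returns."""
    return f"arn:aws:waf-regional:{region}:{account_id}:rule/{rule_id}"


def parse_waf_regional_arn(arn):
    """Return the ARN's components, or None if it lacks the region or is malformed."""
    m = WAF_REGIONAL_ARN_RE.match(arn)
    return m.groupdict() if m else None


def rule_policy(rule_arn, actions):
    """Least-privilege IAM policy: the given actions on exactly one rule."""
    parsed = parse_waf_regional_arn(rule_arn)
    if parsed is None or parsed["type"] != "rule":
        raise ValueError(f"not a waf-regional rule ARN: {rule_arn}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": list(actions), "Resource": rule_arn}
        ],
    }


if __name__ == "__main__":
    # Constructed placeholder values, not a real account or rule.
    arn = build_rule_arn(
        "us-east-1", "123456789012", "11111111-2222-3333-4444-555555555555"
    )
    print(arn)
    print(parse_waf_regional_arn(arn))
    print(rule_policy(arn, ["waf-regional:GetRule", "waf-regional:UpdateRule"]))
```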