Article by Nick Frichette
Derive a Principal ARN from an AWS Unique Identifier
Original Research
Additional Resources: Reference: Unique identifiers
When operating in an AWS environment, you may come upon a variety of IAM unique identifiers. Each identifier corresponds to a particular type of IAM resource, and that type can be identified from the prefix (the first four characters).
For IAM users (AIDA) and roles (AROA), you can reverse the unique ID to its corresponding ARN by referencing it in a resource-based policy: IAM stores principals by unique ID and renders them as ARNs when the policy is displayed, so an ID you put in a Principal element comes back as the ARN of the user or role it belongs to.
To do this, we can use the example ID AROAJMD24IEMKTX6BABJI from Aidan Steele's excellent explanation of the topic. While this technique should work with most resource-based policies, we will use a role's trust policy.
First, we will create a role with the following trust policy:
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "AROAJMD24IEMKTX6BABJI"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
We will then save the policy and refresh the page.
Note: You may get a warning in the policy editor saying, "Invalid Role Reference: The Principal element includes the IAM role ID AROAJMD24IEMKTX6BABJI. We recommend that you use a role ARN instead", however this will not prevent you from saving the policy.
After refreshing the page the policy will now be as follows:
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::607481581596:role/service-role/abctestrole"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
This reveals the ARN of the role associated with the original unique identifier, including the account ID it lives in. Two caveats: the lookup only works while the user or role still exists, because IAM resolves stored IDs back to ARNs on display and shows an ID whose principal has been deleted unchanged; and the saved trust policy now allows that principal to call sts:AssumeRole on your throwaway role, so delete the role once you have the ARN.
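The same procedure scripted end to end, as an added example that is not code from the original article or from Aidan Steele's write-up: it checks the ID's prefix, builds the trust policy with the raw ID as Principal, creates a throwaway role, reads the trust policy back and reports whether the Principal came back as an ARN or as the unchanged ID, then deletes the role so the resolved principal is not left able to assume it. It assumes boto3 is installed, that credentials with iam:CreateRole, iam:GetRole and iam:DeleteRole are configured when resolve_via_role() is called, and that the IAM API accepts the raw ID the way the console does; the role name unique-id-lookup-tmp is an arbitrary choice. The prefix table and parsing helpers run offline without boto3.

```python
"""Resolve an IAM unique ID (AIDA.../AROA...) to its ARN through a throwaway
role's trust policy.  Added example; not code from the original article.
Assumptions: boto3 and IAM credentials are only needed by resolve_via_role();
the helpers above it run offline."""
import json
import re
from urllib.parse import unquote

# Prefixes from the AWS "Reference: Unique identifiers" page.  Only user and
# role IDs are accepted in a Principal element, so only those resolve this way.
PREFIX_TYPES = {
    "AIDA": "IAM user",
    "AROA": "IAM role",
    "AGPA": "IAM group",
    "AIPA": "EC2 instance profile",
    "AKIA": "Access key",
    "ASIA": "Temporary (STS) access key",
    "ANPA": "Managed policy",
    "ANVA": "Managed policy version",
    "APKA": "Public key",
}
RESOLVABLE = {"AIDA", "AROA"}


def id_type(unique_id):
    """Classify a unique ID by its four-character prefix; None if unknown."""
    if not re.fullmatch(r"[A-Z0-9]{20,}", unique_id):
        return None
    return PREFIX_TYPES.get(unique_id[:4])


def trust_policy_for(unique_id):
    """Build the trust policy from the article, with the raw ID as Principal."""
    if unique_id[:4] not in RESOLVABLE:
        raise ValueError(f"{unique_id}: only AIDA/AROA IDs resolve to an ARN")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ResolveUniqueId",
            "Effect": "Allow",
            "Principal": {"AWS": unique_id},
            "Action": "sts:AssumeRole",
        }],
    }


def resolved_principal(policy_document):
    """Read the (single) Principal back out of a stored trust policy.

    Returns ("resolved", arn) when IAM displayed the ID as an ARN, or
    ("unresolved", id) when it came back unchanged, which is what IAM shows
    once the principal has been deleted.  Accepts the dict boto3 returns or
    the URL-encoded JSON string the raw IAM API returns.
    """
    if isinstance(policy_document, str):
        policy_document = json.loads(unquote(policy_document))
    principal = policy_document["Statement"][0]["Principal"]["AWS"]
    if principal.startswith("arn:"):
        return ("resolved", principal)
    return ("unresolved", principal)


def resolve_via_role(unique_id, role_name="unique-id-lookup-tmp"):
    """Create a throwaway role, read its trust policy back, then delete it.

    The role is deleted in all cases: once saved, its trust policy lets the
    resolved principal call sts:AssumeRole on it.  The role name is an
    arbitrary (assumed) choice.
    """
    import boto3  # imported here so the offline helpers work without it
    iam = boto3.client("iam")
    iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(trust_policy_for(unique_id)),
    )
    try:
        role = iam.get_role(RoleName=role_name)["Role"]
        # boto3 hands AssumeRolePolicyDocument back already decoded to a dict.
        return resolved_principal(role["AssumeRolePolicyDocument"])
    finally:
        iam.delete_role(RoleName=role_name)


if __name__ == "__main__":
    import sys
    uid = sys.argv[1] if len(sys.argv) > 1 else "AROAJMD24IEMKTX6BABJI"
    print(uid, "->", id_type(uid))
    print(*resolve_via_role(uid))
```

Run it with an ID as the first argument; an "unresolved" result means IAM stored the ID without finding a live user or role behind it, and an API error on create_role means the policy was rejected outright, so the script never has a role to clean up in that case.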