# Amazon Resource Names (ARNs) in Amazon Quick Sight
<a name="qs-arns"></a>

Amazon Resource Names (ARNs) uniquely identify AWS resources. An ARN identifies a resource unambiguously across all of AWS, for example in IAM policies, Amazon Relational Database Service (Amazon RDS) tags, and API calls. To retrieve the ARN of an Amazon Quick Sight resource, you can use the `Describe` operation on the relevant resource. 

You can use this section to learn how ARNs work. The material here provides examples are geared specifically for Amazon Quick Sight.

**Topics**
+ [ARN Formats](qs-arn-format.md)
+ [Amazon Quick Sight Resource ARNs](qs-resource-arns.md)

# ARN Formats
<a name="qs-arn-format"></a>

ARNs are delimited by colons, and composed of *segments*, which are the parts separated by colons (`:`). The specific components and values used in the segments of an ARN depend on which AWS service the ARN is for. The following example shows how ARNs are constructed.

```
arn:partition:service:region:account-id:resource-id
arn:partition:service:region:account-id:resource-type/resource-id
arn:partition:service:region:account-id:resource-type:resource-id
```

These ARNs contain the following segments:

***`partition`*** – The partition that the resource is in. For standard AWS Regions, the partition is *aws*. If you have resources in other partitions, the partition is *aws-partitionname*. For example, the partition for resources in the China (Beijing) Region is `aws-cn`. 

***`service`*** – The service namespace that identifies the AWS product. For example, `quicksight` identifies Amazon Quick Sight, `s3` identifies Amazon S3, `iam` identifies IAM, and so on. 

***`region`*** – The AWS Region that the resource resides in. The ARNs for some resources don't require an AWS Region, so this component might be omitted in some cases, like in the case of S3. Amazon Quick Sight ARNs require an AWS Region. 

***`account-id`*** – The ID of the AWS account that owns the resource. When you use the account number in an ARN or an API operation, you omit the hyphens (for example, 123456789012). The ARNs for some resources don't require an account number, so this component might be omitted. Amazon Quick Sight ARNs require an AWS account number. However, the account number and the AWS Region are omitted from S3 bucket ARNs, as shown following.

```
arn:aws:s3:::bucket_name
arn:aws:s3:::bucket_name/key_name
```

***`resource`* or *`resource-type`*** – The content of this part of the ARN varies by service. A resource identifier can be the name or ID of the resource (for example, `user/Bob` or `instance/i-1234567890abcdef0`) or a resource path. For example, some resource identifiers include a parent resource ( `sub-resource-type/parent-resource/sub-resource`) or a qualifier such as a version ( *resource-type*:*resource-name*:*qualifier*). 

Some resource ARNs can include a path, a variable, or a wildcard. 

You can use wildcard characters (`*` and `?`) within any ARN segment . An asterisk (`*`) represents any combination of zero or more characters, and a question mark (`?`) represents any single character. You can use multiple \$1 or ? characters in each segment. If you are using the ARN for permissions, avoid using `*` wildcards if possible, to limit access to only the required elements. Following are some examples of using paths, wildcards, and variables.

For the following example, we use an S3 ARN. You might use this when you give permissions to S3 in an IAM policy. This S3 ARN shows a path and file are specified. 

**Note**  
The term *key name* is used to describe what looks like a path and file after `bucketname/`. These are called key names because a bucket doesn't actually contain folder structures like those used in your computer's file system. Instead the slash (`/`) is a delimiter that helps to make the organization of the bucket more intuitive. In this case, the bucket name is `amzn-s3-demo-bucket`, and the key name is `developers/design_info.doc`. 

```
arn:aws:s3:::amzn-s3-demo-bucket/my-data/sales-export-2019-q4.json
```

If you want to identify all the objects in the bucket, you can use a wildcard to indicate that all key names (or paths and files) are included in the ARN, as follows.

```
arn:aws:s3:::amzn-s3-demo-bucket/*
```

You can use part of a key name plus the wildcard to identify all the objects that begin with a specific pattern. In this case, it resembles a folder name plus a wildcard, as shown following. However, this ARN also includes any "subfolders" inside of `my-data`.

```
arn:aws:s3:::amzn-s3-demo-bucket/my-data/*
```

You can specify a partial name by adding a wildcard. This one identifies any objects beginning with `my-data/sales-export*`. 

```
arn:aws:s3:::amzn-s3-demo-bucket/my-data/sales-export*
```

In this case, specifying using this wildcard includes the objects with names like the following:
+ `my-data/sales-export-1.xlsx`
+ `my-data/sales-export-new.txt`
+ `my-data/sales-export-2019/file1.txt`

You can use wildcards of both types (asterisks and question marks) in combination or separately, as shown following.

```
arn:aws:s3:::amzn-s3-demo-bucket/my-data/sales-export-2019-q?.*

arn:aws:s3:::amzn-s3-demo-bucket/my-data/sales-export-20??-q?.*
```

Or, if you want to future-proof the ARN, you can replace the entire year with a wildcard, rather than just using wildcards for the last two digits.

```
arn:aws:s3:::amzn-s3-demo-bucket/my-data/sales-export-????-q?.*
arn:aws:s3:::amzn-s3-demo-bucket/my-data/sales-export-*-q?.*
```

To read more about S3 ARNs, see [Specifying Resources in a Policy](https://docs.aws.amazon.com//AmazonS3/latest/dev/s3-arn-format.html) and [Object Key and Metadata](https://docs.aws.amazon.com//AmazonS3/latest/dev/UsingMetadata.html) in the *Amazon Simple Storage Service User Guide.*

# Amazon Quick Sight Resource ARNs
<a name="qs-resource-arns"></a>

The following resource types are defined by Amazon Quick Sight: user, group, dashboard, and topic. These are used in Amazon Quick Sight API calls and as elements of IAM permission statements. To find up-to-date information for Amazon Quick Sight (service prefix: quicksight) resources, actions, and condition context keys for use in IAM permission policies, see [Actions, Resources, and Condition Keys for Amazon Quick Sight](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonquicksight.html) in the *IAM User Guide.* 


| Resource Type | ARN Format | Condition Keys | 
| --- | --- | --- | 
| user | arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:user/\$1\$1ResourceId\$1 | N/A | 
| group | arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:group/\$1\$1ResourceId\$1 | N/A | 
| dashboard | arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:dashboard/\$1\$1ResourceId\$1 | N/A | 
| topic | arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:topic/\$1\$1ResourceId\$1 | N/A | 
| analysis | arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:analysis/\$1\$1ResourceId\$1 | N/A | 
| template | arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:template/\$1\$1ResourceId\$1 | N/A | 
| theme | arn:\$1\$1Partition\$1:quicksight:\$1\$1Region\$1:\$1\$1Account\$1:theme/\$1\$1ResourceId\$1 | N/A | 

Resource ARNs are constructed from the segments that describe your resource. For example, a resource ARN for an analysis consists of the following segments. 

```
arn:<partition>:quicksight:<aws-region>:<aws-account-id>:<resource-type>/<resource-id>
```

The segments are defined as follows:
+ *`partition`* – For example, `aws` or `aws-cn`.
+ *`aws-region`* – The AWS Region that contains the resource. 
+ *`aws-account-id`* – The AWS account that contains the resource. This excludes the hyphens.
+ *`resource-type`* – The type of resource. For this example, this is `analyses`. For a dashboard, it is `dashboard`.
+ *`resource-id`* – The unique identifier for a specific resource.

The AWS Region, resource type, and resource ID are identified in the URL of the resource when you are using the Amazon Quick Sight console. For example, let's say this is the URL of the analysis you want an ARN for.

```
https://us-east-2.quicksight.aws.amazon.com/sn/analysis/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
```

The AWS Region is `us-east-2`. The resource-type is `analysis`. The resource ID in this URL is `a1b2c3d4-5678-90ab-cdef-EXAMPLE11111`. If your account number is `111122223333`, then the ARN for this analysis is as follows.

```
arn:aws:quicksight:us-east-2:111122223333:analysis/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
```

To get your AWS account number, contact your system administrator.

**To get the dataset ID**

1. Navigate to the desired dataset page. You will be able to find the ID in the url. For example, `https://us-east-1.quicksight.aws.amazon.com/sn/data-sets/085fb6a4-c606-4949-b1ee-52cffadac462/`. The dataset ID in this instance would be `085fb6a4-c606-4949-b1ee-52cffadac462`.

1. Alternatively, you can use an API call to find the dataset ID.

   `aws quicksight list-data-sets --aws-account-id your-aws-account-id`

   You will see the dataset ID in the result, for example:

   `"DataSetId": "a165d37b-c071-4648-8039-e4db5e5f7f08"`

**To get the data source ID**
+ Use an API call to find the data source ID.

  `aws quicksight list-data-sources --aws-account-id your-aws-account-id`

  You will see the data source ID in the result, for example:

  `"DataSourceId": "1491fa60-1f19-4c0f-9f56-c72413a24986"`