Updated on 2025-11-07 GMT+08:00

Using URNs to Identify Huawei Cloud Resources

Definition

A uniform resource name (URN) is the unique identifier of a cloud service resource. When you need to specify a resource on Huawei Cloud, for example, in an identity policy or API call, you are required to use the resource URN. Use and share URNs with caution, but do not treat them as confidential information.

URN Format

<service-name>:<region>:<account-id>:<type-name>:<resource-path>

  • service-name: the abbreviation of a cloud service name, for example, ecs.
  • region: the region where the resource is located, for example, cn-north-1. For a global service, the region can be an asterisk (*) or left blank.
  • account-id: the account ID of a tenant. For a public resource, for example, a system identity policy, use system as its account ID.
  • type-name: the resource type. For example, enter instance for an ECS.
  • resource-path: the resource path. Depending on the cloud service, it may be the resource name, ID, or path. The resource path may contain colons (:).

Example URN

IAM user

iam::{account_id}:user:{user_name}

User group

iam::{account_id}:group:{group_name}

Agency or trust agency

iam::{account_id}:agency:{agency_name}

Service-linked agency

iam::{account_id}:agency:service-linked-agency/{service_principal}/{agency_name}

Custom identity policy

iam::{account_id}:policy:{policy_name}

System-defined identity policy

iam::system:policy:CCEFullPolicy

Assumed-agency/trust agency session

sts::{account_id}::assumed-agency:{agency_name}/{agency_session_name}

For an assumed-agency/trust agency session obtained through POST /v5/agencies/assume, agency_session_name in the URN is the value of agency_session_name in the request body of that API call.

agency_session_name in the URN of the assumed-agency session obtained through POST /v3.0/OS-CREDENTIAL/securitytokens is fixed to null.

agency_session_name in the URN of the session after an agency or trust agency is switched on the console is fixed to null.

URN Format of a Specific Resource

The URN format varies depending on the cloud service and resource type. Some URNs can contain paths, variables, or wildcards. For the URN format of a specific resource, see Actions Supported by Identity Policy-based Authorization, open the chapter for the relevant cloud service, and go to the "Resource Types" section.

Using Resource Path Wildcards in Identity Policies

You can use the wildcard (*) in the "Resource" element of an identity policy to match URNs.

You can use "agency:*" to indicate all agencies and trust agencies in an account. For example, you can attach the following identity policy to an identity to query all trust agencies in the account:

{
	"Version": "5.0",
	"Statement": [{
		"Effect": "Allow",
		"Action": [
			"iam:agencies:listV5"
		],
		"Resource": [
			"iam:*:8c1eef3a241945f69c3d3a6b0252e783:agency:*"
		]
	}]
}

You can also use wildcards in different parts of the URN. For example, you can attach the following identity policy to an identity to assume any trust agency of any other account (your account must be trusted by the other account):

{
	"Version": "5.0",
	"Statement": [{
		"Effect": "Allow",
		"Action": [
			"sts:agencies:assume"
		],
		"Resource": [
			"iam:*:*:agency:*"
		]
	}]
}
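
As an added example (not Huawei Cloud code), the Python sketch below parses a URN in the format given under URN Format, keeping colons inside the resource path, and reports which fields of each "Resource" entry in an identity policy use the wildcard. The function names, the choice to skip the region field, and the tolerance for a bare-string "Resource" are assumptions of this example; the two policies are the ones shown above.

```python
import json
from typing import NamedTuple

class Urn(NamedTuple):
    service: str
    region: str
    account_id: str
    type_name: str
    resource_path: str

def parse_urn(urn: str) -> Urn:
    # Only the first four colons separate fields; the resource path
    # is the remainder and may itself contain colons.
    parts = urn.split(":", 4)
    if len(parts) != 5:
        raise ValueError(f"expected 5 URN fields, got {len(parts)}: {urn!r}")
    return Urn(*parts)

def audit_policy(policy: dict) -> list:
    """List (resource, actions, wildcarded fields) for each Allow resource
    that uses '*' outside the region field."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):  # assumption: tolerate a bare string
            resources = [resources]
        for res in resources:
            urn = parse_urn(res)
            # Region is skipped: the page allows '*' there for global services.
            wild = [f for f in ("account_id", "type_name", "resource_path")
                    if "*" in getattr(urn, f)]
            if wild:
                findings.append((res, stmt.get("Action", []), wild))
    return findings

# The two identity policies shown on this page, condensed.
LIST_AGENCIES = json.loads('''{"Version": "5.0", "Statement": [{"Effect": "Allow",
  "Action": ["iam:agencies:listV5"],
  "Resource": ["iam:*:8c1eef3a241945f69c3d3a6b0252e783:agency:*"]}]}''')
ASSUME_ANY = json.loads('''{"Version": "5.0", "Statement": [{"Effect": "Allow",
  "Action": ["sts:agencies:assume"], "Resource": ["iam:*:*:agency:*"]}]}''')

if __name__ == "__main__":
    for name, pol in (("list", LIST_AGENCIES), ("assume", ASSUME_ANY)):
        for res, actions, wild in audit_policy(pol):
            print(f"{name}: {actions} on {res} -> wildcard in {', '.join(wild)}")
```

A finding that lists account_id means the statement is not scoped to a single account, which is the case to review first when checking policies for least privilege.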