Amazon Web Services (AWS) - List Caller Identity using the AWS CLI
by
Jeremy Canfield |
Updated: April 15 2024
| Amazon Web Services (AWS) articles
This assumes you have already configured the aws command line tool. If not, check out my article on Getting Started with the AWS CLI.
- An IAM Policy allows certain actions (such create) on certain resources (such as EC2)
- An IAM User is typically a users account (such as john.doe) that contains an IAM Identity-Based Policy that allows certain actions (such as list) on certain resources (such S3)
- An IAM Role contains an IAM Policy that allows certain actions (such create) on certain resources (such as EC2) - Let's say the Identity-Based Policy attached to john.doe does NOT allow create S3 - john.doe could Assume a Role that allows create S3
- Assume Role or Switch Role using Python boto3
- Assume Role or Switch Role using Terraform
- Assume Role or Switch Role using the AWS CLI
- Often, a Role will have two Policies:
The aws sts get-caller-identity command can be used to return the User ID, Account Number, and Amazon Resource Number (ARN) of the user issing a command using the AWS CLI.
~]$ aws sts get-caller-identity
{
"UserId": "AIDA2MITL76GLUA6B2DRP",
"Account": "123456789012",
"Arn": "arn:aws:iam::123456789012:user/johndoe"
}
By default, the default profile in your AWS credentials file will be used.
~]$ cat /home/john.doe/.aws/credentials
[default]
aws_secret_access_key = Xw3kZVaxTfvDKBMGf6R79Unf5LG4kdf9piuHfhn13
aws_access_key_id = 34VGB4HYOC2ABCO67BKD
Let's say you have two or more profiles in your AWS credentials file.
~]$ cat /home/john.doe/.aws/credentials
[default]
aws_secret_access_key = Xw3kZVaxTfvDKBMGf6R79Unf5LG4kdf9piuHfhn13
aws_access_key_id = 34VGB4HYOC2ABCO67BKD
[janedoe]
aws_secret_access_key = ABCDEFG123456789ABCDEFG123456789ABCDEFG12
aws_access_key_id = 123456789ABCDEFG1234
The --profile option can be used to used a certain profile in your AWS credentials file.
~]$ aws sts get-caller-identity --profile janedoe
{
"UserId": "ZCD152GB835DBD568ABD182",
"Account": "123456789012",
"Arn": "arn:aws:iam::123456789012:user/janedoe"
}
It is also noteworthy that instead of a user or role being returned, you may see assumed-role.
~]$ aws sts get-caller-identity --profile jackdoe
{
"UserId": "AROAXMKSNBAOZOTCVGUFK:jackdoe",
"Account": "123456789012",
"Arn": "arn:aws:sts::123456789012:assumed-role/admin-role/jackdoe"
}
Did you find this article helpful?
If so, consider buying me a coffee over at 