
Is there a command/subcommand that can be passed to the aws utility that can 1) verify that the credentials in the ~/.aws/credentials file are valid, and 2) give some indication which user the credentials belong to? I'm looking for something generic that doesn't make any assumptions about the user having permissions to IAM or any specific service.

The use case for this is a deploy-time sanity check to make sure that the credentials are good. Ideally there would be some way to check the return value and abort the deploy if there are invalid credentials.

John Rotenstein
smitelli
  • Might I suggest that this would be better asked at http://serverfault.com/? Stack Overflow is specifically for programming questions. – Tripp Kinetics Aug 05 '15 at 15:37
  • @TrippKinetics Yeah, I was on the fence about where to ask. In my mind, the meat of the question was more about programmatically querying an API rather than managing servers per se. – smitelli Aug 05 '15 at 15:53

2 Answers

Use GetCallerIdentity:
aws sts get-caller-identity

Unlike other API/CLI calls it will always work, regardless of your IAM permissions.

You will get output in the following format:

{
    "Account": "123456789012",
    "UserId": "AR#####:#####",
    "Arn": "arn:aws:sts::123456789012:assumed-role/role-name/role-session-name"
}

Exact ARN format will depend on the type of credentials, but often includes the name of the (human) user.

It uses the standard AWS CLI error codes giving 0 on success and 255 if you have no credentials.

Jason
  • This is a great answer, but if you are using MFA, look out -- it's more complicated. With MFA, you need to use working credentials (i) combined with a MFA token to get different working temporary credentials (ii) and with this solution, you get the same results for credentials (i) or (ii). – Mark Chackerian Jul 27 '17 at 15:33
  • @MarkChackerian That's not always the case. I have created a user whose MFA is being enforced using [Trek10's policy](https://www.trek10.com/blog/improving-the-aws-force-mfa-policy-for-IAM-users/). With MFA session token not active, if I execute `aws iam get-user --profile test-mfa`, I get: `An error occurred (AccessDenied) when calling the GetUser operation`. However, `aws sts get-caller-identity --profile test-mfa` outputs (similarly, with no MFA session token active) the `test-mfa`'s Account, ARN, and the UserId. – Ville Oct 18 '17 at 23:42
  • Getting error code 254 (not described in your link) and message `An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.` – jangorecki Oct 16 '20 at 10:38
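A deploy-time sanity check built around this answer's command, added here as an example; it is not code from the answer or from AWS. It assumes the AWS CLI is on PATH (or named by the AWS_CLI variable) and that credentials come from the usual sources (~/.aws/credentials, AWS_PROFILE, environment variables, an instance or role profile). It uses `--query` to pull the Account and Arn fields so no jq is needed, and it goes one step beyond the answer with an optional expected-account guard, since valid credentials for the wrong account are a common way a deploy goes wrong.

```shell
#!/bin/sh
# Deploy-time credential sanity check built on `aws sts get-caller-identity`.
# Added example, not code from the original answer or from AWS. Assumes the AWS
# CLI is on PATH (override with AWS_CLI=/path/to/aws) and that credentials are
# resolved by the CLI in the normal way (~/.aws/credentials, AWS_PROFILE, env
# vars, instance/role profile).

# Print "<account-id><TAB><caller-arn>" and return the CLI's own exit status
# (0 on success; 255 when no credentials are found, 254 when the key is rejected,
# as reported in the answer and its comments).
aws_identity() {
    "${AWS_CLI:-aws}" sts get-caller-identity --query '[Account, Arn]' --output text
}

# check_aws_credentials [expected_account_id]
# Returns 0 only if STS accepts the credentials and, when an expected account id
# is given, the caller belongs to that account. Prints one line naming the
# caller so the deploy log records which identity performed the deploy.
# The CLI's own stderr (e.g. "Unable to locate credentials") is left visible.
check_aws_credentials() {
    expected_account=${1:-}
    if identity=$(aws_identity); then
        :
    else
        echo "AWS credential check failed (aws exit status $?)" >&2
        return 1
    fi
    # Split the tab-separated "account arn" pair; neither field contains whitespace.
    set -- $identity
    account=$1
    arn=$2
    if [ -z "$account" ] || [ -z "$arn" ]; then
        echo "AWS credential check failed: unexpected output '$identity'" >&2
        return 1
    fi
    if [ -n "$expected_account" ] && [ "$account" != "$expected_account" ]; then
        echo "AWS credential check failed: caller is in account $account, expected $expected_account" >&2
        return 1
    fi
    echo "Deploying as $arn (account $account)"
    return 0
}

# Stand-alone use: `DEPLOY_CHECK=1 sh deploy-check.sh [expected-account-id]`
# (hypothetical file name). From a deploy script, source this file and call
# check_aws_credentials directly; a non-zero return aborts the deploy.
if [ "${DEPLOY_CHECK:-0}" = 1 ]; then
    check_aws_credentials "${1:-}" || { echo "Aborting deploy." >&2; exit 1; }
fi
```

Because `set -e` does not fire inside an `if` condition, the function captures the CLI's exit status itself rather than relying on the caller's shell options, and the account guard is opt-in so the same check works for a multi-account pipeline that passes a different expected id per stage.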

There is a straightforward way: `aws iam get-user` tells you who you are (the current IAM user), provided the user has IAM privileges.

There are a couple of CLI calls which support the --dry-run flag, like `aws ec2 run-instances`, which tell you whether you have the necessary config / credentials to perform the operation.

There is also --auth-dry-run, which checks whether you have the required permissions for the command, without actually running the command. If you have the required permissions, the command returns DryRunOperation; otherwise, it returns UnauthorizedOperation. [From AWS Documentation - Common Options]

You would be able to list the IAM access keys from the Management Console, which you can cross-check to see who has been assigned which key.

The best way to understand which user / role has what privileges is to make use of the IAM Policy Simulator.

Naveen Vijay
  • Ironically, the user I ran the test as got an `AccessDenied` error -- which included the full `arn:aws:iam::123...890:user/somebody` string as part of the error output. – smitelli Aug 05 '15 at 16:19
  • Entirely possible the user doesn't have permission to 'get-user' themself. :-/ – Jason Jan 25 '17 at 03:58
  • Yes, I have this situation. In the AWS Console next to User ARN it shows N/A, and the hover over explains that "User arn:aws:iam:...:user/steve is not authorized to perform iam:GetUser on resource: user steve" – Steve Bennett Apr 08 '19 at 22:56