Is there a command/subcommand that can be passed to the aws utility that can 1) verify that the credentials in the ~/.aws/credentials file are valid, and 2) give some indication which user the credentials belong to? I'm looking for something generic that doesn't make any assumptions about the user having permissions to IAM or any specific service.
The use case for this is a deploy-time sanity check to make sure that the credentials are good. Ideally there would be some way to check the return value and abort the deploy if there are invalid credentials.
Use GetCallerIdentity:

    aws sts get-caller-identity

Unlike other API/CLI calls it will always work, regardless of your IAM permissions.
You will get output in the following format:

    {
        "Account": "123456789012",
        "UserId": "AR#####:#####",
        "Arn": "arn:aws:sts::123456789012:assumed-role/role-name/role-session-name"
    }

Exact ARN format will depend on the type of credentials, but often includes the name of the (human) user.
It uses the standard AWS CLI error codes, giving 0 on success and 255 if you have no credentials.
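A deploy-time gate built on the answer above, as an added example that is not part of the original answer: it runs `aws sts get-caller-identity` for an optional profile, propagates the CLI's exit status, and extracts the caller ARN from the JSON with sed so it works without jq. It assumes the AWS CLI is on PATH and that the response has the three keys shown above; `json_field` and `check_aws_credentials` are names chosen here.

```shell
# Added example, not from the original answer. Assumes the AWS CLI is on PATH.

# Extract one top-level string field from the JSON on stdin (no jq needed).
# Usage: printf '%s\n' "$json" | json_field Arn
json_field() {
    sed -n "s/^[[:space:]]*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Verify the credentials for the given profile (default profile if omitted).
# On success prints the caller ARN and returns 0. On failure prints the CLI's
# error to stderr and returns the CLI's own exit status (255 when there are
# no usable credentials), so a deploy script can abort with `|| exit 1`.
check_aws_credentials() {
    profile="$1"
    status=0
    if [ -n "$profile" ]; then
        out=$(aws sts get-caller-identity --output json --profile "$profile" 2>&1) || status=$?
    else
        out=$(aws sts get-caller-identity --output json 2>&1) || status=$?
    fi
    if [ "$status" -ne 0 ]; then
        echo "credential check failed (exit $status): $out" >&2
        return "$status"
    fi
    arn=$(printf '%s\n' "$out" | json_field Arn)
    if [ -z "$arn" ]; then
        echo "credential check failed: no Arn in response: $out" >&2
        return 2
    fi
    echo "$arn"
    return 0
}

# Deploy gate: only runs when DEPLOY_CHECK=1 so this file can also be sourced.
if [ "${DEPLOY_CHECK:-0}" = 1 ]; then
    check_aws_credentials "${AWS_PROFILE:-}" || exit 1
fi
```

Run with `DEPLOY_CHECK=1 AWS_PROFILE=myprofile sh check.sh` at the start of a deploy; the printed ARN doubles as the "which user is this" indication asked for in the question.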
There is a straightforward way - aws iam get-user would tell the details about who you are (the current IAM User) - provided the user has IAM privileges.
There are a couple of CLI calls which support the --dry-run flag, like aws ec2 run-instances, which tell you whether you have the necessary config / cred to perform the operation.
There is also --auth-dry-run, which checks whether you have the required permissions for the command, without actually running the command. If you have the required permissions, the command returns DryRunOperation; otherwise, it returns UnauthorizedOperation. [ From AWS Documentation - Common Options ]
You would be able to list the IAM Access Keys from Management Console which you can cross check to see who has been assigned which key.
The best way to understand which user / role has what privileges is to make use of the IAM Policy Simulator.
AccessDenied error -- which included the full arn:aws:iam::123...890:user/somebody string as part of the error output.
If you have your profile name along with access key and secret key configured in the .credentials file, you can run the following command to check its validity:

    aws sts get-caller-identity --profile <your-profile-name>

If everything is okay, it'll return output like the following:

    {
        "UserId": <Your user id>,
        "Account": <your account number>,
        "Arn": <your arn output>
    }
I was in need of the same, so I wrote aws-role.
I also wanted the command to output the session time remaining before logout:
https://i.stack.imgur.com/ecjyD.png
I used it in many shell scripts to automate my AWS use -- worked well for me.
My script parses ~/.aws/credentials.
PS: I'm also thinking of enhancing it to support JSON output.
aws iam get-user --profile test-mfa, I get: An error occurred (AccessDenied) when calling the GetUser operation. However, aws sts get-caller-identity --profile test-mfa outputs (similarly, with no MFA session token active) the test-mfa's Account, ARN, and the UserId.
An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.
aws iam get-user). After switching my default, the suggested command worked properly.