AWS STS: Get Caller Identity (Who Am I?)
Check which AWS identity your CLI is using with aws sts get-caller-identity. Returns account ID, ARN, and user/role name.
STS Operations
Detailed Explanation
Checking Your AWS Identity
The aws sts get-caller-identity command is the AWS CLI equivalent of "whoami". It returns the account, ARN, and identity associated with your current credentials — without requiring any parameters.
Basic Usage
aws sts get-caller-identity
Example Output
{
    "UserId": "AIDAEXAMPLEUSERID",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/developer"
}
With a Named Profile
aws sts get-caller-identity --profile production
This shows which identity the named profile resolves to, which is essential to check before running destructive commands.
Common Output Patterns
| Identity Type | ARN Format |
|---|---|
| IAM User | arn:aws:iam::123456789012:user/username |
| IAM Role (assumed) | arn:aws:sts::123456789012:assumed-role/role-name/session |
| Root Account | arn:aws:iam::123456789012:root |
| SSO User | arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_.../user@email |
Extract Just the Account ID
aws sts get-caller-identity --query "Account" --output text
In Scripts
ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
echo "Running in account: $ACCOUNT_ID"
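Printing the account ID does not stop a script that is running with the wrong credentials. The guard below is an added example, not part of the original page: it compares the caller's account with an expected one and classifies the ARN using the patterns in the table above. The function names, the decision to refuse root, and the account ID `123456789012` are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: identity guard for scripts that run destructive commands.

# Map an ARN from get-caller-identity to an identity type (see the table above).
classify_arn() {
  case "$1" in
    arn:aws:iam::*:root)                          echo root ;;
    arn:aws:iam::*:user/*)                        echo iam-user ;;
    arn:aws:sts::*:assumed-role/AWSReservedSSO_*) echo sso-user ;;
    arn:aws:sts::*:assumed-role/*/*)              echo assumed-role ;;
    *)                                            echo unknown ;;
  esac
}

# check_identity EXPECTED_ACCOUNT ACCOUNT ARN
# Succeeds only when the account matches and the identity is a recognised,
# non-root type. Refusing root is a policy choice of this example.
check_identity() {
  ci_expected=$1 ci_account=$2 ci_arn=$3
  ci_kind=$(classify_arn "$ci_arn")
  if [ "$ci_account" != "$ci_expected" ]; then
    echo "refusing: credentials are for account $ci_account, expected $ci_expected" >&2
    return 1
  fi
  case "$ci_kind" in
    root|unknown)
      echo "refusing: identity type '$ci_kind' ($ci_arn)" >&2
      return 1 ;;
  esac
  echo "ok: $ci_kind $ci_arn"
}

# require_account EXPECTED_ACCOUNT [aws options, e.g. --profile production]
# Asks STS who the current credentials belong to, then applies check_identity.
require_account() {
  ra_expected=$1; shift
  ra_out=$(aws sts get-caller-identity "$@" \
             --query "[Account,Arn]" --output text) || return 1
  # Text output is one tab-separated line: <account> <arn>
  read -r ra_account ra_arn <<EOF
$ra_out
EOF
  check_identity "$ra_expected" "$ra_account" "$ra_arn"
}

# Typical use at the top of a script (123456789012 is a placeholder):
#   require_account 123456789012 --profile production || exit 1
```

`classify_arn` and `check_identity` take the values as arguments, so they can be exercised without credentials; only `require_account` calls the AWS CLI.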
When to Use
- Before destructive operations — verify you are in the right account
- Debugging permission errors — confirm which identity is being used
- Validating credential setup — test that AWS CLI is configured correctly
- In CI/CD pipelines — log which role the pipeline is assuming
Use Case
Verifying AWS CLI configuration, debugging authentication issues, confirming which account you are operating in before running destructive commands, or validating assumed role credentials.