← All posts
2 min read

Read your AWS caller identity deeply

#aws#cli#iam#security#identity
📑 On this page

Part 81 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.

What we are learning

get-caller-identity answers which credentials are signing the current command. Run it before permission-sensitive or destructive work.

Before you run it

aws sts get-caller-identity
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
USER_NAME="aws-zero-learner"
GROUP_NAME="aws-zero-readers"
ROLE_NAME="aws-zero-demo-role"

IAM is global rather than regional. Use a sandbox account and a delegated administrator identity, never root access keys.

The command

aws sts get-caller-identity

IAM writes can take a short time to propagate. Inspect the resource after every change.

Inspect the result

aws sts get-caller-identity \
  --query "{Account:Account,Arn:Arn,PrincipalId:UserId}" \
  --output table

The ARN shape reveals whether the caller is an IAM user, assumed role session, federated identity, or root user.

One tiny variation

aws sts get-caller-identity --profile default
aws sts get-caller-identity --profile staging

Compare named profiles before changing resources in multiple accounts.

Common mistake

Do not infer identity from the terminal prompt or profile name. Credentials can be overridden by environment variables, role profiles, containers, and instance metadata.

Cleanup

# This lesson is read-only or reuses a named demo identity.
aws sts get-caller-identity

Keep shared demo identities only while following the IAM sequence. Part 125 removes them in dependency order.

Next, we will learn List IAM users in an AWS account.

Official AWS CLI reference