Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How can I deduce the AWS Account ID from available BasicAWSCredentials?

Update

AWS has just silently addressed this long standing gap by introducing the dedicated STS API action GetCallerIdentity, which returns details about the IAM identity whose credentials are used to call the API, including the AWS Account ID - there are a few sample responses, e.g.:

<GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <GetCallerIdentityResult>
   <Arn>arn:aws:iam::123456789012:user/Alice</Arn>
    <UserId>AKIAI44QH8DHBEXAMPLE</UserId>
    <Account>123456789012</Account>
  </GetCallerIdentityResult>
  <ResponseMetadata>
    <RequestId>01234567-89ab-cdef-0123-456789abcdef</RequestId>
  </ResponseMetadata>
</GetCallerIdentityResponse>

You can use the AWS Command Line Interface to obtain just the account ID, here's an example:

$ aws sts get-caller-identity --output text --query Account
121371349383

Initial Answer

This is at least indirectly possible via AWS Identity and Access Management (IAM) by means of the GetUser action (available via getUser() in the AWS SDK for Java):

Retrieves information about the specified user, including the user's path, GUID, and ARN.

If you do not specify a user name, IAM determines the user name implicitly based on the AWS Access Key ID signing the request.

The returned User data type (Class User) contains an Arn element (getArn()), which is the Amazon Resource Name (ARN) specifying the user. This is further detaild in Identifiers for IAM Entities, specifically in section ARNs, which describes the format of the User Resource Type:

arn:aws:iam::{account_ID}:user/{path/to/user/UserName}

Example: arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob

This is an old question, but for the poor souls out there - The answer based on ARN is the most correct answer that we found. There's also an OwnerId field when calling DescribeInstances, but there may be no instances ..

However the reality is a bit more complex. Sometimes the IAM user does not have the permission to issue getUser(), and then he gets AmazonServiceException with

getErrorCode() = "AccessDenied"

In this case, the ARN is a part of the AWS error message:

User: arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob is not authorized to perform: 
iam:GetUser on resource: arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob

So here the matters are even worse: we need to parse a free text error message and then extract the account number:

try {
    ... iam.getUser(); ...
} catch (AmazonServiceException e) {
    if (e.getErrorCode().compareTo("AccessDenied") == 0) {
        String arn = null;
        String msg = e.getMessage();
        // User: arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob is not authorized to perform: iam:GetUser on resource: arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob
        int arnIdx = msg.indexOf("arn:aws");
        if (arnIdx != -1) {
            int arnSpace = msg.indexOf(" ", arnIdx);
            arn = msg.substring(arnIdx, arnSpace);
        }
        System.out.println("ARN: " + arn);
}

If you have the AWS CLI tools, you can:

aws iam get-user | awk '/arn:aws:/{print $2}'

Here's the code to get the newer STS getCallerIdentity stuff working (in Java):

private String getAccountIDUsingAccessKey(String accessKey, String secretKey) {
    AWSSecurityTokenService stsService = AWSSecurityTokenServiceClientBuilder.standard().withCredentials(
            new AWSStaticCredentialsProvider(new BasicAWSCredentials(accessKey, secretKey))).build();

    GetCallerIdentityResult callerIdentity = stsService.getCallerIdentity(new GetCallerIdentityRequest());
    return callerIdentity.getAccount();
}

Props to @SteffenOpel for giving the clues needed, of course.


With the latest API there's a direct way of finding the user ID:

BasicAWSCredentials basicAWSCredentials = new BasicAWSCredentials("your access key", "your secret key");
AmazonIdentityManagementClient iamClient = new AmazonIdentityManagementClient(basicAWSCredentials);
String userId = iamClient.getUser().getUser().getUserId();

Adding this here, because it's the top SO result for "find aws account number", and because it's bad practice to use keys instead of IAM Roles for deployed apps anyway...

If you're running from an AWS instance that has an IAM Role on it, you can do curl -s http://169.254.169.254/latest/meta-data/iam/info and get the ARN of the instance's role from the InstanceProfileArn key of the results, without having to worry about trying to parse an exception message or granting IAM permissions to an instance that doesn't need them.

Then, you just have to parse the ARN for the account number.