How to test credentials for AWS Command Line Tools

amazon-web-services aws-cli
smitelli picture smitelli · Aug 5, 2015 · Viewed 75.9k times · Source

Is there a command/subcommand that can be passed to the aws utility that can 1) verify that the credentials in the ~/.aws/credentials file are valid, and 2) give some indication which user the credentials belong to? I'm looking for something generic that doesn't make any assumptions about the user having permissions to IAM or any specific service.

The use case for this is a deploy-time sanity check to make sure that the credentials are good. Ideally there would be some way to check the return value and abort the deploy if there are invalid credentials.

Answer

Jason picture Jason · Feb 15, 2017

Use GetCallerIdentity:
aws sts get-caller-identity

Unlike other API/CLI calls it will always work, regardless of your IAM permissions.

You will get output in the following format:

{
    "Account": "123456789012", 
    "UserId": "AR#####:#####", 
    "Arn": "arn:aws:sts::123456789012:assumed-role/role-name/role-session-name"
}

Exact ARN format will depend on the type of credentials, but often includes the name of the (human) user.

It uses the standard AWS CLI error codes giving 0 on success and 255 if you have no credentials.

Related questions

AWS CLI S3 A client error (403) occurred when calling the HeadObject operation: Forbidden

I'm trying to setup a Amazon Linux AMI(ami-f0091d91) and have a script that runs a copy command to copy from a S3 bucket. aws --debug s3 cp s3://aws-codedeploy-us-west-2/latest/codedeploy-agent.noarch.rpm . This script works perfectly on …

Read More
How can I resolve the error "The security token included in the request is invalid" when running aws iam upload-server-certificate?

I cd into the directory where all the pem/key files are and run the following: aws iam upload-server-certificate --server-certificate-name certificate_name --certificate-body file://webservercertificate.pem --private-key file://server.key --certificate-chain file://certificate_chain_file.pem I get the following …

Read More
The AWS Access Key Id does not exist in our records

I created a new Access Key and configured that in the AWS CLI with aws configure. It created the .ini file in ~/.aws/config. When I run aws s3 ls it gives: A client error (InvalidAccessKeyId) occurred when calling the …

Read More