GetCallerIdentity
Returns details about the IAM user or role whose credentials are used to call the operation.
Note
No permissions are required to perform this operation. If an administrator attaches a policy to your identity that explicitly denies access to the sts:GetCallerIdentity action, you can still perform this operation. Permissions are not required because the same information is returned when access is denied. To view an example response, see I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice in the IAM User Guide.
Response Elements
The following elements are returned by the service.
- Account
  The AWS account ID number of the account that owns or contains the calling entity.
  Type: String
- Arn
  The AWS ARN associated with the calling entity.
  Type: String
  Length Constraints: Minimum length of 20. Maximum length of 2048.
  Pattern: [\u0009\u000A\u000D\u0020-\u007E\u0085\u00A0-\uD7FF\uE000-\uFFFD\u10000-\u10FFFF]+
- UserId
  The unique identifier of the calling entity. The exact value depends on the type of entity that is making the call. The values returned are those listed in the aws:userid column in the Principal table found on the Policy Variables reference page in the IAM User Guide.
  Type: String
Errors
For information about the errors that are common to all actions, see Common Errors.
Examples
Example 1 - Called by an IAM user
This example shows a request and response made with the credentials for a user named Alice in the AWS account 123456789012.
Sample Request
POST / HTTP/1.1
Host: sts.amazonaws.com
Accept-Encoding: identity
Content-Length: 32
Content-Type: application/x-www-form-urlencoded
Authorization: AWS4-HMAC-SHA256 Credential=AKIAI44QH8DHBEXAMPLE/20160126/us-east-1/sts/aws4_request,
SignedHeaders=host;user-agent;x-amz-date,
Signature=1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
X-Amz-Date: 20160126T215751Z
User-Agent: aws-cli/1.10.0 Python/2.7.3 Linux/3.13.0-76-generic botocore/1.3.22
Action=GetCallerIdentity&Version=2011-06-15
Sample Response
HTTP/1.1 200 OK
x-amzn-RequestId: 01234567-89ab-cdef-0123-456789abcdef
Content-Type: text/xml
Content-Length: 357
Date: Tue, 26 Jan 2016 21:57:47 GMT
<GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<GetCallerIdentityResult>
<Arn>arn:aws:iam::123456789012:user/Alice</Arn>
<UserId>AIDACKCEVSQ6C2EXAMPLE</UserId>
<Account>123456789012</Account>
</GetCallerIdentityResult>
<ResponseMetadata>
<RequestId>01234567-89ab-cdef-0123-456789abcdef</RequestId>
</ResponseMetadata>
</GetCallerIdentityResponse>
Example 2 - Called by user created with AssumeRole
This example shows a request and response made with temporary credentials created by AssumeRole. The name of the assumed role is my-role-name, and the RoleSessionName is set to my-role-session-name.
Sample Request
POST / HTTP/1.1
Host: sts.amazonaws.com
Accept-Encoding: identity
Content-Length: 43
X-Amz-Date: 20160301T213302Z
User-Agent: aws-cli/1.10.0 Python/2.7.3 Linux/3.13.0-79-generic botocore/1.3.22
X-Amz-Security-Token:<REDACTED>
Content-Type: application/x-www-form-urlencoded
Authorization: AWS4-HMAC-SHA256 Credential=AKIAI44QH8DHBEXAMPLE/20160301/us-east-1/sts/aws4_request,
SignedHeaders=host;user-agent;x-amz-date;x-amz-security-token,
Signature=1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
Action=GetCallerIdentity&Version=2011-06-15
Sample Response
HTTP/1.1 200 OK
x-amzn-RequestId: 01234567-89ab-cdef-0123-456789abcdef
Content-Type: text/xml
Content-Length: 438
Date: Tue, 01 Mar 2016 21:32:59 GMT
<GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<GetCallerIdentityResult>
<Arn>arn:aws:sts::123456789012:assumed-role/my-role-name/my-role-session-name</Arn>
<UserId>ARO123EXAMPLE123:my-role-session-name</UserId>
<Account>123456789012</Account>
</GetCallerIdentityResult>
<ResponseMetadata>
<RequestId>01234567-89ab-cdef-0123-456789abcdef</RequestId>
</ResponseMetadata>
</GetCallerIdentityResponse>
Example 3 - Called by user created with GetFederationToken
This example shows a request and response made with temporary credentials created by using GetFederationToken. The Name parameter is set to my-federated-user-name.
Sample Request
POST / HTTP/1.1
Host: sts.amazonaws.com
Accept-Encoding: identity
Content-Length: 43
X-Amz-Date: 20160301T215108Z
User-Agent: aws-cli/1.10.0 Python/2.7.3 Linux/3.13.0-79-generic botocore/1.3.22
X-Amz-Security-Token:<REDACTED>
Content-Type: application/x-www-form-urlencoded
Authorization: AWS4-HMAC-SHA256 Credential=AKIAI44QH8DHBEXAMPLE/20160301/us-east-1/sts/aws4_request,
SignedHeaders=host;user-agent;x-amz-date;x-amz-security-token,
Signature=1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
Action=GetCallerIdentity&Version=2011-06-15
Sample Response
HTTP/1.1 200 OK
x-amzn-RequestId: 01234567-89ab-cdef-0123-456789abcdef
Content-Type: text/xml
Content-Length: 437
Date: Tue, 01 Mar 2016 21:51:06 GMT
<GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<GetCallerIdentityResult>
<Arn>arn:aws:sts::123456789012:federated-user/my-federated-user-name</Arn>
<UserId>123456789012:my-federated-user-name</UserId>
<Account>123456789012</Account>
</GetCallerIdentityResult>
<ResponseMetadata>
<RequestId>01234567-89ab-cdef-0123-456789abcdef</RequestId>
</ResponseMetadata>
</GetCallerIdentityResponse>
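The three responses above differ only in the form of Arn and UserId, so a tool that logs or gates on caller identity should parse those forms rather than match substrings. The following is an added example, not part of the AWS documentation: the function names (parse_caller_identity, classify, sample) are hypothetical, and the cross-check assumes only the Arn and UserId forms shown in Examples 1 to 3.

```python
import re
import xml.etree.ElementTree as ET

NS = {"sts": "https://sts.amazonaws.com/doc/2011-06-15/"}
ARN_RE = re.compile(r"^arn:[^:]+:(?:iam|sts)::(?P<account>\d{12}):"
                    r"(?P<kind>user|assumed-role|federated-user)/(?P<rest>.+)$")

def parse_caller_identity(xml_text):
    """Extract Account, Arn and UserId from a GetCallerIdentityResponse body."""
    result = ET.fromstring(xml_text).find("sts:GetCallerIdentityResult", NS)
    if result is None:
        raise ValueError("no GetCallerIdentityResult element")
    fields = {}
    for name in ("Account", "Arn", "UserId"):
        fields[name] = result.findtext("sts:" + name, default="", namespaces=NS).strip()
        if not fields[name]:
            raise ValueError("missing element: " + name)
    return fields

def classify(identity):
    """Name the principal type and cross-check UserId against the Arn."""
    m = ARN_RE.match(identity["Arn"])
    if m is None:
        raise ValueError("Arn form not covered by this example")
    kind, rest = m["kind"], m["rest"]
    prefix, _, suffix = identity["UserId"].rpartition(":")
    out = {"kind": kind, "name": rest.rsplit("/", 1)[-1], "role": None}
    ok = m["account"] == identity["Account"]
    if kind == "assumed-role":
        # Arn ends in role-name/session-name; UserId is role-id:session-name.
        out["role"], _, out["name"] = rest.rpartition("/")
        ok = ok and bool(prefix) and suffix == out["name"]
    elif kind == "federated-user":
        # UserId is account-id:federated-user-name.
        ok = ok and prefix == identity["Account"] and suffix == out["name"]
    out["consistent"] = ok
    return out

def sample(arn, user_id, account="123456789012"):
    """Build a constructed response body from the sample values on this page."""
    return ('<GetCallerIdentityResponse xmlns="%s"><GetCallerIdentityResult>'
            "<Arn>%s</Arn><UserId>%s</UserId><Account>%s</Account>"
            "</GetCallerIdentityResult></GetCallerIdentityResponse>"
            % (NS["sts"], arn, user_id, account))

if __name__ == "__main__":
    role_arn = "arn:aws:sts::123456789012:assumed-role/my-role-name/my-role-session-name"
    print(classify(parse_caller_identity(
        sample(role_arn, "ARO123EXAMPLE123:my-role-session-name"))))
```

A result with consistent set to False means the response does not match the forms documented here and should be treated as unverified rather than trusted.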
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: