GetCallerIdentity
Returns details about the IAM user or role whose credentials are used to call the operation.
Note
No permissions are required to perform this operation. If an administrator attaches a policy to your identity that explicitly denies access to the sts:GetCallerIdentity action, you can still perform this operation. Permissions are not required because the same information is returned when access is denied. To view an example response, see I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice in the IAM User Guide.
Response Elements
The following elements are returned by the service.
- Account
  The AWS account ID number of the account that owns or contains the calling entity.
  Type: String
- Arn
  The AWS ARN associated with the calling entity.
  Type: String
  Length Constraints: Minimum length of 20. Maximum length of 2048.
  Pattern: [\u0009\u000A\u000D\u0020-\u007E\u0085\u00A0-\uD7FF\uE000-\uFFFD\u10000-\u10FFFF]+
- UserId
  The unique identifier of the calling entity. The exact value depends on the type of entity that is making the call. The values returned are those listed in the aws:userid column in the Principal table found on the Policy Variables reference page in the IAM User Guide.
  Type: String
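An added example, not part of the AWS documentation: a deployment guard that parses a GetCallerIdentityResponse body, cross-checks the three response elements against each other, and reports how the caller differs from the principal a job expects. The function names are hypothetical, the ARN forms handled are only the three shown in this page's examples, and the embedded XML is the Example 2 sample response.

```python
import re
import xml.etree.ElementTree as ET
NS = {"sts": "https://sts.amazonaws.com/doc/2011-06-15/"}  # namespace used by the sample responses
ARN_RE = re.compile(r"^arn:[^:]+:(iam|sts)::(\d{12}):(.+)$")

def parse_response(xml_text):
    """Extract Arn, UserId and Account from a GetCallerIdentityResponse body."""
    result = ET.fromstring(xml_text).find("sts:GetCallerIdentityResult", NS)
    if result is None:
        raise ValueError("no GetCallerIdentityResult element")
    return {k: result.findtext("sts:" + k, namespaces=NS) for k in ("Arn", "UserId", "Account")}

def classify(identity):
    """Return (kind, name, session) after cross-checking the three fields."""
    m = ARN_RE.match(identity["Arn"] or "")
    if not m:
        raise ValueError("unrecognised ARN")
    service, account, resource = m.groups()
    if account != identity["Account"]:
        raise ValueError("Account differs from the account ID inside Arn")
    parts = resource.split("/")
    if service == "iam" and parts[0] == "user" and len(parts) >= 2:
        return ("iam-user", parts[-1], None)
    if service == "sts" and parts[0] == "assumed-role" and len(parts) == 3:
        # In Example 2 the UserId ends with ":<RoleSessionName>"
        if not (identity["UserId"] or "").endswith(":" + parts[2]):
            raise ValueError("session name in UserId differs from Arn")
        return ("assumed-role", parts[1], parts[2])
    if service == "sts" and parts[0] == "federated-user" and len(parts) == 2:
        return ("federated-user", parts[1], None)
    raise ValueError("unexpected principal type: " + parts[0])  # fail closed

def guard(identity, account, kind, name):
    """List every way the caller differs from the expected principal."""
    got_kind, got_name, _ = classify(identity)
    problems = []
    if identity["Account"] != account:
        problems.append("account %s, expected %s" % (identity["Account"], account))
    if (got_kind, got_name) != (kind, name):
        problems.append("caller %s/%s, expected %s/%s" % (got_kind, got_name, kind, name))
    return problems

# Body of the Example 2 sample response from this page
EXAMPLE_2 = """<GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <GetCallerIdentityResult>
    <Arn>arn:aws:sts::123456789012:assumed-role/my-role-name/my-role-session-name</Arn>
    <UserId>ARO123EXAMPLE123:my-role-session-name</UserId>
    <Account>123456789012</Account>
  </GetCallerIdentityResult>
</GetCallerIdentityResponse>"""
```

With an SDK the same three keys come back as a dictionary (boto3's get_caller_identity returns Arn, UserId and Account), so classify and guard apply to that result unchanged.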
Errors
For information about the errors that are common to all actions, see Common Errors.
Examples
Example 1 - Called by an IAM user
This example shows a request and response made with the credentials for a user named Alice in the AWS account 123456789012.
Sample Request
POST / HTTP/1.1
Host: sts.amazonaws.com
Accept-Encoding: identity
Content-Length: 32
Content-Type: application/x-www-form-urlencoded
Authorization: AWS4-HMAC-SHA256 Credential=AKIAI44QH8DHBEXAMPLE/20160126/us-east-1/sts/aws4_request, SignedHeaders=host;user-agent;x-amz-date, Signature=1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
X-Amz-Date: 20160126T215751Z
User-Agent: aws-cli/1.10.0 Python/2.7.3 Linux/3.13.0-76-generic botocore/1.3.22

Action=GetCallerIdentity&Version=2011-06-15
Sample Response
HTTP/1.1 200 OK
x-amzn-RequestId: 01234567-89ab-cdef-0123-456789abcdef
Content-Type: text/xml
Content-Length: 357
Date: Tue, 26 Jan 2016 21:57:47 GMT

<GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <GetCallerIdentityResult>
    <Arn>arn:aws:iam::123456789012:user/Alice</Arn>
    <UserId>AIDACKCEVSQ6C2EXAMPLE</UserId>
    <Account>123456789012</Account>
  </GetCallerIdentityResult>
  <ResponseMetadata>
    <RequestId>01234567-89ab-cdef-0123-456789abcdef</RequestId>
  </ResponseMetadata>
</GetCallerIdentityResponse>
Example 2 - Called by user created with AssumeRole
This example shows a request and response made with temporary credentials created by AssumeRole. The name of the assumed role is my-role-name, and the RoleSessionName is set to my-role-session-name.
Sample Request
POST / HTTP/1.1
Host: sts.amazonaws.com
Accept-Encoding: identity
Content-Length: 43
X-Amz-Date: 20160301T213302Z
User-Agent: aws-cli/1.10.0 Python/2.7.3 Linux/3.13.0-79-generic botocore/1.3.22
X-Amz-Security-Token:<REDACTED>
Content-Type: application/x-www-form-urlencoded
Authorization: AWS4-HMAC-SHA256 Credential=AKIAI44QH8DHBEXAMPLE/20160301/us-east-1/sts/aws4_request, SignedHeaders=host;user-agent;x-amz-date;x-amz-security-token, Signature=1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef

Action=GetCallerIdentity&Version=2011-06-15
Sample Response
HTTP/1.1 200 OK
x-amzn-RequestId: 01234567-89ab-cdef-0123-456789abcdef
Content-Type: text/xml
Content-Length: 438
Date: Tue, 01 Mar 2016 21:32:59 GMT

<GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <GetCallerIdentityResult>
    <Arn>arn:aws:sts::123456789012:assumed-role/my-role-name/my-role-session-name</Arn>
    <UserId>ARO123EXAMPLE123:my-role-session-name</UserId>
    <Account>123456789012</Account>
  </GetCallerIdentityResult>
  <ResponseMetadata>
    <RequestId>01234567-89ab-cdef-0123-456789abcdef</RequestId>
  </ResponseMetadata>
</GetCallerIdentityResponse>
Example 3 - Called by user created with GetFederationToken
This example shows a request and response made with temporary credentials created by using GetFederationToken. The Name parameter is set to my-federated-user-name.
Sample Request
POST / HTTP/1.1
Host: sts.amazonaws.com
Accept-Encoding: identity
Content-Length: 43
X-Amz-Date: 20160301T215108Z
User-Agent: aws-cli/1.10.0 Python/2.7.3 Linux/3.13.0-79-generic botocore/1.3.22
X-Amz-Security-Token:<REDACTED>
Content-Type: application/x-www-form-urlencoded
Authorization: AWS4-HMAC-SHA256 Credential=AKIAI44QH8DHBEXAMPLE/20160301/us-east-1/sts/aws4_request, SignedHeaders=host;user-agent;x-amz-date;x-amz-security-token, Signature=1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef

Action=GetCallerIdentity&Version=2011-06-15
Sample Response
HTTP/1.1 200 OK
x-amzn-RequestId: 01234567-89ab-cdef-0123-456789abcdef
Content-Type: text/xml
Content-Length: 437
Date: Tue, 01 Mar 2016 21:51:06 GMT

<GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <GetCallerIdentityResult>
    <Arn>arn:aws:sts::123456789012:federated-user/my-federated-user-name</Arn>
    <UserId>123456789012:my-federated-user-name</UserId>
    <Account>123456789012</Account>
  </GetCallerIdentityResult>
  <ResponseMetadata>
    <RequestId>01234567-89ab-cdef-0123-456789abcdef</RequestId>
  </ResponseMetadata>
</GetCallerIdentityResponse>
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: