How to test credentials for AWS Command Line Tools

Amazon Web-Services, Aws Cli

Amazon Web-Services Problem Overview


Is there a command/subcommand that can be passed to the aws utility that can 1) verify that the credentials in the ~/.aws/credentials file are valid, and 2) give some indication which user the credentials belong to? I'm looking for something generic that doesn't make any assumptions about the user having permissions to IAM or any specific service.

The use case for this is a deploy-time sanity check to make sure that the credentials are good. Ideally there would be some way to check the return value and abort the deploy if there are invalid credentials.

Amazon Web-Services Solutions


Solution 1 - Amazon Web-Services

Use GetCallerIdentity:
aws sts get-caller-identity

Unlike other API/CLI calls it will always work, regardless of your IAM permissions.

You will get output in the following format:

{
    "Account": "123456789012", 
    "UserId": "AR#####:#####", 
    "Arn": "arn:aws:sts::123456789012:assumed-role/role-name/role-session-name"
}

Exact ARN format will depend on the type of credentials, but often includes the name of the (human) user.

It uses the standard AWS CLI error codes giving 0 on success and 255 if you have no credentials.

Solution 2 - Amazon Web-Services

There is a straightforward way - aws iam get-user would tell the details about who you are (the current IAM User) - provided the user has IAM privileges.

There are a couple of CLI calls which support the --dry-run flag, like aws ec2 run-instances, which tell you whether you have the necessary config / cred to perform the operation.

There is also --auth-dry-run, which checks whether you have the required permissions for the command, without actually running the command. If you have the required permissions, the command returns DryRunOperation; otherwise, it returns UnauthorizedOperation. [From AWS Documentation - Common Options]

You would be able to list the IAM Access Keys from the Management Console, which you can cross-check to see who has been assigned which key.

The best way to understand which user / role has what privileges is to make use of the IAM Policy Simulator.

Solution 3 - Amazon Web-Services

If you have your profile-name along with access-key and secret-key configured in the .credentials file, you can run the following command to check its validity:

aws sts get-caller-identity --profile <your-profile-name>

If everything is okay, it'll return output like the following:

{
    "UserId": <Your user id>,
    "Account": <your account number>,
    "Arn": <your arn output>
}
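
The deploy-time check the question asks for, built on the aws sts get-caller-identity call from Solutions 1 and 3. This is an added example, not code from the original answers; the function name check_aws_identity and its optional expected-account argument are assumptions for illustration. It goes one step beyond validity and also confirms the credentials belong to the account the deploy is meant for.

```shell
#!/bin/sh
# Added example: deploy-time gate around `aws sts get-caller-identity`.
# The function name and the optional expected-account argument are
# assumptions for illustration, not part of the AWS CLI.
#
# Usage: check_aws_identity [profile] [expected_account_id]
#   returns 0 and prints the caller ARN when the credentials are valid
#   returns 1 when the AWS CLI call fails (missing/invalid credentials)
#   returns 2 when the credentials belong to a different account
check_aws_identity() {
    local profile="${1:-}" expected="${2:-}" out account arn rc=0

    # Build the argument list; text output gives "<Account>\t<Arn>".
    set -- sts get-caller-identity --output text --query '[Account,Arn]'
    if [ -n "$profile" ]; then
        set -- "$@" --profile "$profile"
    fi

    # `|| rc=$?` keeps the exit status without tripping `set -e`.
    out="$(aws "$@")" || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "credential check failed (aws exit code $rc)" >&2
        return 1
    fi

    # Split the single output line on whitespace.
    read -r account arn <<EOF
$out
EOF

    if [ -n "$expected" ] && [ "$account" != "$expected" ]; then
        echo "credentials are for account $account, expected $expected" >&2
        return 2
    fi
    printf '%s\n' "$arn"
}

# In a deploy script (profile name and account ID are placeholders):
#   check_aws_identity deploy 123456789012 || exit 1
```

Printing the ARN to the deploy log records which identity performed the deploy, and the account comparison stops a run that picked up valid credentials for the wrong environment.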

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

| Content Type | Original Author | Original Content on Stackoverflow |
| --- | --- | --- |
| Question | smitelli | View Question on Stackoverflow |
| Solution 1 - Amazon Web-Services | Jason | View Answer on Stackoverflow |
| Solution 2 - Amazon Web-Services | Naveen Vijay | View Answer on Stackoverflow |
| Solution 3 - Amazon Web-Services | Subham | View Answer on Stackoverflow |