How to test credentials for AWS Command Line Tools

201
votes

Is there a command/subcommand that can be passed to the aws utility that can 1) verify that the credentials in the ~/.aws/credentials file are valid, and 2) give some indication which user the credentials belong to? I'm looking for something generic that doesn't make any assumptions about the user having permissions to IAM or any specific service.

The use case for this is a deploy-time sanity check to make sure that the credentials are good. Ideally there would be some way to check the return value and abort the deploy if there are invalid credentials.

2
amazon-web-servicesaws-cli
Might I suggest that this would be better asked at serverfault.com? Stack Overflow is specifically for programming questions.Tripp Kinetics
@TrippKinetics Yeah, I was on the fence about where to ask. In my mind, the meat of the question was more about programmatically querying an API rather than managing servers per se.smitelli

2 Answers

303
votes

Use GetCallerIdentity:
aws sts get-caller-identity

Unlike other API/CLI calls it will always work, regardless of your IAM permissions.

You will get output in the following format:

{
    "Account": "123456789012", 
    "UserId": "AR#####:#####", 
    "Arn": "arn:aws:sts::123456789012:assumed-role/role-name/role-session-name"
}

Exact ARN format will depend on the type of credentials, but often includes the name of the (human) user.

It uses the standard AWS CLI error codes giving 0 on success and 255 if you have no credentials.

74
votes

There is a straightforward way - aws iam get-user would tell the details about who you are (the current IAM User) - provided the user has iam privileges.

There are couple of CLI calls which support --dry-run flag like aws ec2 run-instances which you tell you whether you have necessary config / cred to perform the operation.

There is also --auth-dry-run which Checks whether you have the required permissions for the command, without actually running the command. If you have the required permissions, the command returns DryRunOperation; otherwise, it returns UnauthorizedOperation. [ From AWS Documentation - Common Options ]

You would be able to list the IAM Access Keys from Management Console which you can cross check to see who has been assigned which key.

The best way to understand which user / role has what privileges is make use of IAM Policy Simulator.