aws sts get-caller-identity: Verify AWS Auth in CI
Print the AWS account, user ID, and ARN of whoever the current credentials belong to.
aws sts get-caller-identity is the AWS equivalent of "whoami": it returns the Account, UserId, and Arn for the active credentials. In CI it is the quickest sanity check that an OIDC role was assumed and you are acting against the intended account before any deploy.
Common flags
--query Arn- extract just the ARN with JMESPath--output text- emit plain text for easy shell capture--profile NAME- check a specific profile
Example in CI
Fail fast if the wrong account is in scope after assuming an OIDC role.
shell
aws sts get-caller-identity --query Account --output textCommon errors in CI
- Unable to locate credentials - OIDC role was not assumed; check the configure-aws-credentials step
- The security token included in the request is invalid - expired or malformed session token
- An error occurred (ExpiredToken) - the assumed-role session has expired; re-assume the role
Key takeaways
- get-caller-identity confirms which account and identity your credentials map to.
- Run it right after OIDC role assumption to fail fast on misconfigured auth.
- Use --query and --output text to capture the account ID into a CI variable.
Related guides
aws configure: Set Credentials and Region in CIaws configure sets AWS CLI credentials, region, and profiles. Learn the flags, a CI example, and why pipeline…
aws sts assume-role: Assume an IAM Role in CIaws sts assume-role returns temporary credentials for a target role, enabling cross-account deploys. Learn th…
aws iam create-role: Create an IAM Role for CIaws iam create-role creates an IAM role with a trust policy - including the OIDC trust used by GitHub Actions…