Skip to content
Latchkey

aws sts get-caller-identity: Verify AWS Auth in CI

Print the AWS account, user ID, and ARN of whoever the current credentials belong to.

aws sts get-caller-identity is the AWS equivalent of "whoami": it returns the Account, UserId, and Arn for the active credentials. In CI it is the quickest sanity check that an OIDC role was assumed and you are acting against the intended account before any deploy.

Common flags

  • --query Arn - extract just the ARN with JMESPath
  • --output text - emit plain text for easy shell capture
  • --profile NAME - check a specific profile

Example in CI

Fail fast if the wrong account is in scope after assuming an OIDC role.

shell
aws sts get-caller-identity --query Account --output text

Common errors in CI

  • Unable to locate credentials - OIDC role was not assumed; check the configure-aws-credentials step
  • The security token included in the request is invalid - expired or malformed session token
  • An error occurred (ExpiredToken) - the assumed-role session has expired; re-assume the role

Key takeaways

  • get-caller-identity confirms which account and identity your credentials map to.
  • Run it right after OIDC role assumption to fail fast on misconfigured auth.
  • Use --query and --output text to capture the account ID into a CI variable.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →