Quick way to get AWS Account number from the AWS CLI tools?

amazon-web-services aws-cli amazon-iam aws-sts
56,085

Solution 1

You can get the account number from the Secure Token Service subcommand get-caller-identity using the following:

aws sts get-caller-identity --query Account --output text

Solution 2

From my related answer for the AWS PowerShell CLI, your Account ID is a part of the Arn of resources that you create... and those that are automatically created for you. Some resources will also list you as an OwnerId.

The Default Security Group is automatically created for you in each region's default VPC as a reserved security group. From the documentation:

You can't delete a default security group. If you try to delete the EC2-Classic default security group, you'll get the following error: Client.InvalidGroup.Reserved: The security group 'default' is reserved. If you try to delete a VPC default security group, you'll get the following error: Client.CannotDelete: the specified group: "sg-51530134" name: "default" cannot be deleted by a user.

This makes it a reliable candidate for retrieving our account Id, as long as you are in EC2 classic or have a default VPC (*see edge cases if you don't).

Example:

aws ec2 describe-security-groups \
    --group-names 'Default' \
    --query 'SecurityGroups[0].OwnerId' \
    --output text

This uses --query to filter the output down to the "owner ID" for the first result from this request, and then uses --output to output your account ID as plaintext:

123456781234

Edge cases:

(Thanks @kenchew) Note that if you've deleted your default VPC in a given region, this security group no longer exists and you should use one of these alternative solutions:

Further reading:

Solution 3

If you are running on a server that is running with an assumed role you can't call aws sts get-caller-identity. Also, with describe-security-groups you can't always use the --group-names filter (it doesn't work if you don't have a default VPC), so just pick the first security group. I've found this to be the most reliable regardless of what sort of authentication you use or what sort of VPC you have.

aws ec2 describe-security-groups --query 'SecurityGroups[0].OwnerId' --output text

Solution 4

My favorite method is to use aws iam get-user [--profile <profile>] since you only need IAM self service role for this to work.

Share:
56,085
ehime
Author by

ehime

Meanwhile in the Deep Darkness...

Updated on October 20, 2020

Comments

  • ehime
    ehime over 3 years

    Looking for a quick way to pull my account number, I had originally thought of using aws iam get-account-authorization-details --max-items 1 but there are several issues with doing it this way. Is there a way to do this that might not cross account origins?

  • Justin
    Justin over 7 years
    This should be a much more reliable than security groups since you can delete the default security group.
  • BMW
    BMW over 6 years
    shorter command if feed to jq aws sts get-caller-identity|jq -r ".Account"
  • Asim
    Asim over 6 years
    needed to store in a variable but was getting an extra line, this would be better for that aws sts get-caller-identity --output json | jq '.Account' | sed 's/\"//g'
  • coliveira
    coliveira over 5 years
    For me, it works when I remove the --query 'Account' part.
  • Sanoob
    Sanoob over 5 years
    Note that, It doesn't work when you use AssumedRole
  • ehime
    ehime about 5 years
    @BMW You unfortunately can't always rely on jq being involved or installed on a system. Some servers ban extraneous package installs due to security. You could do something like this aws sts get-caller-identity --output json |grep Account |awk -F ': "' '{print$2}' |sed 's/\".*//' but its a little annoying and you might as well do the --query 'Account' --output text at that point.
  • Arian
    Arian almost 5 years
    Agree with this. get-caller-identity always seems to return the Users Account, irrespective of the role they have assumed. If you want the assumed role you appear to need to use something like this still (2 years later ..)
  • jarmod
    jarmod over 4 years
    @coliveira If you remove --query Account then you will get 3 tab-separated values: account number, ARN, and user ID. You would then need to parse that result to get the account number. Better to use --query Account or pipe into jq -r '.Account'.
  • jarmod
    jarmod over 4 years
    @Asim instead of jq '.Account' | sed 's/\"//g', you can use jq -r '.Account' (-r for raw output).

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Unable to find .aws directory
How can I 'aws s3 sync' two buckets, which are located in different accounts
AWS CLI listing S3 buckets gives SignatureDoesNotMatch error using IAM user credentials
How can I resolve the error "The security token included in the request is invalid" when running aws iam upload-server-certificate?
AWS create role - Has prohibited field
AWS Console Session Timeout
AWS sts assume role in one command
clone AWS codecommit repo via HTTP
Invoke an AWS lambda across regions
How do I get AWS cross-account KMS keys to work?