Last active
November 9, 2022 16:40
Method to determine your AWS account ID using boto3 for either a user or an ec2 instance or lambda function
```python
import boto3

print(boto3.client('sts').get_caller_identity()['Account'])
```
```shell
aws sts get-caller-identity --query 'Account' --output text
```
```python
# This method is no longer needed with the release of the STS GetCallerIdentity method
def get_account_id(context):
    # The account ID is the fifth colon-separated field of the function ARN
    return context.invoked_function_arn.split(':')[4]


def lambda_handler(event, context):
    print("My account ID is %s" % get_account_id(context))
```
```python
# This method is no longer needed with the release of the STS GetCallerIdentity method
# The vendored copy of requests was removed from botocore, so use the
# standalone requests package instead
import requests
import boto3


def get_account_id():
    try:
        # We're running in an ec2 instance, get the account id from the
        # instance profile ARN (token-less request; it fails and falls
        # through when the instance requires IMDSv2 session tokens)
        return requests.get(
            'http://169.254.169.254/latest/meta-data/iam/info/',
            timeout=1).json()['InstanceProfileArn'].split(':')[4]
    except Exception:
        pass
    try:
        # We're not on an ec2 instance but have api keys, get the account
        # id from the user ARN
        return boto3.client('iam').get_user()['User']['Arn'].split(':')[4]
    except Exception:
        pass
    return False
```
```python
# This method is no longer needed with the release of the STS GetCallerIdentity method
# Python 2 variant: urllib2 does not exist on Python 3
import urllib2, json
import boto3


def get_account_id():
    try:
        # We're running in an ec2 instance, get the account id from the
        # instance profile ARN
        return json.loads(urllib2.urlopen(
            'http://169.254.169.254/latest/meta-data/iam/info/',
            None,
            1).read())['InstanceProfileArn'].split(':')[4]
    except Exception:
        pass
    try:
        # We're not on an ec2 instance but have api keys, get the account
        # id from the user ARN
        return boto3.client('iam').get_user()['User']['Arn'].split(':')[4]
    except Exception:
        pass
    return False
```
With the release of the new STS GetCallerIdentity method, there's no more need for different processes for users, ec2 instances, roles and lambda. It can all now be done with the example above:

```python
import boto3
print(boto3.client('sts').get_caller_identity()['Account'])
```
This doesn't seem to work now.
I was trying to figure out how to get the account number when I assumed a role to access resources in a second account. In this case the get_user() fails: "An error occurred (ValidationError) when calling the GetUser operation: Must specify userName when calling with non-User credentials"
I found that using list_users works across accounts as long as there is at least one user account created:

```python
account = assumed_session.client('iam').list_users(MaxItems=1)["Users"][0]["Arn"].split(':')[4]
```
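
An added example, not part of the gist or its comments: a stricter form of the `split(':')[4]` ARN parsing used above, combined with a guard that checks the `GetCallerIdentity` result against an expected account before a script proceeds. The function names `account_id_from_arn`, `caller_account_id` and `require_account` are hypothetical, and the sample ARNs and account IDs are constructed.

```python
import re

# arn:partition:service:region:account-id:resource. The resource may contain
# ':' itself (e.g. a Lambda alias), so it is matched last with '.+'.
_ARN_RE = re.compile(r"^arn:aws[a-z0-9-]*:[a-z0-9-]+:[a-z0-9-]*:(\d{12}):.+$")

# Constructed sample ARNs; the account IDs are made up.
SAMPLE_ARNS = [
    "arn:aws:iam::123456789012:user/alice",
    "arn:aws:sts::210987654321:assumed-role/deploy/session-1",
    "arn:aws:lambda:us-east-1:123456789012:function:my-fn:prod",
    "arn:aws:s3:::example-bucket",             # no account field
    "arn:aws:iam::aws:policy/ReadOnlyAccess",  # account field is 'aws'
]


def account_id_from_arn(arn):
    """Return the 12-digit account ID in an ARN, or None if it has none.

    arn.split(':')[4] would return '' or 'aws' for the last two samples.
    """
    match = _ARN_RE.match(arn or "")
    return match.group(1) if match else None


def caller_account_id(sts_client=None):
    """Account ID of the credentials in use (user, role, EC2 or Lambda)."""
    if sts_client is None:
        import boto3  # lazy import: the ARN parser works without boto3
        sts_client = boto3.client("sts")
    identity = sts_client.get_caller_identity()
    # Cross-check the Account field against the ARN in the same response.
    if account_id_from_arn(identity["Arn"]) != identity["Account"]:
        raise ValueError("Account and Arn disagree: %r" % (identity,))
    return identity["Account"]


def require_account(expected_ids, sts_client=None):
    """Raise unless the current credentials belong to an expected account."""
    actual = caller_account_id(sts_client)
    if actual not in expected_ids:
        raise PermissionError("credentials belong to account %s" % actual)
    return actual


if __name__ == "__main__":
    for arn in SAMPLE_ARNS:
        print(arn, "->", account_id_from_arn(arn))
```

Calling `require_account` at the start of a deployment or cleanup script stops it before it acts with credentials for the wrong account.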