Checking the active caller identity in AWS CLI prevents commands from running against the wrong AWS account, role session, or federated login. The check matters before deployments, infrastructure changes, policy edits, or any automation run where one stale shell context can send signed requests to the wrong environment.

The STS get-caller-identity operation returns the identity tied to the credentials that the CLI actually used for the request. The response exposes UserId, Account, and Arn, which together show which account owns the credentials and whether the caller is an IAM user, an assumed role session, or another temporary principal.

The resolved identity can come from the default profile, an explicit --profile flag, exported credential variables, a credential_process helper, a cached IAM Identity Center login, or, on EC2 instances, containers, and CI runners, an instance or task role served from the metadata endpoint. When the result needs to be repeatable in scripts or change windows, keep the credential source explicit and treat an expired SSO session or leftover shell variables as the first suspects when the returned identity looks wrong.

Steps to check the current caller identity in AWS CLI:

  1. Run the STS identity call with the credentials currently active in the shell.
    $ aws sts get-caller-identity
    {
        "UserId": "AIDASAMPLEUSERID",
        "Account": "123456789012",
        "Arn": "arn:aws:iam::123456789012:user/PlatformOperator"
    }

    AWS documents get-caller-identity as returning caller details even when sts:GetCallerIdentity is explicitly denied, but the CLI still needs valid credentials so it can sign the request. A failure at this step therefore points at missing, invalid, or expired credentials (for example "Unable to locate credentials" or an ExpiredToken error), not at an IAM policy.

  2. Read Account and Arn first to confirm both the target account and the principal type before continuing.
    "Account": "123456789012"
    "Arn": "arn:aws:iam::123456789012:user/PlatformOperator"

    arn:aws:iam::...:user/... indicates a long-lived IAM user, arn:aws:iam::...:root indicates the account root user, and arn:aws:sts::...:assumed-role/ROLE/SESSION indicates temporary role credentials. In the assumed-role form only the role name is set by IAM; the session name is chosen by whoever called AssumeRole, so it identifies the session rather than a verified person.

  3. Check a named profile explicitly when the shell default is not trusted for the next command.
    $ aws sts get-caller-identity --profile operations-admin
    {
        "UserId": "AROAEXAMPLEID:cli-session",
        "Account": "210987654321",
        "Arn": "arn:aws:sts::210987654321:assumed-role/OperationsAdmin/cli-session"
    }

    An explicit --profile overrides AWS_PROFILE or the default profile selection for that one command.

  4. Refresh the sign-in session first when the profile uses IAM Identity Center and the cached token has expired.
    $ aws sso login --profile identity-center-admin
    Attempting to automatically open the SSO authorization page in your default browser.
    Successfully logged into Start URL: https://example.awsapps.com/start
    
    $ aws sts get-caller-identity --profile identity-center-admin
    {
        "UserId": "AROAEXAMPLEID:identity-center-admin",
        "Account": "123456789012",
        "Arn": "arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_AdministratorAccess_1234567890abcdef/identity-center-admin"
    }

    aws sso login refreshes the cached IAM Identity Center access token for the requested profile before the next signed CLI call.

  5. Return only the account ID when a script or a preflight check needs a stable single-line result.
    $ aws sts get-caller-identity --profile operations-admin --query Account --output text
    210987654321

    The combination of --profile, --query Account, and --output text is useful for deployment guards, CI checks, and shell prompts.

  6. Return only the ARN when the exact user, role, or role session name must be confirmed before continuing.
    $ aws sts get-caller-identity --profile operations-admin --query Arn --output text
    arn:aws:sts::210987654321:assumed-role/OperationsAdmin/cli-session

  7. Inspect the resolved configuration when the returned identity is unexpected or changes between shells.
    $ aws configure list --profile operations-admin
          Name                    Value             Type    Location
          ----                    -----             ----    --------
       profile          operations-admin           manual    --profile
    access_key     ****************ABCD shared-credentials-file
    secret_key     ****************WXYZ shared-credentials-file
        region                us-east-1      config-file    ~/.aws/config

    Exported variables such as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN override file-backed credentials, and aws configure list then reports their Type as env instead of shared-credentials-file, while a configured credential_process can supply a different identity than the shared files suggest. When the listing and the STS response disagree, unset the variables or name an explicit --profile and rerun get-caller-identity before issuing any change.
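The steps above combined into one preflight guard, as an added example that is not part of the original page or of the AWS CLI itself. It parses the JSON that get-caller-identity prints with --output json (step 1), checks the account and principal type (step 2) and the role name taken from the ARN (step 6), and refuses to continue on a mismatch. The function names, the GUARD_LIVE opt-in variable, and the two sample responses are this example's own assumptions; the samples are constructed to match the shapes shown in steps 1 and 3 and are not real accounts or credentials.

```shell
#!/bin/sh
# Added example (not from the original page): a preflight guard that
# parses a get-caller-identity response and refuses to proceed unless the
# account, principal type and role name match what the change expects.
# Function names, the GUARD_LIVE variable and the sample responses below
# are this example's own choices; the samples are constructed, not real.

# Extract one top-level string field (UserId, Account or Arn) from the JSON
# the CLI prints with --output json. Works on pretty or compact JSON and
# needs no jq; STS values never contain a double quote, so [^"]* is safe.
identity_field() {
    tr -d '\n' | sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Classify the principal from its ARN so the guard can insist on temporary
# role credentials rather than a long-lived user key or the root user.
principal_type() {
    case "$1" in
        arn:aws:iam::*:user/*)           echo iam-user ;;
        arn:aws:iam::*:root)             echo root ;;
        arn:aws:sts::*:assumed-role/*)   echo assumed-role ;;
        arn:aws:sts::*:federated-user/*) echo federated-user ;;
        *)                               echo unknown ;;
    esac
}

# check_caller_identity RESPONSE_JSON EXPECTED_ACCOUNT [EXPECTED_ROLE]
# Returns 0 on a match, 1 on a mismatch, 2 when the response is unparseable.
# An empty EXPECTED_ROLE accepts any assumed role in the expected account.
check_caller_identity() {
    response=$1; want_account=$2; want_role=${3:-}
    account=$(printf '%s' "$response" | identity_field Account)
    arn=$(printf '%s' "$response" | identity_field Arn)
    if [ -z "$account" ] || [ -z "$arn" ]; then
        echo "guard: could not read Account/Arn from STS response" >&2
        return 2
    fi
    if [ "$account" != "$want_account" ]; then
        echo "guard: account $account, expected $want_account" >&2
        return 1
    fi
    if [ "$(principal_type "$arn")" != assumed-role ]; then
        echo "guard: refusing to run as non-role principal $arn" >&2
        return 1
    fi
    # Role name is the segment between "assumed-role/" and the session name;
    # the session name is caller-chosen, so it is deliberately not compared.
    role=${arn#*:assumed-role/}; role=${role%%/*}
    if [ -n "$want_role" ] && [ "$role" != "$want_role" ]; then
        echo "guard: role $role, expected $want_role" >&2
        return 1
    fi
    return 0
}

# Constructed sample responses mirroring the shapes shown in steps 1 and 3.
SAMPLE_ROLE='{"UserId":"AROAEXAMPLEID:cli-session","Account":"210987654321","Arn":"arn:aws:sts::210987654321:assumed-role/OperationsAdmin/cli-session"}'
SAMPLE_USER='{
    "UserId": "AIDASAMPLEUSERID",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/PlatformOperator"
}'

# Stand-alone demonstration: only the role session passes the guard.
for sample in "$SAMPLE_ROLE" "$SAMPLE_USER"; do
    if check_caller_identity "$sample" 210987654321 OperationsAdmin; then
        echo "preflight ok: $(printf '%s' "$sample" | identity_field Arn)"
    fi
done

# Live use against a real profile, opted into with an environment variable
# so the script still runs where the AWS CLI is not installed:
#   GUARD_LIVE=1 sh guard.sh operations-admin 210987654321 OperationsAdmin
if [ "${GUARD_LIVE:-0}" = 1 ]; then
    check_caller_identity "$(aws sts get-caller-identity --profile "$1" --output json)" "$2" "${3:-}" \
        || { echo "preflight failed, not continuing" >&2; exit 1; }
    echo "preflight ok for profile $1"
fi
```

Run as is, it accepts the constructed role session and rejects the constructed IAM user; with GUARD_LIVE=1 it runs the real STS call for the named profile and stops the script on any mismatch. It compares the role name but never the session name, because the session name is supplied by whoever assumed the role and proves nothing about who is at the keyboard.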