BlindSniper

Reputation: 1853

Get AWS Account ID from instance

We have a requirement where we need to validate the AWS account ID from our code running on an EC2 instance. One way I found is to get this information from the AWS metadata IP at this URL:

http://169.254.169.254/latest/dynamic/instance-identity/document

But what if I don't have access to the internet? Is it saved and retrievable from the instance without pinging any outside URL?

Upvotes: 3

Views: 1473

Answers (2)

Moe

Reputation: 2842

But what if I don't have access to the internet? Is it saved and retrievable from the instance without pinging any outside URL?

This is not an outside IP; this IP is the local metadata service for your EC2 instance. It's not going through the internet. It's perfectly acceptable to use this to retrieve the account ID; in fact, Amazon provides you with everything you need to retrieve this kind of information from an instance using their various SDKs.

The alternative solution, as quasar pointed out, is to use aws sts get-caller-identity; however, this will require permissions on the instance role to work.

Upvotes: 2

quasar

Reputation: 937

You will be able to access that URL even if your instance does not have internet access. Another way you can get the ID is by using the AWS CLI. The get-caller-identity command returns the account, userid and the ARN. You will want to make sure your EC2 instance has permissions to call this.

aws sts get-caller-identity

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:GetCallerIdentity",
      "Resource": "*"
    }
  ]
}

Upvotes: 3
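The check the question asks for, as an added example that is not part of either answer: it reads the identity document from the metadata URL above using an IMDSv2 session token, bypasses any configured HTTP proxy so the request stays on the instance, and fails closed if the document is malformed. The function names, the 60-second token TTL, the 2-second timeout and the sample document are assumptions made for illustration.

```python
import json
import re
import urllib.request

IMDS = "http://169.254.169.254"  # link-local metadata endpoint from the question
# Empty ProxyHandler: metadata requests must never be routed through an HTTP proxy.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def fetch_identity_document(timeout=2):
    """Fetch the instance identity document using an IMDSv2 session token."""
    token_req = urllib.request.Request(
        IMDS + "/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    with _opener.open(token_req, timeout=timeout) as resp:
        token = resp.read().decode()
    doc_req = urllib.request.Request(
        IMDS + "/latest/dynamic/instance-identity/document",
        headers={"X-aws-ec2-metadata-token": token})
    with _opener.open(doc_req, timeout=timeout) as resp:
        return resp.read().decode()


def account_id_from_document(raw):
    """Return the 12-digit accountId, or raise ValueError if the document is malformed."""
    try:
        account = json.loads(raw).get("accountId")
    except (json.JSONDecodeError, AttributeError) as exc:
        raise ValueError("identity document is not a JSON object") from exc
    if not isinstance(account, str) or not re.fullmatch(r"[0-9]{12}", account):
        raise ValueError("accountId missing or not 12 digits")
    return account


def is_expected_account(raw, expected_account_id):
    """True only if the document parses and names the expected account."""
    try:
        return account_id_from_document(raw) == expected_account_id
    except ValueError:
        return False  # fail closed on anything unexpected


# Constructed sample document (not real account data), used for offline checks.
SAMPLE_DOCUMENT = json.dumps({"accountId": "123456789012", "region": "us-east-1",
                              "instanceId": "i-0123456789abcdef0"})

if __name__ == "__main__":
    # Only works on an EC2 instance; the expected ID here is a placeholder.
    print(is_expected_account(fetch_identity_document(), "123456789012"))
```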
