Abhinandan Mittal

Reputation: 15

Get IAM userId from userArn

I have a use case where multiple AWS accounts send messages to my SQS queue and I want to uniquely identify who sent what. In the SQS message, I see a Sender Account ID, which is the userId of the IAM user/role who sent the message.

Is there a way I can convert this userId to a userArn so that I can identify which account the message came from? The only API I see is GetUser, but it expects authorization credentials. I don't want to use the userId, as it will increase the operational overhead on my end to figure out the userIds of all the users/roles ARNs that have permission to send messages.

If we look at one of the responses of the GetUser API, it looks something like this:

<User>
  <UserId>AIDACKCEVSQ6C2EXAMPLE</UserId>
  <Path>/division_abc/subdivision_xyz/</Path>
  <UserName>Bob</UserName>
  <Arn>arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob</Arn>
  <CreateDate>2013-10-02T17:01:44Z</CreateDate>
  <PasswordLastUsed>2014-10-10T14:37:51Z</PasswordLastUsed>
</User>

This userId is a non-read-friendly unique identifier present for every user/role. What I want to achieve is the userArn by passing the userId. This documentation provides info about userId.

On a more theoretical note, if I can't get the userArn from the userId publicly without user credentials, what can be the reasoning behind not providing it?

Upvotes: 0

Views: 1064

Answers (1)

John Rotenstein

Reputation: 269500

AWS doesn't really provide details of "who" does things in an AWS Account. If a user has sufficient permissions to execute an API call (e.g. SendMessage() to send a message to an SNS queue), it is the AWS Account that actually sends the message, not the individual user.

The same goes for objects stored on Amazon S3 (there is no 'user' who owns the object), and Amazon EC2 instances (there is no "owner" of the instance).

The one place where you can identify who does things is in AWS CloudTrail, which provides an audit trail of API calls. It will show each API call, with a timestamp and details of the user who made the request.

In your SQS Message, Sender Account ID is the ID of the AWS Account that was used by the sender. It is not an ID of that particular user (just the AWS Account they used).

Upvotes: 2
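The answer points at CloudTrail as the one place that records which principal made a call, and the question shows that an IAM user's unique ID (the `AIDA...` value) and ARN appear together in IAM responses. The following Python is an added example, not code from the question, the answer, or any AWS SDK: it builds a principalId-to-ARN map from CloudTrail records (where `userIdentity.principalId` and `userIdentity.arn` sit side by side, and assumed-role sessions expose the underlying role under `sessionContext.sessionIssuer`) and then resolves the `SenderId` attribute of received SQS messages against that map, falling back to the role ID when a session name was never seen in CloudTrail. The CloudTrail records and SQS messages are constructed sample data; the function names are the example's own.

```python
import json
import re

# Constructed sample CloudTrail log (not from the original page). The layout
# follows CloudTrail's userIdentity element: an IAM user carries its unique
# user ID in principalId; an assumed role carries "<roleId>:<sessionName>"
# and exposes the role itself under sessionContext.sessionIssuer.
CLOUDTRAIL_LOG = json.dumps({
    "Records": [
        {
            "eventSource": "sqs.amazonaws.com",
            "eventName": "SendMessage",
            "userIdentity": {
                "type": "IAMUser",
                "principalId": "AIDACKCEVSQ6C2EXAMPLE",
                "arn": "arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob",
                "accountId": "123456789012",
                "userName": "Bob",
            },
        },
        {
            "eventSource": "sqs.amazonaws.com",
            "eventName": "SendMessage",
            "userIdentity": {
                "type": "AssumedRole",
                "principalId": "AROAEXAMPLEROLEID0001:producer-session",
                "arn": "arn:aws:sts::210987654321:assumed-role/QueueProducer/producer-session",
                "accountId": "210987654321",
                "sessionContext": {
                    "sessionIssuer": {
                        "type": "Role",
                        "principalId": "AROAEXAMPLEROLEID0001",
                        "arn": "arn:aws:iam::210987654321:role/QueueProducer",
                        "accountId": "210987654321",
                    }
                },
            },
        },
    ]
})

# Constructed SQS messages, shaped like receive_message(AttributeNames=["SenderId"]) output.
SQS_MESSAGES = [
    {"MessageId": "m-1", "Body": "order 1", "Attributes": {"SenderId": "AIDACKCEVSQ6C2EXAMPLE"}},
    {"MessageId": "m-2", "Body": "order 2", "Attributes": {"SenderId": "AROAEXAMPLEROLEID0001:producer-session"}},
    {"MessageId": "m-3", "Body": "order 3", "Attributes": {"SenderId": "AROAEXAMPLEROLEID0001:other-session"}},
    {"MessageId": "m-4", "Body": "order 4", "Attributes": {"SenderId": "123456789012"}},
    {"MessageId": "m-5", "Body": "order 5", "Attributes": {"SenderId": "AIDAUNKNOWNSENDER0001"}},
]

ACCOUNT_ID_RE = re.compile(r"\d{12}")


def build_principal_map(cloudtrail_json):
    """Map every principalId seen in CloudTrail to (arn, accountId)."""
    principals = {}
    for rec in json.loads(cloudtrail_json)["Records"]:
        ident = rec.get("userIdentity", {})
        pid, arn, acct = ident.get("principalId"), ident.get("arn"), ident.get("accountId")
        if pid and arn:
            principals[pid] = (arn, acct)
        # For assumed roles, also record the role itself so that sessions with
        # names not yet seen in CloudTrail can still be attributed to the role.
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        if issuer.get("principalId") and issuer.get("arn"):
            principals[issuer["principalId"]] = (issuer["arn"], issuer.get("accountId"))
    return principals


def classify_sender_id(sender_id):
    """Classify a SenderId by its shape: account ID, IAM user ID, or role session ID."""
    if ACCOUNT_ID_RE.fullmatch(sender_id):
        return "account"
    if sender_id.startswith("AIDA"):
        return "iam-user"
    if sender_id.startswith("AROA"):
        return "assumed-role"
    return "unknown"


def resolve_sender(sender_id, principals):
    """Resolve one SenderId to an ARN and account using the CloudTrail-derived map."""
    kind = classify_sender_id(sender_id)
    if kind == "account":
        # A bare account ID identifies the account only; there is no ARN to recover.
        return {"sender_id": sender_id, "kind": kind, "arn": None, "account_id": sender_id}
    hit = principals.get(sender_id)
    if hit is None and ":" in sender_id:
        # Unseen session name: fall back to the role ID before the colon.
        hit = principals.get(sender_id.split(":", 1)[0])
    arn, acct = hit if hit else (None, None)
    return {"sender_id": sender_id, "kind": kind, "arn": arn, "account_id": acct}


def resolve_messages(messages, principals):
    """Resolve the SenderId of every received message, keyed by MessageId."""
    return {m["MessageId"]: resolve_sender(m["Attributes"]["SenderId"], principals) for m in messages}


if __name__ == "__main__":
    for msg_id, info in resolve_messages(SQS_MESSAGES, build_principal_map(CLOUDTRAIL_LOG)).items():
        print(msg_id, info)
```

Senders that never appear in CloudTrail resolve to `arn: None`, which is the useful signal here: a message from a principal with no audit-trail history is exactly the case worth alerting on, rather than silently accepting.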
