How can I deduce the AWS Account ID from available BasicAWSCredentials?

Update

AWS has just silently addressed this long standing gap by introducing the dedicated STS API action GetCallerIdentity, which returns details about the IAM identity whose credentials are used to call the API, including the AWS Account ID - there are a few sample responses, e.g.:

<GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">  <GetCallerIdentityResult>   <Arn>arn:aws:iam::123456789012:user/Alice</Arn>    <UserId>AKIAI44QH8DHBEXAMPLE</UserId>    <Account>123456789012</Account>  </GetCallerIdentityResult>  <ResponseMetadata>    <RequestId>01234567-89ab-cdef-0123-456789abcdef</RequestId>  </ResponseMetadata></GetCallerIdentityResponse>

You can use the AWS Command Line Interface to obtain just the account ID, here's an example:

$ aws sts get-caller-identity --output text --query Account121371349383

Initial Answer

This is at least indirectly possible via AWS Identity and Access Management (IAM) by means of the GetUser action (available via getUser() in the AWS SDK for Java):

Retrieves information about the specified user, including the user's path, GUID, and ARN.

If you do not specify a user name, IAM determines the user name implicitly based on the AWS Access Key ID signing the request.

The returned User data type (Class User) contains an Arn element (getArn()), which is the Amazon Resource Name (ARN) specifying the user. This is further detaild in Identifiers for IAM Entities, specifically in section ARNs, which describes the format of the User Resource Type:

arn:aws:iam::{account_ID}:user/{path/to/user/UserName}Example: arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob

This is an old question, but for the poor souls out there -The answer based on ARN is the most correct answer that we found. There's also an OwnerId field when calling DescribeInstances, but there may be no instances ..

However the reality is a bit more complex. Sometimes the IAM user does not have the permission to issue getUser(), and then he gets AmazonServiceException with

getErrorCode() = "AccessDenied"

In this case, the ARN is a part of the AWS error message:

User: arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob is not authorized to perform: iam:GetUser on resource: arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob

So here the matters are even worse: we need to parse a free text error message and then extract the account number:

try {    ... iam.getUser(); ...} catch (AmazonServiceException e) {    if (e.getErrorCode().compareTo("AccessDenied") == 0) {        String arn = null;        String msg = e.getMessage();        // User: arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob is not authorized to perform: iam:GetUser on resource: arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob        int arnIdx = msg.indexOf("arn:aws");        if (arnIdx != -1) {            int arnSpace = msg.indexOf(" ", arnIdx);            arn = msg.substring(arnIdx, arnSpace);        }        System.out.println("ARN: " + arn);}

If you have the AWS CLI tools, you can:

aws iam get-user | awk '/arn:aws:/{print $2}'