Viewing account identifiers - AWS Account Management
Finding your AWS account IDFinding the canonical user ID for your AWS account

Viewing account identifiers

Important

The following AWS Identity and Access Management (IAM) actions will reach the end of standard support on July 2023: aws-portal:ModifyAccount and aws-portal:ViewAccount. See the Using fine-grained AWS Billing actions to replace these actions with fine-grained actions so you have access to AWS Billing, AWS Cost Management, and AWS accounts consoles.

If you created your AWS account or AWS Organizations Management account before March 6, 2023, the fine-grained actions will be effective starting July 2023. We recommend you to add the fine-grained actions, but not remove your existing permissions with aws-portal or purchase-orders prefixes.

If you created your AWS account or AWS Organizations Management account on or after March 6, 2023, the fine-grained actions are effective immediately.

AWS assigns the following unique identifiers to each AWS account:

AWS account ID

A 12-digit number, such as 123456789012, that uniquely identifies an AWS account. Many AWS resources include the account ID in their Amazon Resource Names (ARNs). The account ID portion distinguishes resources in one account from the resources in another account. If you're an AWS Identity and Access Management (IAM) user, you can sign in to the AWS Management Console using either the account ID or account alias.

Canonical user ID

An alpha-numeric identifier, such as 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be, that is an obfuscated form of the AWS account ID. You can use this ID to identify an AWS account when granting cross-account access to buckets and objects using Amazon Simple Storage Service (Amazon S3). You can retrieve the canonical user ID for your AWS account as either the root user or an IAM user.

You must be authenticated with AWS to view these identifiers.

Warning

Do not provide your AWS credentials (including passwords and access keys) to a third party that needs your AWS account identifiers to share AWS resources with you. Doing so would give them the same access to the AWS account that you have.

Finding your AWS account ID

You can find the AWS account ID using either the AWS Management Console or the AWS Command Line Interface (AWS CLI). In the console, the location of the account ID depends on whether you're signed in as the root user or an IAM user. The account ID is the same whether you're signed in as the root user or an IAM user.

Finding your account ID as the root user

AWS Management Console
To find your AWS account ID when signed in as the root user
Minimum permissions

To perform the following steps, you must have at least the following IAM permissions:

  • When you sign in as the root user, you don't need any IAM permissions.

  1. In the navigation bar on the upper right, choose your account name or number and then choose My Security Credentials.

  2. Expand the Account identifiers section. The account number appears next to the label AWS account ID.

AWS CLI & SDKs

To find your AWS account ID using the AWS CLI

Minimum permissions

To perform the following steps, you must have at least the following IAM permissions:

  • When you run the command as the root user, you don't need any IAM permissions.

Use the get-caller-identity command as follows.

$ aws sts get-caller-identity \
    --query Account \
    --output text
123456789012

Finding your account ID as an IAM user

AWS Management Console
To find your AWS account ID when signed in as an IAM user
Minimum permissions

To perform the following steps, you must have at least the following IAM permissions:

  • aws-portal:ViewAccount

  1. In the navigation bar on the upper right, choose your user name and then choose My Security Credentials.

    Tip

    If you don't see the My Security Credentials page, you might be signed in as a federated user with an IAM role, instead of as an IAM user. In this case, look for the entry My Account and the account ID number next to it.

  2. At the top of the page, under Account details, the account number appears next to the label AWS account ID.

AWS CLI & SDKs

To find your AWS account ID using the AWS CLI

Minimum permissions

To perform the following steps, you must have at least the following IAM permissions:

  • When you run the command as an IAM user or role, then you must have:

    • sts:GetCallerIdentity

Use the get-caller-identity command as follows.

$ aws sts get-caller-identity \
    --query Account \
    --output text
123456789012

Finding the canonical user ID for your AWS account

You can find the canonical user ID for your AWS account using the AWS Management Console or the AWS CLI. The canonical user ID for an AWS account is specific to that account. You can retrieve the canonical user ID for your AWS account as the root user, a federated user, or an IAM user.

Finding the canonical ID as the root user or IAM user

AWS Management Console
To find the canonical user ID for your account when signed in to the console as the root user or an IAM user
Minimum permissions

To perform the following steps, you must have at least the following IAM permissions:

  • When you run the command as the root user, you don't need any IAM permissions.

  • When you sign in as an IAM user, then you must have:

    • aws-portal:ViewAccount

  1. Sign in to the AWS Management Console as the root user or an IAM user.

  2. In the navigation bar on the upper right, choose your account name or number and then choose My Security Credentials.

  3. If you are the root user, expand Account identifiers and find Canonical User ID.

    You will see the AWS Account ID and the Canonical User ID values listed. You can use your canonical user ID to configure Amazon S3 access control lists (ACLs).

    If you're an IAM user, under Account details, find Account canonical user ID.

AWS CLI & SDKs
To find the canonical user ID using the AWS CLI

The same AWS CLI and API command works for the AWS account root user, IAM users, or IAM roles.

Use the list-buckets command as follows.

$ aws s3api list-buckets \
    --query Owner.ID \
    --output text
249fa2f1dc32c330EXAMPLE91b2778fcc65f980f9172f9cb9a5f50ccbEXAMPLE

Finding the canonical ID as a federated user with an IAM role

AWS Management Console
To find the canonical user ID for your account when signed in to the console as a federated user with an IAM role
Minimum permissions

  • You must have permission to list and view an Amazon S3 bucket.

  1. Sign in to the AWS Management Console as a federated user with an IAM role.

  2. In the Amazon S3 console, choose a bucket name to view details about a bucket.

  3. Choose Permissions, and then choose Access Control List.

    At the top of the page, under Access for bucket owner, the canonical user ID for the AWS account appears.

AWS CLI & SDKs
To find the canonical user ID using the AWS CLI

The same AWS CLI and API command works for the AWS account root user, IAM users, or IAM roles.

Use the list-buckets command as follows.

$ aws s3api list-buckets \
    --query Owner.ID \
    --output text
249fa2f1dc32c330EXAMPLE91b2778fcc65f980f9172f9cb9a5f50ccbEXAMPLE