Decodes the AWS account ID given an AWS access key ID (with a four-letter resource identifier beginning with "A"; this does not work for older key IDs beginning with "I" or "J").
This is a small, single-file library with no dependencies outside std. Only two functions are exported / public
(there is an example of each below).
This can be installed as a crate via cargo.
cargo add aws_account_id_from_key_id
Once added as a dependency to a project, you can use it like so:
use aws_account_id_from_key_id::*;
fn main() {
let access_key_id = "AKIASP2TPHJSQH3FJXYZ";
// Decode AWS account ID given AWS access key ID
assert_eq!(get_aws_account_id(&access_key_id).unwrap(), "171436882533");
// Get associated AWS resource type given AWS access key ID
assert_eq!(get_associated_resource_type(&access_key_id).unwrap(), "Access key");
}Yes, use the AWS Security Token Service (STS) API call GetAccessKeyInfo. Example:
aws sts get-access-key-info --access-key-id=<key-id-goes-here>
I mainly wrote this as a Rust programming language learning exercise. I'm open to feedback both to learn more about Rust and better ways to implement this as well as to fix any bugs / logic errors in the code.
This is primarily based on the research and Python PoC code by Tal Be'ery.
- A short note on AWS KEY ID
- AWS Access Key ID formats
- AWS security credential formats
- Get Account ID from AWS Access Keys
- Research Uncovers AWS Account Numbers Hidden in Access Keys
- TruffleHog AWS Detector Code
- Understanding unique ID prefixes
This project is released open source under the MIT License.