To map a user ID Finding your Identity Store ID Verifying the user mapping Additional resources

Retrieving user metadata and attributes using userID in an identity store

Note

This procedure also applies to the createdBy field returned by the SearchJobs API, which uses the same user ID format.

The userId field in session statistics contains one of the following values:

An AWS Identity and Access Management (IAM) role ARN, for example: arn:aws:sts::123456789012:assumed-role/Admin/user-Isengard.
An IAM Identity Center user ID (UUID), for example: f9c1f3f0-1031-70dc-4d25-30d7225b04a0.

For IAM role ARNs, the username is visible in the ARN itself. For IAM Identity Center user IDs, you can look up the username using the IAM Identity Center Identity Store API.

To identify the username associated with an IAM Identity Center user ID, use the following procedure. Before you begin, get the Identity Store ID from your IAM Identity Center settings. For more information, see Finding your Identity Store ID.

To map a user ID

Run the following command, replacing IdentityStoreId with your Identity Store ID and userUUID with the userId from the session statistics response:
```
aws identitystore describe-user \
    --identity-store-id IdentityStoreId \
    --user-id userUUID
```

Review the response, which includes the username:


{
    "UserName": "jdoe",
    "UserId": "f9c1f3f0-1031-70dc-4d25-30d7225b04a0",
    "Name": {
        "FamilyName": "Doe",
        "GivenName": "Jane"
    },
    "DisplayName": "Jane Doe",
    "Emails": [{
        "Value": "jdoe@example.com",
        "Type": "work",
        "Primary": true
    }],
    "IdentityStoreId": "d-xxxxxxxxxx"
}

Finding your Identity Store ID

To map user IDs to usernames, you need the Identity Store ID. You can find the Identity Store ID using the IAM Identity Center console or the AWS CLI.

Console

To find your Identity Store ID using the console, use the following procedure.

Sign in to the AWS Management Console and open the IAM Identity Center console.
In the navigation pane, choose Settings.
Copy the IAM Identity Center Identity Store ID value. The format is d-xxxxxxxxxx.

AWS CLI

Run the following command, replacing region-name with the Region where your IAM Identity Center instance is configured:


aws sso-admin list-instances --region region-name

The response includes the IdentityStoreId:


{
    "Instances": [
        {
            "CreatedDate": "2025-11-19T15:45:55.160000-08:00",
            "IdentityStoreId": "d-xxxxxxxxxx",
            "InstanceArn": "arn:aws:sso:::instance/ssoins-xxxxxxxxxxxxxxxx",
            "OwnerAccountId": "123456789012",
            "Status": "ACTIVE"
        }
    ]
}

Verifying the user mapping

After you map a user ID to a username, you can verify in the IAM Identity Center console that the user ID matches the expected user. To verify the user mapping, use the following procedure.

Sign in to the AWS Management Console and open the IAM Identity Center console.
In the navigation pane, choose Users.
Choose the username from the AWS CLI response.
In the General information section, verify that the User ID matches the userId from your session statistics.

Additional resources

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Querying session statistics aggregated data

Security