Tags: amazon-web-services, amazon-iam, amazon-kms

Can we link the GranteePrincipal from List Grants API back to User/Role which is issued the grant?


In the Amazon Key Management Service there is a way to list grants on a Customer Master Key. This returns a list of GrantListEntry objects. Each one has a getGranteePrincipal() method which returns a string similar to AIDAJBVZPN4EIJ44R7AZM. This is supposed to map to the user/role for which this grant is relevant; however, I cannot figure out how to map this string to a user. It is not their IAM key or ARN. Is there any way to correlate this string to the original user?


Solution

  • You are most likely looking at the Unique ID:

    When IAM creates a user, group, role, policy, instance profile, or server certificate, it assigns to each entity a unique ID that looks like the following example:

    AIDAJQABLZS4A3QDU576Q

    For the most part, you use friendly names and ARNs when you work with IAM entities, so you don't need to know the unique ID for a specific entity. However, the unique ID can sometimes be useful when it isn't practical to use friendly names.

    As mentioned in the last paragraph (and further outlined in the referenced documentation), the unique ID is usually hidden away in favor of friendly names, but it is required to guarantee uniqueness when, for example, a user leaves the organization and another one with the same friendly name joins later.

    The other provided example seems to explain the scenario at hand (and also applies to your own use case apparently):

    Another example where user IDs can be useful is if you maintain your own database (or other store) of IAM user information. The unique ID can provide a unique identifier for each IAM user you create, even if over time you have IAM users that reuse a name, as in the previous example.

    Getting the Unique ID

    As outlined in the respective section, the unique ID for an IAM entity is not available in the IAM console. However, you can get it using AWS CLI commands or IAM API calls, e.g. for a user:

    Unfortunately it doesn't seem to be possible to search for it directly though, so you would need to iterate over all users and retrieve it individually in order to generate the desired mapping.

    • If you happen to generate your users/roles programmatically, the unique ID is returned by the respective calls right away at least, see e.g. CreateUser.
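One way to build the mapping the answer describes, as an added example that is not part of the answer or of any AWS SDK: iterate over all IAM users and roles, index them by unique ID (and ARN), then resolve each grant's GranteePrincipal against that index. It assumes the response shapes of boto3's iam.list_users, iam.list_roles and kms.list_grants; the sample users, roles and grants at the bottom are constructed, not real account data.

```python
"""Resolve KMS grant GranteePrincipal values to IAM names via unique IDs."""
from typing import Dict, Iterable, Optional

def build_principal_index(users: Iterable[dict], roles: Iterable[dict]) -> Dict[str, str]:
    """Map IAM unique IDs (UserId/RoleId) and ARNs to a readable label.
    `users`/`roles` are dicts shaped like boto3's iam.list_users()['Users'] and
    iam.list_roles()['Roles'] entries (unique ID + ARN are what we need)."""
    index: Dict[str, str] = {}
    for u in users:
        index[u["UserId"]] = index[u["Arn"]] = f"user/{u['UserName']}"
    for r in roles:
        index[r["RoleId"]] = index[r["Arn"]] = f"role/{r['RoleName']}"
    return index

def resolve_grantee(principal: str, index: Dict[str, str]) -> Optional[str]:
    """Return the friendly label for a GranteePrincipal, or None if unknown.
    The value may be an ARN or a bare unique ID (AIDA... user, AROA... role).
    Assumption: an assumed-role principal may appear as 'AROA...:session-name',
    so the part before the first ':' is tried as a fallback."""
    if principal in index:
        return index[principal]
    return index.get(principal.split(":", 1)[0])

def resolve_grants(grants: Iterable[dict], index: Dict[str, str]) -> list:
    """Annotate ListGrants entries with 'GranteeLabel' (None when unresolved).
    Unresolved IDs deserve review: the principal may have been deleted while
    its grant is still active, so the grant should be retired or revoked."""
    return [{**g, "GranteeLabel": resolve_grantee(g["GranteePrincipal"], index)} for g in grants]

def fetch_live(key_id: str):
    """Pull users, roles and grants from AWS (needs boto3 and credentials)."""
    import boto3  # imported lazily so the offline sample below still runs
    iam, kms = boto3.client("iam"), boto3.client("kms")
    users = [u for p in iam.get_paginator("list_users").paginate() for u in p["Users"]]
    roles = [r for p in iam.get_paginator("list_roles").paginate() for r in p["Roles"]]
    grants = [g for p in kms.get_paginator("list_grants").paginate(KeyId=key_id) for g in p["Grants"]]
    return users, roles, grants

# Constructed sample data (not real account data).
SAMPLE_USERS = [{"UserName": "alice", "UserId": "AIDAEXAMPLEUSER00001",
                 "Arn": "arn:aws:iam::123456789012:user/alice"}]
SAMPLE_ROLES = [{"RoleName": "app-role", "RoleId": "AROAEXAMPLEROLE00001",
                 "Arn": "arn:aws:iam::123456789012:role/app-role"}]
SAMPLE_GRANTS = [{"GrantId": "g1", "GranteePrincipal": "AIDAEXAMPLEUSER00001"},
                 {"GrantId": "g2", "GranteePrincipal": "AROAEXAMPLEROLE00001:deploy-session"},
                 {"GrantId": "g3", "GranteePrincipal": "AIDAEXAMPLEDELETED01"}]

if __name__ == "__main__":
    for row in resolve_grants(SAMPLE_GRANTS, build_principal_index(SAMPLE_USERS, SAMPLE_ROLES)):
        print(row["GrantId"], row["GranteePrincipal"], "->", row["GranteeLabel"])
```

For a real account, replace the sample data with `users, roles, grants = fetch_live("<key id or ARN>")`; grants whose label comes back as None are the ones to investigate first.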