GetCallerIdentity throws StsException if sts:GetCallerIdentity is not added to the policy

[sampathpremarathna]

In the documentation it states that no permissions are required and we can still call GetCallerIdentity on sts. Yes we could do that with SDK 1 but after migrating to SDK 2, it throws below error.
software.amazon.awssdk.services.sts.model.StsException: User: arn:aws:sts::ACCOUNT:assumed-role/ROLE/12130372ba9a4084a38177acldsj38udfa is not authorized to perform: sts:GetCallerIdentity on resource: Resource because no identity-based policy allows the sts:GetCallerIdentity action.
But once below policy added it started to work

{
        "Effect": "Allow",
        "Action": "sts:GetCallerIdentity",
        "Resource": "*"
}

This is how I get account ID with SDK 2:

  try(StsClient cl = StsClient.create()){
           GetCallerIdentityResponse response = cl.getCallerIdentity(GetCallerIdentityRequest.builder().build());
           return response.account();
       } 

And this is how it was with SDK 1:

 AWSSecurityTokenServiceClientBuilder.defaultClient().getCallerIdentity(new GetCallerIdentityRequest()).getAccount();   
      // this worked without explicit permission declared in the policy

STS:2.25.70 is being used

Could you please explain this ?