Skip to content
Latchkey

aws-actions/configure-aws-credentials

Authenticate to AWS in a workflow, ideally by assuming a role with OIDC (no stored keys).

Official actionCategory: Cloud Auth & DeployLatest v4View on GitHub

What it does

aws-actions/configure-aws-credentials exports AWS credentials into the environment so later steps (the AWS CLI, SDKs, ECR login) are authenticated.

The recommended mode assumes an IAM role via GitHub OIDC, so no long-lived access keys live in your secrets.

Usage

workflow (.yml)
permissions:
  id-token: write   # required for OIDC
  contents: read
steps:
  - uses: aws-actions/configure-aws-credentials@v4
    with:
      role-to-assume: arn:aws:iam::123456789012:role/github-actions
      aws-region: us-east-1

Inputs

InputDescriptionDefaultRequired
aws-regionAWS region to use.-Yes
role-to-assumeARN of the IAM role to assume (OIDC or key-based).-No
role-session-nameSession name for the assumed role.GitHubActionsNo
aws-access-key-idStatic access key (avoid; prefer OIDC).-No
aws-secret-access-keyStatic secret key (avoid; prefer OIDC).-No
role-duration-secondsHow long the assumed session lasts.3600No

Outputs

OutputDescription
aws-account-idThe account ID of the resolved credentials.

Notes

OIDC role assumption requires permissions: id-token: write on the job and a configured IAM OIDC identity provider trusting token.actions.githubusercontent.com.

Common errors

  • Credentials could not be loaded or Region is missing means aws-region was not set. It is required.
  • Not authorized to perform sts:AssumeRoleWithWebIdentity means the IAM role trust policy does not allow your repo, or id-token: write is missing.

Security and pinning

  • Prefer OIDC role assumption over static aws-access-key-id/aws-secret-access-key. It removes standing secrets from CI.
  • Scope the assumed role to the minimum actions the workflow needs, and restrict its trust policy to specific repos/branches.

Alternatives and related

Frequently asked questions

How do I use AWS without storing access keys?
Configure an IAM OIDC provider for GitHub, create a role that trusts your repo, and pass role-to-assume with permissions: id-token: write. No static keys needed.
Running aws-actions/configure-aws-credentials? Run it on Latchkey managed runners - self-healing and caching included. Start free → 30-day trial · No credit card