aws-actions/configure-aws-credentials
Authenticate to AWS in a workflow, ideally by assuming a role with OIDC (no stored keys).
What it does
aws-actions/configure-aws-credentials exports AWS credentials into the environment so later steps (the AWS CLI, SDKs, ECR login) are authenticated.
The recommended mode assumes an IAM role via GitHub OIDC, so no long-lived access keys live in your secrets.
Usage
workflow (.yml)
permissions:
id-token: write # required for OIDC
contents: read
steps:
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::123456789012:role/github-actions
aws-region: us-east-1Inputs
| Input | Description | Default | Required |
|---|---|---|---|
aws-region | AWS region to use. | - | Yes |
role-to-assume | ARN of the IAM role to assume (OIDC or key-based). | - | No |
role-session-name | Session name for the assumed role. | GitHubActions | No |
aws-access-key-id | Static access key (avoid; prefer OIDC). | - | No |
aws-secret-access-key | Static secret key (avoid; prefer OIDC). | - | No |
role-duration-seconds | How long the assumed session lasts. | 3600 | No |
Outputs
| Output | Description |
|---|---|
aws-account-id | The account ID of the resolved credentials. |
Notes
OIDC role assumption requires permissions: id-token: write on the job and a configured IAM OIDC identity provider trusting token.actions.githubusercontent.com.
Common errors
Credentials could not be loadedorRegion is missingmeansaws-regionwas not set. It is required.Not authorized to perform sts:AssumeRoleWithWebIdentitymeans the IAM role trust policy does not allow your repo, orid-token: writeis missing.
Security and pinning
- Prefer OIDC role assumption over static
aws-access-key-id/aws-secret-access-key. It removes standing secrets from CI. - Scope the assumed role to the minimum actions the workflow needs, and restrict its trust policy to specific repos/branches.
Alternatives and related
aws-actions/amazon-ecr-loginLog in to Amazon ECR so a workflow can pull and push container images.
hashicorp/setup-terraformInstall the Terraform CLI and (optionally) wrap it to expose plan output in later steps.
Frequently asked questions
How do I use AWS without storing access keys?
Configure an IAM OIDC provider for GitHub, create a role that trusts your repo, and pass
role-to-assume with permissions: id-token: write. No static keys needed.