How to Assume an AWS Role With OIDC Instead of Static Keys in GitHub Actions
OIDC lets the runner exchange a signed GitHub token for temporary AWS credentials, so no static access keys live in the repo.
Grant id-token: write, then use aws-actions/configure-aws-credentials with role-to-assume. The action calls AssumeRoleWithWebIdentity and exports temporary credentials.
Steps
- Create an IAM OIDC provider for
token.actions.githubusercontent.com. - Create a role whose trust policy restricts
subto your repo and branch. - Add
permissions: id-token: writeto the job. - Use
configure-aws-credentialswithrole-to-assumeandaws-region(no keys).
Workflow
.github/workflows/ci.yml
permissions:
id-token: write
contents: read
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::111122223333:role/gha-deploy
role-session-name: gha-${{ github.run_id }}
aws-region: us-east-1
- run: aws sts get-caller-identityGotchas
- The trust policy must set the audience condition
sts.amazonaws.comand asublikerepo:org/name:ref:refs/heads/main. - Without
id-token: writethe action fails with a missing OIDC token URL error.
Related guides
How to Authenticate to Google Cloud via Workload Identity Federation in GitHub ActionsUse keyless OIDC to authenticate GitHub Actions to Google Cloud with Workload Identity Federation and google-…
How to Authenticate to Azure via Federated OIDC Credentials in GitHub ActionsLog in to Azure from GitHub Actions with passwordless OIDC by registering a federated credential on an app re…