Skip to content
Latchkey

How to Authenticate to Amazon EKS via OIDC in GitHub Actions

GitHub OIDC lets a workflow assume an IAM role with no stored AWS keys, after which aws eks update-kubeconfig writes cluster credentials.

Grant the job id-token: write, assume your IAM role with aws-actions/configure-aws-credentials, then run aws eks update-kubeconfig to wire kubectl to the cluster.

Steps

  • Create an IAM OIDC provider for token.actions.githubusercontent.com and a role trusting your repo.
  • Add permissions: id-token: write to the job.
  • Assume the role with configure-aws-credentials and role-to-assume.
  • Run aws eks update-kubeconfig --name <cluster> --region <region>.

Workflow

.github/workflows/deploy.yml
permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::111122223333:role/gha-eks-deploy
          aws-region: us-east-1
      - run: aws eks update-kubeconfig --name prod --region us-east-1
      - run: kubectl get nodes
      - run: kubectl apply -f k8s/

Gotchas

  • The IAM principal must also map to a Kubernetes group via an access entry or the aws-auth ConfigMap.
  • Scope the trust policy to repo:org/name:ref:refs/heads/main so only main can assume the role.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →