How to Use OIDC per Environment With Different Roles in GitHub Actions
Store each environment role ARN as an environment variable so the OIDC login assumes the right role per target.
Grant id-token: write, set an environment variable (e.g. AWS_ROLE_ARN) per environment, then pass vars.AWS_ROLE_ARN to the OIDC login action. Each environment assumes its own least-privilege role.
Steps
- Add
permissions: id-token: writeto the job. - Set
AWS_ROLE_ARNas a variable on each environment. - Pass
role-to-assume: ${{ vars.AWS_ROLE_ARN }}to the OIDC login.
Workflow
.github/workflows/ci.yml
permissions:
id-token: write
contents: read
jobs:
deploy:
runs-on: ubuntu-latest
environment: production
steps:
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ vars.AWS_ROLE_ARN }}
aws-region: us-east-1
- run: aws sts get-caller-identityGotchas
- Scope each cloud role trust policy to the matching environment in its subject claim.
- Without
id-token: write, the runner cannot mint the OIDC token.
Related guides
How to Authenticate to AWS With OIDC in GitHub ActionsGet short-lived AWS credentials in GitHub Actions via OIDC and aws-actions/configure-aws-credentials, removin…
How to Use Environment-Scoped Variables in GitHub ActionsDefine non-secret configuration per environment in GitHub Actions with environment variables read through the…