Skip to content
Latchkey

How to Use OIDC per Environment With Different Roles in GitHub Actions

Store each environment role ARN as an environment variable so the OIDC login assumes the right role per target.

Grant id-token: write, set an environment variable (e.g. AWS_ROLE_ARN) per environment, then pass vars.AWS_ROLE_ARN to the OIDC login action. Each environment assumes its own least-privilege role.

Steps

  • Add permissions: id-token: write to the job.
  • Set AWS_ROLE_ARN as a variable on each environment.
  • Pass role-to-assume: ${{ vars.AWS_ROLE_ARN }} to the OIDC login.

Workflow

.github/workflows/ci.yml
permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ vars.AWS_ROLE_ARN }}
          aws-region: us-east-1
      - run: aws sts get-caller-identity

Gotchas

  • Scope each cloud role trust policy to the matching environment in its subject claim.
  • Without id-token: write, the runner cannot mint the OIDC token.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →