How to Use OIDC to Authenticate GitHub Actions to AWS
Stop storing AWS keys in secrets. OIDC lets GitHub Actions assume an IAM role with short-lived credentials.
OpenID Connect lets a workflow exchange its identity token for temporary AWS credentials, so you never store static keys. Set up the IAM trust once.
Steps
- Add the GitHub OIDC provider to AWS IAM (token.actions.githubusercontent.com).
- Create an IAM role with a trust policy scoped to your repo/branch (
subcondition). - Grant the role only the permissions the workflow needs.
- Add
permissions: id-token: writeto the job. - Use
aws-actions/configure-aws-credentialswithrole-to-assume.
Workflow snippet
.github/workflows/deploy.yml
permissions:
id-token: write
contents: read
steps:
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::1234567890:role/gha-deploy
aws-region: us-east-1Common pitfalls
- Forgetting
id-token: write→ "Unable to get OIDC token". - Trust policy
subtoo broad or mismatched → AssumeRole denied. - Wrong audience (
aud) value.
Related guides
GitHub Actions OIDC "Failed to get ID token"Fix GitHub Actions OIDC "Failed to get ID token" - a missing id-token permission, an unset request URL, or a…
How to Cache Dependencies in GitHub Actions (Every Ecosystem)Cache dependencies in GitHub Actions with actions/cache - correct keys and paths for npm, yarn, pnpm, pip, Ma…
GitHub Actions Workflow Template for Deploy to AWS (OIDC)A ready-to-use GitHub Actions workflow for Deploy to AWS (OIDC) with caching and best practices - copy, commi…