aws-actions/configure-aws-credentials: Auth to AWS in CI
configure-aws-credentials authenticates your workflow to AWS, ideally via OIDC with no static keys.
The recommended pattern is OIDC: the workflow exchanges its identity token for short-lived AWS credentials by assuming an IAM role. No long-lived secrets to rotate.
Key inputs (with:)
- role-to-assume: IAM role ARN to assume via OIDC.
- aws-region: target region (required).
- role-session-name: name for the assumed session.
- aws-access-key-id / aws-secret-access-key: static-key fallback.
- role-duration-seconds: session length.
Example workflow (OIDC)
.github/workflows/ci.yml
jobs:
deploy:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::123456789012:role/ci-deploy
aws-region: us-east-1
- run: aws s3 sync ./dist s3://my-bucketOn any runner
This action runs on any runner. Latchkey managed runners run it unchanged.
Key takeaways
- Prefer OIDC role-to-assume over static access keys.
- OIDC needs permissions: id-token: write on the job.
- Credentials are exported as env vars for later steps.
Related guides
google-github-actions/auth: Authenticate to Google CloudReference for google-github-actions/auth: authenticate to Google Cloud via Workload Identity Federation (keyl…
azure/login: Authenticate to Azure in CIReference for azure/login: sign in to Azure via OIDC federated credentials or a service principal so later st…
hashicorp/setup-terraform: Install Terraform in CIReference for hashicorp/setup-terraform: install a pinned Terraform version and optionally wrap commands to e…