Skip to content
Latchkey

aws-actions/configure-aws-credentials: Auth to AWS in CI

configure-aws-credentials authenticates your workflow to AWS, ideally via OIDC with no static keys.

The recommended pattern is OIDC: the workflow exchanges its identity token for short-lived AWS credentials by assuming an IAM role. No long-lived secrets to rotate.

Key inputs (with:)

  • role-to-assume: IAM role ARN to assume via OIDC.
  • aws-region: target region (required).
  • role-session-name: name for the assumed session.
  • aws-access-key-id / aws-secret-access-key: static-key fallback.
  • role-duration-seconds: session length.

Example workflow (OIDC)

.github/workflows/ci.yml
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/ci-deploy
          aws-region: us-east-1
      - run: aws s3 sync ./dist s3://my-bucket

On any runner

This action runs on any runner. Latchkey managed runners run it unchanged.

Key takeaways

  • Prefer OIDC role-to-assume over static access keys.
  • OIDC needs permissions: id-token: write on the job.
  • Credentials are exported as env vars for later steps.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →