Secure AWS Deployments with GitHub Actions OIDC — No Long-Lived Keys
The Problem with Long-Lived AWS Keys
Storing long-lived AWS access keys in GitHub Secrets is a standing risk: a key stays valid until someone rotates it, so it can leak through workflow logs, forks or a compromised third-party action, rotation is easy to get wrong, and the key is usually granted far more permissions than any single job needs. OIDC removes the static secret from the picture; scoping the permissions is still your job.
How OIDC Works
GitHub acts as an OpenID Connect identity provider. When a job runs, GitHub mints a short-lived signed JWT whose claims describe the run (repository, ref, event, workflow). The job presents that token to AWS STS, which verifies the signature against GitHub's published keys and, if the role's trust policy accepts the claims, returns temporary credentials through AssumeRoleWithWebIdentity. Those credentials expire after their session duration (one hour by default with configure-aws-credentials); they are not revoked when the job ends, so keep the duration short. No static key is stored anywhere.
Step 1: Create the IAM OIDC Provider
In the AWS console go to IAM, then Identity providers, then Add provider. Select OpenID Connect, use https://token.actions.githubusercontent.com as the provider URL and sts.amazonaws.com as the audience. The provider is created once per account; every role that trusts GitHub references it.
Step 2: Create the IAM Role
Create a role whose trust policy names the GitHub OIDC provider as the federated principal and allows sts:AssumeRoleWithWebIdentity. Add conditions on both claims: aud must equal sts.amazonaws.com, and sub must match your repository and, ideally, the exact branch or environment (for example repo:org/repo:ref:refs/heads/main). Without the sub condition any GitHub repository can assume the role, because every repository can request a token with that audience. Note that sub for pull_request events is repo:org/repo:pull_request, so a wildcard such as repo:org/repo:* also admits pull-request runs. Attach a permissions policy with only what the deployment needs.
Step 3: Update Your Workflow
Add id-token: write to the workflow or job permissions block (and contents: read, because declaring a permissions block drops the defaults). Then use aws-actions/configure-aws-credentials with role-to-assume set to the role ARN and aws-region set to the target region; no aws-access-key-id or aws-secret-access-key inputs are needed.
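The three steps above in one runnable piece, as an added example that is not code from the original page: it builds the role trust policy from Step 2, emulates how IAM evaluates its StringEquals/StringLike conditions against constructed token claims (so you can see which runs are admitted and which are not), and renders the workflow from Step 3. The account ID, repository name, role ARN and sample claims are placeholders; the condition emulator covers only the two operators the policy uses and is not a full IAM policy engine.

```python
"""GitHub Actions OIDC -> AWS: trust policy, condition check, workflow. Added example; placeholder values."""
import fnmatch
import json
from typing import Optional

GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com"
AUDIENCE = "sts.amazonaws.com"


def trust_policy(account_id: str, repo: str, branch: Optional[str] = "main") -> dict:
    """Trust policy for the deployment role (Step 2).

    GitHub's token carries sub = "repo:<owner>/<repo>:ref:refs/heads/<branch>" for pushes
    and sub = "repo:<owner>/<repo>:pull_request" for PR events. With a branch the sub is
    pinned exactly; with branch=None the policy falls back to StringLike "repo:<repo>:*",
    which also admits pull_request runs and is broader than most teams intend.
    """
    sub_key, aud_key = f"{GITHUB_OIDC_ISSUER}:sub", f"{GITHUB_OIDC_ISSUER}:aud"
    condition = {"StringEquals": {aud_key: AUDIENCE}}
    if branch is None:
        condition["StringLike"] = {sub_key: f"repo:{repo}:*"}
    else:
        condition["StringEquals"][sub_key] = f"repo:{repo}:ref:refs/heads/{branch}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC_ISSUER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


def condition_allows(policy: dict, claims: dict) -> bool:
    """Emulate IAM evaluation of StringEquals / StringLike for the policy above.

    Every key under every operator must match (AND); a missing claim fails; a list of
    expected values passes if any entry matches. StringLike treats * and ? as wildcards.
    """
    for stmt in policy["Statement"]:
        for operator, keys in stmt.get("Condition", {}).items():
            for key, expected in keys.items():
                claim = key.split(":", 1)[1]          # "<issuer>:sub" -> "sub"
                actual = claims.get(claim)
                if actual is None:
                    return False
                expected = [expected] if isinstance(expected, str) else expected
                if operator == "StringEquals":
                    matched = actual in expected
                elif operator == "StringLike":
                    matched = any(fnmatch.fnmatchcase(actual, e) for e in expected)
                else:
                    raise ValueError(f"operator not modelled: {operator}")
                if not matched:
                    return False
    return True


# Constructed claim sets shaped like the payload of a GitHub Actions OIDC token.
PUSH_TO_MAIN = {"iss": f"https://{GITHUB_OIDC_ISSUER}", "aud": AUDIENCE,
                "sub": "repo:example-org/deploy-app:ref:refs/heads/main"}
PUSH_TO_FEATURE = {**PUSH_TO_MAIN, "sub": "repo:example-org/deploy-app:ref:refs/heads/feature-x"}
PULL_REQUEST = {**PUSH_TO_MAIN, "sub": "repo:example-org/deploy-app:pull_request"}
OTHER_REPO = {**PUSH_TO_MAIN, "sub": "repo:someone-else/anything:ref:refs/heads/main"}
WRONG_AUD = {**PUSH_TO_MAIN, "aud": "https://github.com/example-org"}


def evaluate_samples(policy: dict) -> dict:
    """Map each sample token to whether the policy would let it assume the role."""
    samples = {"push_to_main": PUSH_TO_MAIN, "push_to_feature": PUSH_TO_FEATURE,
               "pull_request": PULL_REQUEST, "other_repo": OTHER_REPO, "wrong_aud": WRONG_AUD}
    return {name: condition_allows(policy, claims) for name, claims in samples.items()}


def workflow_yaml(role_arn: str, region: str) -> str:
    """Minimal workflow (Step 3). id-token: write is what lets the job request the OIDC token."""
    return f"""\
name: deploy
on:
  push:
    branches: [main]
permissions:
  id-token: write   # request the OIDC token
  contents: read    # checkout still needs this once a permissions block is declared
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: {role_arn}
          aws-region: {region}
          role-duration-seconds: 900   # 15 minutes, the STS minimum; default is 1 hour
      - run: aws sts get-caller-identity
"""


if __name__ == "__main__":
    strict = trust_policy("123456789012", "example-org/deploy-app", branch="main")
    print(json.dumps(strict, indent=2))
    print("strict:", evaluate_samples(strict))
    print("loose :", evaluate_samples(trust_policy("123456789012", "example-org/deploy-app", branch=None)))
    print(workflow_yaml("arn:aws:iam::123456789012:role/github-deploy", "us-east-1"))
```

Running it prints the strict policy, then shows that only the push to main is admitted under it, while the wildcard variant also admits feature branches and pull_request runs. Neither variant admits another repository or a token minted for a different audience, which is the point of conditioning on both claims.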
Step 4: Verify It Works
Run the workflow and check CloudTrail. You should see an AssumeRoleWithWebIdentity event from sts.amazonaws.com whose userIdentity records the GitHub OIDC provider and the token's sub, followed by the API calls the job made under the assumed-role session, and no access-key events for a CI user. The credentials expire at the end of the session duration rather than when the job ends, so a short duration plus the sub condition in the trust policy is the actual control.
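What to look for once the events are flowing, as an added example that is not code from the original page: a small audit over CloudTrail-style records that flags AssumeRoleWithWebIdentity calls from the GitHub provider whose sub is not on the allowlist for that role, denied attempts, and CreateAccessKey events (a pipeline that has moved to OIDC should not be minting long-lived keys). The events, role ARN and allowlist are constructed placeholders; the field names follow the CloudTrail record layout (eventSource, eventName, errorCode, userIdentity.identityProvider / userName, requestParameters.roleArn) and should be checked against your own records before the rule goes into a detection pipeline.

```python
"""Audit CloudTrail-shaped records for GitHub OIDC role assumptions. Added example; constructed data."""
import fnmatch
from typing import List, Optional, Tuple

GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com"

# Hypothetical allowlist: which sub patterns may assume which role.
EXPECTED_SUBJECTS = {
    "arn:aws:iam::123456789012:role/github-deploy": ["repo:example-org/deploy-app:ref:refs/heads/main"],
}


def _sts_event(time: str, sub: str, role: str, error: Optional[str] = None) -> dict:
    """Build a constructed AssumeRoleWithWebIdentity record from the GitHub provider."""
    event = {
        "eventTime": time, "eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithWebIdentity",
        "userIdentity": {"type": "WebIdentityUser", "identityProvider": GITHUB_OIDC_ISSUER, "userName": sub},
        "requestParameters": {"roleArn": role, "roleSessionName": "GitHubActions"},
    }
    if error:
        event["errorCode"] = error
    return event


ROLE = "arn:aws:iam::123456789012:role/github-deploy"
CONSTRUCTED_EVENTS = [
    _sts_event("2024-05-01T10:00:00Z", "repo:example-org/deploy-app:ref:refs/heads/main", ROLE),
    _sts_event("2024-05-01T10:05:00Z", "repo:example-org/deploy-app:pull_request", ROLE),
    _sts_event("2024-05-01T10:07:00Z", "repo:someone-else/anything:ref:refs/heads/main", ROLE, error="AccessDenied"),
    {"eventTime": "2024-05-01T10:09:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "admin"}, "requestParameters": {"userName": "ci-user"}},
    {"eventTime": "2024-05-01T10:11:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithWebIdentity",
     "userIdentity": {"type": "WebIdentityUser", "identityProvider": "cognito-identity.amazonaws.com", "userName": "x"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/mobile-app"}},
]


def classify(event: dict) -> Optional[str]:
    """Return a finding for one record, or None when it is expected or out of scope."""
    name, source = event.get("eventName"), event.get("eventSource")
    if source == "iam.amazonaws.com" and name == "CreateAccessKey":
        user = event.get("requestParameters", {}).get("userName", "?")
        return f"long-lived access key created for {user}; an OIDC pipeline should not need one"
    if source != "sts.amazonaws.com" or name != "AssumeRoleWithWebIdentity":
        return None
    ident = event.get("userIdentity", {})
    if ident.get("identityProvider") != GITHUB_OIDC_ISSUER:
        return None                                   # another IdP, not this rule's concern
    role = event.get("requestParameters", {}).get("roleArn", "")
    sub = ident.get("userName", "")
    if "errorCode" in event:
        return f"denied assume attempt on {role} by sub={sub}"
    allowed = EXPECTED_SUBJECTS.get(role)
    if allowed is None:
        return f"GitHub assumed {role}, which is not in the allowlist"
    if not any(fnmatch.fnmatchcase(sub, pat) for pat in allowed):
        return f"unexpected subject {sub} assumed {role}"
    return None


def audit(events: List[dict]) -> List[Tuple[str, str]]:
    """Return (eventTime, finding) for every record that needs a look, in input order."""
    findings = []
    for event in events:
        finding = classify(event)
        if finding:
            findings.append((event.get("eventTime", ""), finding))
    return findings


if __name__ == "__main__":
    for when, finding in audit(CONSTRUCTED_EVENTS):
        print(when, finding)
```

On the constructed records the audit stays quiet for the main-branch deploy and the Cognito assumption, and raises three findings: the pull_request subject that the allowlist does not cover, the denied attempt from another repository, and the new access key for ci-user. A denied AssumeRoleWithWebIdentity is worth alerting on even though the trust policy held: it means someone's token reached your role.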
Result
No long-lived credentials. Temporary credentials that expire on their own. A role that only the repository and branch you named can assume, carrying only the permissions the deployment needs. This is the baseline every production pipeline should meet.
Want this set up for your project? Schedule a meeting.