Script Valley
CI/CD with GitHub Actions
Deployment Workflows, Lesson 4.4

How to deploy to AWS using OIDC instead of long-lived credentials

Key concepts: OIDC authentication, aws-actions/configure-aws-credentials, IAM role trust policy, id-token permission, short-lived credentials, no AWS secret key storage, role ARN

Why OIDC?

Figure: OIDC token exchange with AWS STS

Storing AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in GitHub Secrets is the old approach. If those keys leak, an attacker has permanent access. OIDC issues short-lived credentials valid only for the duration of a workflow run — no stored secret to leak.

Workflow

name: Deploy to AWS

on:
  push:
    branches: [main]

# id-token: write lets the job request an OIDC JWT from GitHub;
# contents: read is all that actions/checkout needs.
permissions:
  id-token: write
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Exchanges the GitHub OIDC token for short-lived credentials via
      # sts:AssumeRoleWithWebIdentity; no AWS access keys are stored anywhere.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/GitHubActionsDeployRole
          aws-region: us-east-1

      # Standard AWS CLI calls now use the temporary credentials.
      - run: aws s3 sync dist/ s3://my-bucket --delete

id-token: write is required so the job can request the OIDC JWT from GitHub. AWS verifies that token against an IAM OIDC identity provider you configure in your AWS account. The IAM role's trust policy must name your repository as the allowed subject (the token's sub claim), so that a workflow in any other repository cannot assume the role. After authentication, standard AWS CLI commands work for the rest of the job.
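As an added example (not part of the lesson), the following script checks whether a role's trust policy actually pins the token the way the paragraph describes: the aud claim must equal sts.amazonaws.com and the sub claim must be scoped to one repository rather than a wildcard. The account id, organisation and repository names are constructed placeholders.

```python
import json

GITHUB_ISSUER = "token.actions.githubusercontent.com"
AUD_KEY = f"{GITHUB_ISSUER}:aud"
SUB_KEY = f"{GITHUB_ISSUER}:sub"


def check_trust_policy(policy: dict, repo: str) -> list[str]:
    """Return findings for every Allow statement that lets GitHub's OIDC
    provider call sts:AssumeRoleWithWebIdentity on this role.
    Flags a missing aud pin, a missing sub condition, a sub that is not
    scoped to `repo`, and a sub wildcard that covers every ref/environment."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = str(stmt.get("Action", ""))
        federated = str(stmt.get("Principal", {}).get("Federated", ""))
        if stmt.get("Effect") != "Allow" or "AssumeRoleWithWebIdentity" not in actions:
            continue
        if GITHUB_ISSUER not in federated:
            continue  # some other identity provider; out of scope here
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        like = cond.get("StringLike", {})
        if equals.get(AUD_KEY) != "sts.amazonaws.com":
            findings.append("aud claim is not pinned to sts.amazonaws.com")
        sub = equals.get(SUB_KEY) or like.get(SUB_KEY)
        if sub is None:
            findings.append("no sub condition: any GitHub repository could assume this role")
            continue
        for pattern in (sub if isinstance(sub, list) else [sub]):
            if not pattern.startswith(f"repo:{repo}:"):
                findings.append(f"sub pattern {pattern!r} is not scoped to repo:{repo}")
            elif "*" in pattern:
                findings.append(f"sub pattern {pattern!r} allows every branch, tag or environment; pin one ref")
    return findings


def github_trust_policy(conditions: dict) -> dict:
    """Build a trust policy for the GitHub OIDC provider (constructed sample account id)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": conditions}]}


# Weak: no aud pin, and a wildcard that matches every repository in the org.
WEAK = github_trust_policy({"StringLike": {SUB_KEY: "repo:example-org/*"}})
# Hardened: aud pinned and sub restricted to one repository's main branch.
HARDENED = github_trust_policy({"StringEquals": {
    AUD_KEY: "sts.amazonaws.com",
    SUB_KEY: "repo:example-org/example-repo:ref:refs/heads/main"}})

if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, json.dumps(check_trust_policy(policy, "example-org/example-repo") or ["ok"]))
```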
