
Cloud Technologist | Architecting Innovative Solutions for Digital Transformation | AWS, Azure, GCP Expert | Passionate about Emerging Technologies
Introduction
GitHub Actions can access AWS resources via OIDC (OpenID Connect), eliminating the need for long-term IAM credentials. This provides a more secure and scalable approach to integrating GitHub workflows with AWS services.
Why Use OIDC for AWS Authentication?
Traditionally, GitHub Actions authenticated to AWS with an IAM user's access keys stored as repository secrets: long-lived credentials that had to be rotated by hand and that anyone with access to the secrets (or to a workflow log that leaked them) could reuse from anywhere. With OIDC:
✔ No static credentials – each job requests a short-lived OIDC token from GitHub and exchanges it with AWS STS (AssumeRoleWithWebIdentity) for temporary credentials that expire on their own.
✔ Least privilege access – the role's trust policy decides which repository, branch, tag, pull request or environment may assume it, and its permission policies can be scoped to the resources that one workflow needs.
✔ No credential rotation – there are no keys to create, store, rotate or revoke.
Setting Up GitHub Actions with AWS OIDC
Step 1: Create an IAM OIDC Identity Provider in AWS
Run the following AWS CLI command to register GitHub's token issuer as an OIDC identity provider. The client ID is the audience (aud) the workflow's token must carry:
aws iam create-open-id-connect-provider \
  --url https://token.actions.githubusercontent.com \
  --thumbprint-list <THUMBPRINT> \
  --client-id-list sts.amazonaws.com
To retrieve a thumbprint in the 40-hex-character form IAM expects, run:
openssl s_client -servername token.actions.githubusercontent.com \
  -showcerts -connect token.actions.githubusercontent.com:443 </dev/null 2>/dev/null \
  | openssl x509 -fingerprint -sha1 -noout \
  | sed 's/.*=//; s/://g'
Two caveats. This prints the SHA-1 fingerprint of the server's own (leaf) certificate, which GitHub rotates frequently; AWS's documented procedure takes the fingerprint of the top intermediate CA certificate in the chain instead. And since 2023 AWS validates token.actions.githubusercontent.com against its own library of trusted root certificate authorities, so the thumbprint stored on the provider is no longer used for that validation. The provider is created once per AWS account; the command fails with EntityAlreadyExists if it is already there.
Step 2: Create an IAM Role for GitHub Actions
- Go to AWS IAM → Roles → Create Role.
- Select: Web identity provider.
- Provider: token.actions.githubusercontent.com.
- Audience: sts.amazonaws.com.
- Attach only the permission policies the workflow needs (for example, a policy limited to the one S3 bucket it deploys to). Avoid AdministratorAccess: every workflow run the trust policy admits can assume this role, so its permissions are the blast radius of a compromised workflow or dependency.
- Modify the trust policy so that only tokens issued for your repository can assume the role. The aud condition checks that the token was minted for AWS STS, and the sub condition is what pins the role to your repository; without it, any GitHub repository in the world could assume the role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::AWS_ACCOUNT_ID:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:OWNER/REPO:*"
        }
      }
    }
  ]
}
- Replace AWS_ACCOUNT_ID with your AWS account ID.
- Replace OWNER/REPO with your GitHub repository.
- The trailing * admits every branch, tag, pull request and environment of that repository. For a deployment role, prefer a narrower subject such as repo:OWNER/REPO:ref:refs/heads/main (pushes to main only) or repo:OWNER/REPO:environment:prod (jobs that target the prod environment, which lets you put environment protection rules in front of the role).
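Which workflow runs a given sub condition actually admits is easy to misjudge, because IAM's StringLike wildcard is matched against the whole subject string. The script below is an illustration added for this page, not AWS or GitHub code: it builds the trust policy above (with the aud condition), evaluates constructed sample sub claims against it using IAM's StringEquals and StringLike semantics, and lints the policy for the two mistakes that widen it, a missing sub condition and a wildcard that spans every ref. The account ID, organisation and repository names are placeholders, and the sample subjects are constructed in the format GitHub documents for its tokens rather than captured from real runs.

```python
"""Which GitHub Actions tokens does an IAM trust policy admit?

Added illustration for this page, not AWS or GitHub code. Models the two IAM
condition operators a GitHub OIDC trust policy uses (StringEquals, StringLike)
and evaluates constructed sample "sub" claims against them. Account ID, org and
repository names are placeholders.
"""
import re

PROVIDER = "token.actions.githubusercontent.com"

# Constructed sub claims in the shape GitHub issues them (samples, not captured tokens).
SAMPLE_SUBS = {
    "push to main": "repo:octo-org/octo-repo:ref:refs/heads/main",
    "push to feature branch": "repo:octo-org/octo-repo:ref:refs/heads/feature-x",
    "tag build": "repo:octo-org/octo-repo:ref:refs/tags/v1.0.0",
    "pull_request": "repo:octo-org/octo-repo:pull_request",
    "prod environment": "repo:octo-org/octo-repo:environment:prod",
    "another repository": "repo:other-org/other-repo:ref:refs/heads/main",
}


def trust_policy(sub_patterns):
    """The page's trust policy with the aud condition added. sub_patterns is a string,
    a list of strings, or None to model a policy that forgot the sub condition."""
    condition = {"StringEquals": {f"{PROVIDER}:aud": "sts.amazonaws.com"}}
    if sub_patterns is not None:
        condition["StringLike"] = {f"{PROVIDER}:sub": sub_patterns}
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}


def iam_string_like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one; the rest is literal, case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


OPERATORS = {"StringEquals": lambda pattern, value: pattern == value, "StringLike": iam_string_like}


def condition_allows(condition, claims):
    """Every operator/key pair must pass; a key listing several values passes if any one
    matches (IAM semantics). A claim the token lacks fails the condition."""
    for operator, keys in condition.items():
        match = OPERATORS[operator]  # KeyError for operators this model does not cover
        for key, patterns in keys.items():
            claim = claims.get(key.split(":", 1)[1])  # "<provider>:sub" -> claims["sub"]
            if claim is None:
                return False
            patterns = [patterns] if isinstance(patterns, str) else patterns
            if not any(match(p, claim) for p in patterns):
                return False
    return True


def can_assume(policy, claims):
    """True if an Allow statement for AssumeRoleWithWebIdentity from the GitHub provider admits these claims."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        if not stmt.get("Principal", {}).get("Federated", "").endswith(f":oidc-provider/{PROVIDER}"):
            continue
        if condition_allows(stmt.get("Condition", {}), claims):
            return True
    return False


def admitted(sub_patterns, aud="sts.amazonaws.com"):
    """Names of the sample workflows whose token the given sub pattern(s) would admit."""
    policy = trust_policy(sub_patterns)
    return [name for name, sub in SAMPLE_SUBS.items() if can_assume(policy, {"aud": aud, "sub": sub})]


def lint_trust_policy(policy):
    """Flag the trust-policy mistakes that let unintended workflows assume the role."""
    findings = []
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get(f"{PROVIDER}:aud") != "sts.amazonaws.com":
            findings.append("no StringEquals condition on aud = sts.amazonaws.com")
        subs = cond.get("StringLike", {}).get(f"{PROVIDER}:sub",
                                              cond.get("StringEquals", {}).get(f"{PROVIDER}:sub"))
        if subs is None:
            findings.append("no condition on sub: every GitHub repository could assume this role")
            continue
        for p in ([subs] if isinstance(subs, str) else subs):
            owner_repo = p.split(":")[1] if p.startswith("repo:") else ""
            if not owner_repo or "*" in owner_repo or "?" in owner_repo:
                findings.append(f"sub pattern {p!r} is not pinned to one repository")
            elif p.endswith(":*"):
                findings.append(f"sub pattern {p!r} admits every branch, tag, pull request and environment")
    return findings


if __name__ == "__main__":
    for patterns in ("repo:octo-org/octo-repo:*", "repo:octo-org/octo-repo:ref:refs/heads/main",
                     ["repo:octo-org/octo-repo:ref:refs/heads/main", "repo:octo-org/octo-repo:environment:prod"],
                     None):
        print(patterns, "->", admitted(patterns))
        print("   lint:", lint_trust_policy(trust_policy(patterns)) or "ok")
```

Running it shows that the page's repo:OWNER/REPO:* pattern admits a push to any branch, a tag build, a pull_request job and any environment of the repository (but not another repository), that pinning the subject to refs/heads/main admits only pushes to main, and that a policy with no sub condition at all admits the other-org repository too. The matcher only models StringEquals and StringLike; real IAM policies can use further operators, and the console's policy validator remains the authority on syntax.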
Step 3: Update GitHub Actions Workflow
Modify your GitHub Actions workflow (.github/workflows/aws-actions.yml). The id-token: write permission is what allows the job to request an OIDC token; the configure-aws-credentials action exchanges that token for temporary credentials and exports them to the steps that follow:
name: Deploy to AWS
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write # Required to request the OIDC token
      contents: read  # Required for actions/checkout
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::AWS_ACCOUNT_ID:role/YOUR_ROLE_NAME
          role-session-name: github-${{ github.run_id }}
          aws-region: us-east-1
      - name: Verify Identity
        run: aws sts get-caller-identity
Keep the on: trigger consistent with the trust policy: if the role only trusts refs/heads/main, a run triggered from another branch fails at the Configure AWS Credentials step with an AccessDenied error from STS, which is the intended outcome. The Verify Identity step prints the assumed-role ARN (with the session name, which makes runs traceable in CloudTrail), confirming that no static keys were involved.
Conclusion
Using OIDC with GitHub Actions provides a seamless, secure, and automated way to manage AWS credentials. It eliminates the risks associated with static IAM credentials while enabling fine-grained access control.
By implementing OIDC authentication, teams can enhance security, improve automation, and simplify credential management in their CI/CD workflows.
Try it out today and secure your AWS integrations with GitHub Actions!