AWS GitHub Actions OIDC Setup
Configure GitHub Actions to deploy to AWS without long-lived credentials using OpenID Connect (OIDC).
Overview
GitHub Actions authenticates to AWS by assuming an IAM role via OIDC federation. No access keys are stored as GitHub secrets.
Setup Steps
1. Create OIDC Identity Provider in AWS
In IAM > Identity Providers > Add Provider:
- Provider type: OpenID Connect
- Provider URL: https://token.actions.githubusercontent.com
- Audience: sts.amazonaws.com
2. Create IAM Role
Create an IAM role with a trust policy that allows GitHub Actions from your repo:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:<OWNER>/<REPO>:*"
        }
      }
    }
  ]
}
```
The `:*` suffix on the `sub` condition admits tokens from every branch, tag, pull request and environment of the repository; if only one deployment context should be able to assume the role, narrow it (for example to `repo:<OWNER>/<REPO>:environment:production`). Then attach the necessary permissions policies (SST requires broad access for CloudFormation, S3, Lambda, ECS, RDS, etc.).
3. Configure GitHub Repository
In the GitHub repo, define the following variable (a GitHub environment variable, not a secret) for each deployment environment (staging, production):
- Variable name: AWS_DEPLOY_ROLE_ARN
- Value: arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>
4. Workflow Usage
The sst-deploy.yml workflow uses OIDC automatically:
```yaml
- name: Configure AWS credentials (OIDC)
  uses: aws-actions/configure-aws-credentials@v4
  with:
    role-to-assume: ${{ vars.AWS_DEPLOY_ROLE_ARN }}
    role-session-name: sst-deploy
    aws-region: eu-west-2
```
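To see which GitHub token subjects the trust policy from step 2 actually admits before the first deploy (the usual cause of the sts:AssumeRoleWithWebIdentity error below), here is an added example, not part of this page or of SST, that evaluates the `StringEquals`/`StringLike` conditions the way IAM does against constructed `sub` values; the owner `acme`, repo `app` and account placeholder are assumptions.

```python
import json
import re
AUD_KEY = "token.actions.githubusercontent.com:aud"
SUB_KEY = "token.actions.githubusercontent.com:sub"

def iam_string_like(value: str, pattern: str) -> bool:
    """IAM StringLike: '*' matches any run, '?' one character; everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def statement_allows(statement: dict, claims: dict) -> bool:
    """True if this trust-policy statement lets a token carrying `claims` assume the role."""
    actions = statement.get("Action", [])
    actions = actions if isinstance(actions, list) else [actions]
    if statement.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
        return False
    cond = statement.get("Condition", {})
    for key, want in cond.get("StringEquals", {}).items():
        want = want if isinstance(want, list) else [want]
        if key not in claims or claims[key] not in want:  # an absent claim fails the condition
            return False
    for key, want in cond.get("StringLike", {}).items():
        want = want if isinstance(want, list) else [want]
        if key not in claims or not any(iam_string_like(claims[key], p) for p in want):
            return False
    return True

def admitted_subjects(trust_policy: str, subjects: list, aud: str = "sts.amazonaws.com") -> dict:
    """Map each candidate GitHub `sub` claim to whether any statement admits it."""
    statements = json.loads(trust_policy)["Statement"]
    return {sub: any(statement_allows(s, {AUD_KEY: aud, SUB_KEY: sub}) for s in statements)
            for sub in subjects}

# Constructed sample: the page's trust policy with a hypothetical owner/repo filled in.
POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {AUD_KEY: "sts.amazonaws.com"},
                  "StringLike": {SUB_KEY: "repo:acme/app:*"}}}]})

# Constructed subjects in the shapes GitHub mints for different trigger contexts.
CANDIDATES = [
    "repo:acme/app:ref:refs/heads/main",       # push to main
    "repo:acme/app:pull_request",              # pull_request workflow
    "repo:acme/app:environment:production",    # job bound to a GitHub environment
    "repo:acme/app-fork:ref:refs/heads/main",  # different repository
    "repo:other/app:ref:refs/heads/main",      # different owner
]
```

Run `admitted_subjects(POLICY, CANDIDATES)` to get the allow/deny map; swapping the `StringLike` value for `repo:acme/app:environment:production` leaves only the environment-bound subject admitted.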
Troubleshooting
| Issue | Fix |
|---|---|
| "Not authorized to perform sts:AssumeRoleWithWebIdentity" | Check trust policy sub condition matches your repo |
| "No OpenIDConnect provider found" | Create the OIDC provider in IAM first |
| Role ARN not found | Define AWS_DEPLOY_ROLE_ARN as a GitHub environment variable (not a secret); the workflow reads it via `vars`, so a secret of the same name is not picked up |