GitHub Actions OIDC with AWS: complete zero-credential setup

GitHub Actions OIDC with AWS: complete zero-credential setup Stop storing AWS access keys as GitHub secrets. Here's the full setup. Why OIDC wins Old: AWS_ACCESS_KEY_ID stored forever, rotated manually (or never) Risk: leaked key = full account access until manually revoked OIDC: No stored credentials. Token per-job, expires when job ends. Risk: compromised token expires in minutes Audit: exact repo, branch, job logged in CloudTrail Step 1: OIDC provider (Terraform) resource "aws_iam_openid_connect_provider" "github" { url = "https://token.actions.githubusercontent.com" client_id_list = [ "sts.amazonaws.com" ] thumbprint_list = [ "6938fd4d98bab03faadb97b34396831e3780aea1" ] } Step 2: IAM role with trust policy resource "aws_iam_role" "github_actions" { name = "github-actions-deploy" assume_role_policy = jsonencode ({ Version = "2012-10-17" Statement = [{ Effect = "Allow" Principal = { Federated = aws_iam_openid_connect_provider . github . arn } Action = "sts:AssumeRoleWithWebIdentity"

GitHub Actions OIDC with AWS: complete zero-credential setup

Related Articles

The Art of Motivation and Inspiration ✨

When Understanding Comes Later

Top 10 Skills Every Developer Must Learn in 2026

If you are using context.Context Like this, You-re doing it wrong

How to Simulate Billiards and Similar Systems

Related Articles

How-To
The Art of Motivation and Inspiration ✨
Medium Programming • 1w ago

How-To
When Understanding Comes Later
Medium Programming • 1w ago

How-To
Top 10 Skills Every Developer Must Learn in 2026
Medium Programming • 1w ago

How-To
If you are using context.Context Like this, You-re doing it wrong
Medium Programming • 1w ago

How-To
How to Simulate Billiards and Similar Systems
Dev.to • 1w ago