GitHub Actions OIDC for keyless AWS authentication

<p>I need my GitHub Actions workflows to access AWS services (S3, ECR, ECS) without storing long-lived AWS credentials as GitHub secrets. I want keyless authentication using OIDC.</p>

<p>GitHub Actions OIDC with AWS IAM:</p> <div class="highlight"><pre><span></span><code><span class="c1"># .github/workflows/deploy.yml</span> <span class="nt">jobs</span><span class="p">:</span> <span class="w"> </span><span class="nt">deploy</span><span class="p">:</span> <span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ubuntu-latest</span> <span class="w"> </span><span class="nt">permissions</span><span class="p">:</span> <span class="w"> </span><span class="nt">id-token</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">write</span><span class="w"> </span><span class="c1"># Required for OIDC</span> <span class="w"> </span><span class="nt">contents</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">read</span> <span class="w"> </span><span class="nt">steps</span><span class="p">:</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">actions/checkout@v4</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Configure AWS credentials via OIDC</span> <span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">aws-actions/configure-aws-credentials@v4</span> <span class="w"> </span><span class="nt">with</span><span class="p">:</span> <span class="w"> </span><span class="nt">role-to-assume</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">arn:aws:iam::123456789:role/GitHubActionsRole</span> <span class="w"> </span><span class="nt">aws-region</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">us-east-1</span> <span class="w"> </span><span class="c1"># No access key/secret needed!</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Login to ECR</span> <span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">aws-actions/amazon-ecr-login@v2</span> <span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Deploy to ECS</span> <span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">|</span> <span class="w"> </span><span class="no">aws ecs update-service --cluster prod --service api --force-new-deployment</span> </code></pre></div> <p>AWS IAM Role trust policy (one-time setup):</p> <div class="highlight"><pre><span></span><code><span class="p">{</span> <span class="w"> </span><span class="nt">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span> <span class="w"> </span><span class="nt">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[{</span> <span class="w"> </span><span class="nt">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span> <span class="w"> </span><span class="nt">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nt">"Federated"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::123456789:oidc-provider/token.actions.githubusercontent.com"</span><span class="w"> </span><span class="p">},</span> <span class="w"> </span><span class="nt">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sts:AssumeRoleWithWebIdentity"</span><span class="p">,</span> <span class="w"> </span><span class="nt">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="nt">"StringLike"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="nt">"token.actions.githubusercontent.com:sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"repo:myorg/myrepo:ref:refs/heads/main"</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="p">}</span> <span class="w"> </span><span class="p">}]</span> <span class="p">}</span> </code></pre></div> <p>Key points: - OIDC tokens are short-lived (15 min) -- no long-lived secrets to rotate - id-token: write permission required to request OIDC token - IAM trust policy scopes by repo AND branch for security - Works for AWS, GCP, Azure -- each has their own action - No secrets stored in GitHub -- audit trail in CloudTrail instead</p>