Modern DevOps workflows rely heavily on automation, but traditional authentication methods using static IAM credentials introduce significant security risks. When deploying from GitHub Actions to AWS, developers often rely on access keys stored as secrets, an approach that increases exposure and management overhead.
To achieve secure GitHub to AWS deployments, organizations can use GitHub OIDC with AWS IAM. This method leverages OpenID Connect (OIDC) for federated authentication, allowing GitHub Actions to assume IAM roles dynamically instead of using long-lived keys.
This guide outlines how to set up AWS GitHub Actions authentication using OIDC and implement a robust IAM role authentication strategy for CI/CD.
Why Use OIDC for GitHub Actions Authentication
Traditional AWS authentication for CI/CD pipelines depends on static IAM credentials, which must be stored in repositories or GitHub Secrets. These credentials can become security liabilities if accidentally exposed or leaked.
By integrating GitHub OIDC with AWS IAM, GitHub Actions workflows can request temporary credentials directly from AWS at runtime. This eliminates the need for permanent keys, minimizes human error, and improves compliance with cloud security standards.
Benefits include:
- No long-lived IAM credentials stored in GitHub
- Automatic credential expiration after each workflow
- Fine-grained access control via scoped IAM roles
- Simplified credential management and reduced operational risk
Set Up IAM Role Integration for GitHub Actions
To begin, create an IAM role in AWS that GitHub Actions can assume through OpenID Connect.
Steps:
- In the AWS Management Console, navigate to IAM → Roles → Create Role.
- Select Web Identity as the trusted entity type.
- Choose GitHub as the OIDC provider (https://token.actions.githubusercontent.com).
- Add a condition in the trust policy to restrict repository access.
- Attach policies that define the specific AWS services the role can access.
Example trust policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:org/repository:*"
        }
      }
    }
  ]
}
This configuration ensures that only authorized repositories can assume the role, aligning with the principle of least privilege.
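The following Python is an added example (it is not code from the original post or from IAMOPS). It builds a trust policy of the kind shown above, going slightly beyond it by also pinning the token audience (`aud`) to `sts.amazonaws.com` and optionally pinning the subject to one branch; it lints a policy for the common gaps (no `aud` condition, a `sub` pattern that matches every branch or every repository); and it simulates how the `StringEquals`/`StringLike` conditions are matched against the `sub` and `aud` claims of a GitHub OIDC token. The account id, organisation and repository names are placeholders, and the `sub` claim formats follow GitHub's documented rules for push, pull_request and environment jobs.

```python
import re

# Placeholders constructed for this example; replace with real values.
ACCOUNT_ID = "123456789012"
OIDC_HOST = "token.actions.githubusercontent.com"

# Copy of the trust policy shown above (no audience check, any ref of the repo).
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_HOST}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {f"{OIDC_HOST}:sub": "repo:org/repository:*"}},
    }],
}


def build_trust_policy(account_id, org, repo, branch=None):
    """Trust policy for sts:AssumeRoleWithWebIdentity that pins the audience
    to sts.amazonaws.com (what configure-aws-credentials requests) and the
    subject to one repository, or to one branch of it when `branch` is given."""
    sub = f"repo:{org}/{repo}:ref:refs/heads/{branch}" if branch else f"repo:{org}/{repo}:*"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{OIDC_HOST}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{OIDC_HOST}:aud": "sts.amazonaws.com"},
                "StringLike": {f"{OIDC_HOST}:sub": sub},
            },
        }],
    }


def github_sub_claim(repository, event_name, ref=None, environment=None):
    """`sub` claim GitHub places in the OIDC token for a job: environment jobs
    get environment:NAME, pull_request jobs get pull_request, others ref:REF."""
    if environment:
        return f"repo:{repository}:environment:{environment}"
    if event_name == "pull_request":
        return f"repo:{repository}:pull_request"
    return f"repo:{repository}:ref:{ref}"


def _like(pattern, value):
    """IAM StringLike matching: '*' is any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _statement_allows(stmt, claims):
    if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
        return False
    for op, conds in stmt.get("Condition", {}).items():
        if op not in ("StringEquals", "StringLike"):
            return False  # operators not modelled here are treated as failing
        for key, expected in conds.items():
            actual = claims.get(key.split(":", 1)[1])  # "host:sub" -> "sub"
            patterns = expected if isinstance(expected, list) else [expected]
            if actual is None or not any(
                _like(p, actual) if op == "StringLike" else p == actual for p in patterns
            ):
                return False
    return True


def token_would_be_accepted(policy, claims):
    """Simulate the trust-policy evaluation for a token with the given claims."""
    return any(_statement_allows(s, claims) for s in policy["Statement"])


def lint_trust_policy(policy):
    """Findings for the usual gaps: missing aud pin, missing sub pin, or a sub
    pattern that covers every repository or every ref of the repository."""
    findings = []
    for stmt in policy["Statement"]:
        conds = {k: v for block in stmt.get("Condition", {}).values() for k, v in block.items()}
        sub = conds.get(f"{OIDC_HOST}:sub")
        if conds.get(f"{OIDC_HOST}:aud") is None:
            findings.append("no aud condition: tokens minted for any audience are accepted")
        if sub is None:
            findings.append("no sub condition: any GitHub repository could assume the role")
            continue
        for pat in (sub if isinstance(sub, list) else [sub]):
            repo_part = pat.split(":")[1] if ":" in pat else ""
            if "*" in repo_part:
                findings.append(f"sub pattern {pat!r} matches more than one repository")
            elif pat.endswith(":*"):
                findings.append(f"sub pattern {pat!r} matches every branch, tag, PR and environment")
    return findings


if __name__ == "__main__":
    print(lint_trust_policy(PAGE_POLICY))
    strict = build_trust_policy(ACCOUNT_ID, "org", "repository", branch="main")
    claims = {"aud": "sts.amazonaws.com",
              "sub": github_sub_claim("org/repository", "push", ref="refs/heads/main")}
    print(token_would_be_accepted(strict, claims))
```

Running the linter over the policy shown above reports that the audience is not checked and that the `repo:org/repository:*` subject covers every ref of the repository; the stricter policy built with `branch="main"` accepts a token from a push to `main` and rejects one from a feature branch or a pull request.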
Configure GitHub Actions Workflow
Once the IAM role is created, update your GitHub Actions workflow to use OIDC authentication instead of static secrets.
Example workflow:
name: Deploy to AWS
on:
  push:
    branches: [ "main" ]
permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::<ACCOUNT_ID>:role/GitHubOIDCRole
          aws-region: us-east-1
      - name: Deploy application
        run: aws s3 sync ./build s3://example-bucket --delete
With id-token: write granted, the runner requests a short-lived OIDC ID token from GitHub at run time, and configure-aws-credentials exchanges it for temporary AWS credentials by calling sts:AssumeRoleWithWebIdentity on the specified IAM role.
With GitHub Actions set up for AWS role access this way, credentials are short-lived, automatically managed, and never stored in GitHub Secrets.
Secure Jenkins and Other CI/CD Integrations
If your organization uses multiple CI/CD tools such as Jenkins in parallel with GitHub Actions, apply a similar IAM role integration approach. Use scripts or AWS SDKs to authenticate via temporary tokens instead of static access keys.
This maintains a consistent IAM role authentication strategy for CI/CD across tools, reducing the attack surface while maintaining operational flexibility.
Strengthen Security and Minimize IAM User Dependence
Adopting role-based authentication significantly reduces reliance on IAM Users and static keys. Instead, workflows use temporary role-based credentials that expire automatically.
This approach enhances AWS GitHub Actions authentication by:
- Limiting exposure to compromised secrets
- Ensuring access permissions are narrowly scoped
- Removing the need for manual key rotation or credential storage
The result is a more secure and automated deployment pipeline aligned with AWS best practices.
Key Benefits of OIDC-Based GitHub Authentication
- Enhanced Security: Eliminates static access keys and strengthens protection against unauthorized access.
- Reduced IAM Overhead: Minimizes administrative burden by replacing IAM Users with roles.
- Operational Efficiency: Automates access provisioning for GitHub Actions workflows.
- Cost Neutrality: No additional AWS infrastructure cost; only configuration changes are required.
- Zero Downtime: Seamless transition from static credentials to OIDC-based authentication.
These outcomes make OIDC-based authentication of GitHub Actions to AWS an essential practice for modern DevOps security and automation.

About IAMOPS
IAMOPS is a DevOps Services Company that specializes in building secure, scalable, and automated CI/CD pipelines for cloud-native environments.
With expertise in IAM role integration for GitHub Actions, AWS OIDC authentication, and secure GitHub to AWS deployments, IAMOPS helps engineering teams adopt cloud-native security models that reduce risk and simplify operations.
Our capabilities include:
- Implementing GitHub OIDC with AWS IAM for temporary credential access.
- Designing IAM role authentication strategies for CI/CD.
- Automating secure deployments across cloud platforms.
- Ensuring compliance with AWS security best practices.
IAMOPS empowers startups and high-growth companies to strengthen their security posture, minimize manual credential management, and enable faster, safer software delivery through automation.
Summary
Integrating GitHub Actions with AWS through OIDC enables secure, scalable, and passwordless authentication for CI/CD workflows.
By replacing static IAM credentials with temporary, role-based access, teams can achieve stronger security, reduced operational overhead, and continuous compliance with minimal configuration effort.
Following the outlined setup for AWS GitHub Actions authentication ensures secure GitHub to AWS deployments while maintaining speed, flexibility, and reliability: a foundation for sustainable DevOps growth.