CI/CD Pipelines: Security, Secrets, and Governance / Use OIDC instead of long-lived cloud keys

Exchange a short-lived identity token for cloud credentials.

Section: Harden pipeline credentials and permissions

Use OIDC instead of long-lived cloud keys

yaml
# Minimal GitHub Actions workflow: no AWS access key is stored as a secret;
# the job presents its OIDC token and assumes an IAM role instead.
on:
  push:
    branches: [main]

permissions:
  id-token: write   # lets the job request an OIDC token from GitHub
  contents: read    # checkout only; no write access to the repository

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-actions-deploy
          aws-region: us-east-1
Explanation

OIDC reduces secret sprawl: instead of storing long-lived cloud access keys as pipeline secrets, the job presents a short-lived identity token issued by the CI provider and exchanges it for temporary, federated cloud credentials that expire on their own.
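As an added example (not part of this sheet), here is the cloud side of the exchange: the IAM role named in role-to-assume only works if it trusts GitHub's OIDC provider, and that trust should be pinned to the audience and to the repository and branch that may deploy. The Python below builds such a trust policy and checks it for the two common weak spots (no sub condition, or a sub pattern that does not name a single repository); ORG/REPO and the function names are assumed placeholders.

```python
import json

GITHUB_OIDC = "token.actions.githubusercontent.com"
ROLE_ACCOUNT = "123456789012"  # account id from the workflow above


def trust_policy(sub_pattern):
    """Build the trust policy for the role in the workflow's role-to-assume.

    sub_pattern is the StringLike pattern for GitHub's `sub` claim, e.g.
    "repo:ORG/REPO:ref:refs/heads/main" (ORG/REPO is a placeholder). None omits
    the condition entirely, which is the classic misconfiguration.
    """
    condition = {"StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"}}
    if sub_pattern is not None:
        condition["StringLike"] = {f"{GITHUB_OIDC}:sub": sub_pattern}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ROLE_ACCOUNT}:oidc-provider/{GITHUB_OIDC}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


def trust_policy_findings(policy):
    """Return a list of problems with a GitHub OIDC trust policy (empty list = OK)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        # Flatten every condition operator into one claim -> [values] map.
        claims = {}
        for values in stmt.get("Condition", {}).values():
            for claim, val in values.items():
                claims.setdefault(claim, []).extend(val if isinstance(val, list) else [val])
        if claims.get(f"{GITHUB_OIDC}:aud") != ["sts.amazonaws.com"]:
            findings.append("aud claim is not pinned to sts.amazonaws.com")
        subs = claims.get(f"{GITHUB_OIDC}:sub", [])
        if not subs:
            findings.append("no sub condition: a workflow in any GitHub repository could assume this role")
        for sub in subs:
            parts = sub.split(":", 2)  # repo:<ORG/REPO>:<ref|environment|...>
            if len(parts) < 3 or parts[0] != "repo" or "*" in parts[1]:
                findings.append(f"sub pattern {sub!r} does not pin a single repository")
    return findings


if __name__ == "__main__":
    print(json.dumps(trust_policy("repo:ORG/REPO:ref:refs/heads/main"), indent=2))
    print(trust_policy_findings(trust_policy("repo:ORG/*")))
```

Run the checker against the trust policy of every role a pipeline assumes; an empty finding list means the role is pinned to the expected audience and repository.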
