Authenticate to AWS in GitHub Actions (and others)! Works especially well with AWS Secrets Manager.
GitHub OIDC Trust Policy
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
          "token.actions.githubusercontent.com:sub": "repo:<GITHUB_ORG>/<GITHUB_REPOSITORY>:ref:refs/heads/<GITHUB_BRANCH>"
        }
      }
    }
  ]
}
```
Note: if you are running in a GitHub environment based workflow, the value
for the Sub claim will be different, in the form of
repo:<GITHUB_ORG>/<GITHUB_REPOSITORY>:environment:<ENVIRONMENT_NAME>.
Adjust the trust policy accordingly if you are using environment-based
workflows.
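As an added check (example code written for this page, not part of the action or its README): a small audit of a role's trust policy against the aud and sub conditions described above, flagging a missing audience, a missing sub, a sub that matches more than one repository, or a sub that is neither the branch nor the environment form. It assumes the default github.com issuer; the account ID, organisation and repository names in the sample policies are constructed placeholders.

```python
import re

ISSUER = "token.actions.githubusercontent.com"
AUD_KEY, SUB_KEY = f"{ISSUER}:aud", f"{ISSUER}:sub"
# The two sub forms described above: branch-based and environment-based workflows.
SUB_SUFFIX = re.compile(r"ref:refs/heads/.+|environment:.+")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy: dict) -> list[str]:
    """Return findings for each Allow statement that lets GitHub's OIDC provider assume the role."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if (stmt.get("Effect") != "Allow"
                or "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", []))
                or not federated.endswith(f":oidc-provider/{ISSUER}")):
            continue  # not a GitHub OIDC Allow statement; nothing to check here
        cond = stmt.get("Condition", {})
        claims = {**cond.get("StringEquals", {}), **cond.get("StringLike", {})}
        aud = claims.get(AUD_KEY)
        if aud is None:
            findings.append(f"statement {i}: no aud condition (expected sts.amazonaws.com)")
        elif "sts.amazonaws.com" not in _as_list(aud):
            findings.append(f"statement {i}: custom audience {aud!r}; it must match the action's audience input")
        sub = claims.get(SUB_KEY)
        if sub is None:
            findings.append(f"statement {i}: no sub condition; a workflow in any GitHub repository may assume this role")
            continue
        for s in _as_list(sub):
            parts = s.split(":", 2)  # ["repo", "<org>/<repo>", "<ref or environment selector>"]
            if len(parts) == 3 and "*" in parts[1]:
                findings.append(f"statement {i}: sub {s!r} matches more than one repository")
            elif len(parts) != 3 or parts[0] != "repo" or not SUB_SUFFIX.fullmatch(parts[2]):
                findings.append(f"statement {i}: sub {s!r} is neither the branch nor the environment form")
    return findings

def github_trust_policy(condition: dict) -> dict:
    """Constructed policy in the shape shown above; 111122223333 is a placeholder account ID."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity", "Condition": condition}]}

STRICT = github_trust_policy({"StringEquals": {AUD_KEY: "sts.amazonaws.com",
                              SUB_KEY: "repo:example-org/example-repo:ref:refs/heads/main"}})
LOOSE = github_trust_policy({"StringLike": {SUB_KEY: "repo:example-org/*:*"}})
```

Running audit_trust_policy(LOOSE) reports both the missing audience and the repository wildcard, while STRICT produces no findings.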
Example Workflow
```yaml
# Need ID token write permission to use OIDC
permissions:
  id-token: write
jobs:
  run_job_with_aws:
    runs-on: ubuntu-latest
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v6.1.0
        with:
          role-to-assume: <Role ARN you created in step 2>
          aws-region: <AWS Region you want to use>
      - name: Additional steps
        run: |
          # Your commands that require AWS credentials
          aws sts get-caller-identity
```
That's it! Your GitHub Actions workflow can now access AWS resources using the IAM Role you created. Other authentication scenarios are also supported (see below).
pull_request_target events. This action supports five different authentication methods, selected by the inputs you specify.

core.getIDToken() call to authenticate via OIDC. Because the action uses the AWS JavaScript SDK, it always goes through the SDK's credential resolution flow for Node.js. Depending on your inputs, the action might override parts of this flow.
Inputs and their effects on the credential resolution flow
| Identity Used | aws-access-key-id | role-to-assume | web-identity-token-file | role-chaining |
|---|---|---|---|---|
| [✅ Recommended] GitHub OIDC | | ✔ | | |
| IAM User (no AssumeRole) | ✔ | | | |
| AssumeRole using static IAM credentials | ✔ | ✔ | | |
| AssumeWithWebIdentity use a token file | | ✔ | ✔ | |
| AssumeRole using existing credentials | | ✔ | | ✔ |
Note: role-chaining is not always necessary to use existing credentials. If
you're getting a "Credentials loaded by the SDK do not match" error, try
enabling this option.
Additionally, aws-region is always required.
Note: If you use GitHub Enterprise Server, you may need to adjust examples here to match your environment.
The full list of options follows. See action.yml for more detail.
Options list and descriptions
| Option | Description | Required |
|---|---|---|
| aws-region | Which AWS region to use | Yes |
| aws-profile | Name of the AWS profile to configure. When provided, credentials are written to the ~/.aws/credentials and ~/.aws/config files. This enables configuring multiple profiles in a single workflow. The name cannot contain whitespace, square brackets, or slashes. When set, credentials will not be exported as environment variables unless output-env-credentials is explicitly set to true. | No |
| overwrite-aws-profile | Overwrite the given AWS profile if it already exists. When set to false or not set, an error will be thrown if the profile already exists. | No |
| role-to-assume | Role for which to fetch credentials. Only required for some authentication types. | No |
| aws-access-key-id | AWS access key to use. Only required for some authentication types. | No |
| aws-secret-access-key | AWS secret key to use. Only required for some authentication types. | No |
| aws-session-token | AWS session token to use. Used in uncommon authentication scenarios. | No |
| role-chaining | Use existing credentials from the environment to assume a new role. | No |
| audience | The JWT audience when using OIDC. Used in non-default AWS partitions, like China regions. | No |
| http-proxy | An HTTP proxy to use for API calls. | No |
| mask-aws-account-id | AWS account IDs are not considered secret. Setting this will hide account IDs from output anyway. | No |
| role-duration-seconds | The assumed role duration in seconds, if assuming a role. Defaults to 1 hour (3600 seconds). Acceptable values range from 15 minutes (900 seconds) to 12 hours (43200 seconds). | No |
| role-external-id | The external ID of the role to assume. Only needed if your role requires it. | No |
| role-session-name | Defaults to "GitHubActions", but may be changed if required. | No |
| role-skip-session-tagging | Skips session tagging if set. | No |