github.com/aws-actions/configure-aws-credentials @v6.2.1

README

Configure AWS Credentials

Authenticate to AWS in GitHub Actions (and others)! Works especially well with AWS Secrets Manager.

Quick Start (OIDC, recommended)

  1. Create an IAM Identity Provider in your AWS account for GitHub OIDC. (See OIDC configuration below for details.)
  2. Create an IAM Role in your AWS account with a trust policy that allows GitHub Actions to assume it. (Expand the sections below)

GitHub OIDC Trust Policy

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
          "token.actions.githubusercontent.com:sub": "repo:<GITHUB_ORG>/<GITHUB_REPOSITORY>:ref:refs/heads/<GITHUB_BRANCH>"
        }
      }
    }
  ]
}
```

Note: if you are running in a GitHub environment-based workflow, the value of the sub claim is different and takes the form repo:<GITHUB_ORG>/<GITHUB_REPOSITORY>:environment:<ENVIRONMENT_NAME>. Adjust the trust policy accordingly if you use environment-based workflows.

  3. Attach permissions to the IAM Role that allow it to access the AWS resources you need.
  4. Add the following to your GitHub Actions workflow:

Example Workflow

```yaml
# Need ID token write permission to use OIDC
permissions:
  id-token: write
jobs:
  run_job_with_aws:
    runs-on: ubuntu-latest
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v6.1.0
        with:
          role-to-assume: <Role ARN you created in step 2>
          aws-region: <AWS Region you want to use>
      - name: Additional steps
        run: |
          # Your commands that require AWS credentials
          aws sts get-caller-identity
```

That's it! Your GitHub Actions workflow can now access AWS resources using the IAM Role you created. Other authentication scenarios are also supported (see below).
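The sub condition in the trust policy is what keeps a role from being assumed by other branches, forks or pull_request workflows, so it is worth testing before deployment. The following added TypeScript example (not part of the action) simulates the trust-policy condition check STS applies to a GitHub OIDC token; it also handles StringLike wildcards, which is how an environment-scoped sub is usually expressed. The account ID, org and repo names in the sample policy are constructed placeholders.

```typescript
// Added example, not part of the action: simulates the trust-policy condition
// check STS applies to a GitHub OIDC token before allowing
// sts:AssumeRoleWithWebIdentity, so a policy can be unit-tested against the
// aud/sub claims a workflow will present. Only Allow statements are evaluated.
type Claims = Record<string, string>;
type Condition = Record<string, Record<string, string | string[]>>;
interface Statement {
  Effect: "Allow" | "Deny"; Principal?: unknown; Action: string | string[]; Condition?: Condition;
}
interface TrustPolicy { Version: string; Statement: Statement[] }
const PROVIDER = "token.actions.githubusercontent.com";

// Turn an IAM StringLike pattern (* and ? wildcards) into an anchored RegExp.
function globToRegExp(pattern: string): RegExp {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`);
}

function conditionMatches(op: string, expected: string | string[], actual: string): boolean {
  const values = Array.isArray(expected) ? expected : [expected];
  if (op === "StringEquals") return values.includes(actual);
  if (op === "StringLike") return values.some((v) => globToRegExp(v).test(actual));
  throw new Error(`unsupported condition operator: ${op}`);
}

// True if some Allow statement for AssumeRoleWithWebIdentity has every condition
// key satisfied by the token. Keys outside the provider namespace and claims the
// token does not carry fail closed.
function wouldAllowAssume(policy: TrustPolicy, claims: Claims): boolean {
  return policy.Statement.some((st) => {
    const actions = Array.isArray(st.Action) ? st.Action : [st.Action];
    if (st.Effect !== "Allow" || !actions.includes("sts:AssumeRoleWithWebIdentity")) return false;
    return Object.entries(st.Condition ?? {}).every(([op, keys]) =>
      Object.entries(keys).every(([key, expected]) => {
        if (!key.startsWith(`${PROVIDER}:`)) return false;
        const actual = claims[key.slice(PROVIDER.length + 1)];
        return actual !== undefined && conditionMatches(op, expected, actual);
      }),
    );
  });
}

// Constructed sample: the README's branch-scoped policy with placeholders filled in.
const samplePolicy: TrustPolicy = { Version: "2012-10-17", Statement: [{
  Effect: "Allow", Action: "sts:AssumeRoleWithWebIdentity",
  Principal: { Federated: `arn:aws:iam::123456789012:oidc-provider/${PROVIDER}` },
  Condition: { StringEquals: { [`${PROVIDER}:aud`]: "sts.amazonaws.com",
    [`${PROVIDER}:sub`]: "repo:example-org/example-repo:ref:refs/heads/main" } },
}] };
```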

Security Recommendations

  • Use temporary credentials when possible. OIDC is recommended because it provides temporary credentials and it's easy to set up.
  • Do not store credentials in your repository's code. Consider using git-secrets to prevent committing secrets to your repository.
  • Grant least privilege to your workflows. Grant only those permissions that are necessary for the workflow to run.
  • Monitor the activity of the credentials used in workflows.
  • Periodically rotate any long-lived credentials that you use.
  • Store sensitive information in a secure way, such as using AWS Secrets Manager or GitHub Secrets.
  • Be especially careful about running Actions in non-ephemeral environments, or triggering workflows on pull_request_target events.

Non-OIDC Authentication Options

This action supports five different authentication methods that are configured by specifying different inputs.

  1. Use a core.getIDToken() call to authenticate via OIDC.
  2. Re-export existing long-lived IAM credentials (access key ID and secret access key) as environment variables.
  3. Use static credentials stored in GitHub Secrets to fetch temporary credentials via STS AssumeRole.
  4. Use a Web Identity Token to fetch temporary credentials via STS AssumeRoleWithWebIdentity.
  5. Use credentials stored in the Action environment to fetch temporary credentials via STS AssumeRole.

Because we use the AWS JavaScript SDK, we will always use the credential resolution flow for Node.js.

Depending on your inputs, the action might override parts of this flow.

Inputs and their effects on the credential resolution flow

| Identity Used | aws-access-key-id | role-to-assume | web-identity-token-file | role-chaining |
| --- | --- | --- | --- | --- |
| [✅ Recommended] GitHub OIDC | | ✔ | | |
| IAM User (no AssumeRole) | ✔ | | | |
| AssumeRole using static IAM credentials | ✔ | ✔ | | |
| AssumeWithWebIdentity use a token file | | ✔ | ✔ | |
| AssumeRole using existing credentials | | ✔ | | ✔ |

Note: role-chaining is not always necessary to use existing credentials. If you're getting a "Credentials loaded by the SDK do not match" error, try enabling this option.

Additionally, aws-region is always required.

Note: If you use GitHub Enterprise Server, you may need to adjust examples here to match your environment.

Additional Options

Options

The options list can be expanded below. See action.yml for more detail.

Options list and descriptions

| Option | Description | Required |
| --- | --- | --- |
| aws-region | Which AWS region to use | Yes |
| aws-profile | Name of the AWS profile to configure. When provided, credentials are written to ~/.aws/credentials and ~/.aws/config files. This enables configuring multiple profiles in a single workflow. Name cannot contain whitespace, square brackets, or slashes. When set, credentials will not be exported as environment variables unless output-env-credentials is manually set to true. | No |
| overwrite-aws-profile | Overwrite the given AWS profile if it already exists. When set to false or not set, an error will be thrown if the profile already exists. | No |
| role-to-assume | Role for which to fetch credentials. Only required for some authentication types. | No |
| aws-access-key-id | AWS access key to use. Only required for some authentication types. | No |
| aws-secret-access-key | AWS secret key to use. Only required for some authentication types. | No |
| aws-session-token | AWS session token to use. Used in uncommon authentication scenarios. | No |
| role-chaining | Use existing credentials from the environment to assume a new role. | No |
| audience | The JWT audience when using OIDC. Used in non-default AWS partitions, like China regions. | No |
| http-proxy | An HTTP proxy to use for API calls. | No |
| mask-aws-account-id | AWS account IDs are not considered secret. Setting this will hide account IDs from output anyway. | No |
| role-duration-seconds | The assumed role duration in seconds, if assuming a role. Defaults to 1 hour (3600 seconds). Acceptable values range from 15 minutes (900 seconds) to 12 hours (43200 seconds). | No |
| role-external-id | The external ID of the role to assume. Only needed if your role requires it. | No |
| role-session-name | Defaults to "GitHubActions", but may be changed if required. | No |
| role-skip-session-tagging | Skips session tagging if set. | |
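The aws-profile and overwrite-aws-profile rows above define a small set of rules for writing a profile: reject names with whitespace, brackets or slashes, and refuse to touch an existing section unless overwriting is explicitly enabled. The following added TypeScript example (not the action's own profileManager code; every function name is this example's own) applies those rules to in-memory INI text so the behaviour can be tested without touching ~/.aws.

```typescript
// Added example, not the action's own profileManager: applies the aws-profile
// and overwrite-aws-profile rules from the options table to in-memory INI text.
// Section names are used as in ~/.aws/credentials; for ~/.aws/config the AWS CLI
// names non-default sections "profile <name>", so pass that string as the profile there.
type IniSections = Map<string, Map<string, string>>;

// Reject names containing whitespace, square brackets or slashes, as the option requires.
function assertValidProfileName(name: string): void {
  if (name.length === 0 || /[\s\[\]\/]/.test(name)) {
    throw new Error(`invalid profile name: ${JSON.stringify(name)}`);
  }
}

// Minimal INI parser: [section] headers, key = value lines, # or ; comments.
function parseIniText(text: string): IniSections {
  const sections: IniSections = new Map();
  let current: Map<string, string> | undefined;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#") || line.startsWith(";")) continue;
    const header = /^\[(.+)\]$/.exec(line);
    if (header) { current = new Map(); sections.set(header[1], current); continue; }
    const eq = line.indexOf("=");
    if (eq < 0 || !current) throw new Error(`malformed line: ${raw}`);
    current.set(line.slice(0, eq).trim(), line.slice(eq + 1).trim());
  }
  return sections;
}

function renderIni(sections: IniSections): string {
  let out = "";
  sections.forEach((kv, name) => {
    out += `[${name}]\n`;
    kv.forEach((v, k) => { out += `${k} = ${v}\n`; });
  });
  return out;
}

// Add or replace one profile section. Mirrors overwrite-aws-profile: an existing
// section is an error unless overwrite is true, in which case it is replaced as a
// whole so a stale aws_session_token from an earlier run cannot linger.
function upsertProfile(text: string, profile: string, values: Record<string, string>, overwrite = false): string {
  assertValidProfileName(profile);
  const sections = parseIniText(text);
  if (sections.has(profile) && !overwrite) {
    throw new Error(`profile ${profile} already exists; set overwrite-aws-profile to replace it`);
  }
  sections.set(profile, new Map(Object.entries(values)));
  return renderIni(sections);
}
```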

Extension points (exported contracts, how you extend this code)

CredentialsClientProps (Interface)
(no doc)
src/CredentialsClient.ts
ProxyOptions (Interface)
(no doc)
src/ProxyResolver.ts
ProfileFilePaths (Interface)
(no doc)
src/profileManager.ts
assumeRoleParams (Interface)
(no doc)
src/assumeRole.ts

Core symbols (most depended-on inside this repo)

run
called by 84
src/index.ts
parseIni
called by 33
src/profileManager.ts
writeProfileFiles
called by 23
src/profileManager.ts
getProfileFilePaths
called by 19
src/profileManager.ts
validateProfileName
called by 15
src/profileManager.ts
mergeProfileSection
called by 14
src/profileManager.ts
errorMessage
called by 12
src/helpers.ts
getBooleanInput
called by 11
src/helpers.ts

Shape

Function 43
Method 8
Class 4
Interface 4

Languages

TypeScript 100%

Modules by API surface

src/helpers.ts: 26 symbols
src/profileManager.ts: 8 symbols
src/CredentialsClient.ts: 8 symbols
src/assumeRole.ts: 6 symbols
src/ProxyResolver.ts: 6 symbols
src/index.ts: 3 symbols
test/index.test.ts: 1 symbol
src/cleanup/index.ts: 1 symbol

Dependencies from manifests, versioned

@actions/core 3.0.1 · 1×
@aws-sdk/client-sts 3.1075.0 · 1×
@aws-sdk/credential-provider-env 3.972.49 · 1×
@biomejs/biome 2.5.0 · 1×
@smithy/node-http-handler 4.8.2 · 1×
@smithy/property-provider 4.4.2 · 1×
@types/node 26.0.0 · 1×
@vitest/coverage-v8 4.1.9 · 1×
aws-sdk-client-mock 4.1.0 · 1×
esbuild 0.28.1 · 1×
generate-license-file 4.2.1 · 1×
json-schema 0.4.0 · 1×
