Securely Access Your AWS Resources From Github Actions

Learn how to generate short-lived credentials to access your AWS account from Github Action workflows

Setting up your AWS account

💡 TL;DR; I created a CloudFormation quick-create link that you can use to automate the following steps. See at the bottom of this article. If you want to know how it works, and what CloudFormation is going to do, keep reading this section.

💡 You will need to do this step only once per AWS account.

"StringLike": {
"": "repo:[your-org]/[your-repo]:*"

✍️ Note: You can take this even further and reduce the scope, by using git references, to a branch or tag only, for example. eg: repo:[your-org]/[your-repo]:ref:refs/heads/master

"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::1234567890:oidc-provider/"
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"": ""
"StringLike": {
"": "repo:[your-org]/[your-repo]:*"

💡 You can create different roles per account and use a different one for each use case. For example, one per application, per usage (configurations, deployment, integration tests), etc. You can play with that to reduce the scope of each session even more.

Configure Github action workflow

id-token: write # required to use OIDC authentication
contents: read # required to checkout the code from the repo
- name: configure aws credentials
uses: aws-actions/configure-aws-credentials@v1
role-to-assume: arn:aws:iam::1234567890:role/your-role-arn
role-duration-seconds: 900 # the ttl of the session, in seconds.
aws-region: us-east-1 # use your region here.
# You can now execute commands that use the credentials👇
- name: Serverless deploy
run: sls deploy --stage dev

💡 If you want to take security even further, you can also keep your role’s ARN used in role-to-assume in a Github secret.


✍️ Note: The created role will not have any Policy attached to it. You will still need to attach the ones that your workflow needs to it after that.




Twitter @Benoit_Boure — Need help? Hire me for a one-on-one session

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store