If you want your GitHub Actions pipeline to perform some actions in AWS, the usual way is to create an IAM user with some keys, and then to store those keys as secrets in GitHub. This is not ideal because those long-lived secrets have to be copy/pasted and can potentially be leaked. A more modern, better way is to configure your AWS account to accept GitHub as an identity provider.

First, navigate to the IAM console on your browser, and click “Add provider”, and fill in the form like so:

  • “Provider type”: “OpenID connect”
  • “Provider URL”: https://token.actions.githubusercontent.com
  • “Audience”: sts.amazonaws.com

You now need to create an IAM role for your GitHub pipeline. Create an IAM policy allowing your pipeline to perform the required actions. Ideally, follow the principle of least privilege. Then create an IAM role. AWS makes it easy for you to configure that role to be used by GitHub:

  • “Trusted entity type”: “Web identity”
  • “Identity provider”: Select the identity provider you created before
  • “Audience”: sts.amazonaws.com
  • “GitHub organization”: Type in the name of your GitHub organization
  • “GitHub repository”: Optionally type in the name of the GitHub repo that will run that particular pipeline
  • “GitHub branch”: You can restrict the role to specific branches

Attach the policy you previously created and give the role a good, descriptive name. Note down the role ARN.

Finally, you can configure your GitHub pipeline to use this IAM role. Here is an example of what such a pipeline would look like:

name: Pipeline doing stuff in AWS


  id-token: write   # This is required for requesting the JWT
  contents: read    # This is required for actions/checkout

    name: My awesome job
    runs-on: ubuntu-latest
    - name: Checkout
      uses: actions/checkout@v3

    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v4
        role-to-assume: arn:aws:iam::258302884997:role/RoleForGithubActionsCmsRepo
        role-session-name: github-cms-pipeline
        aws-region: eu-west-1

    - name: Do stuff in AWS
      run: aws sts get-caller-identity

Both GitHub and AWS make it very easy to use this method, so make sure you stop copy/pasting those AWS keys moving forward!