Learn how to configure GitHub OIDC to securely authenticate with AWS IAM roles. Eliminate long-lived access keys in your CI/CD pipeline.

In this video, we configure GitHub Actions to authenticate with AWS using OpenID Connect (OIDC). Instead of storing long-lived AWS access keys in GitHub secrets, we establish a secure trust relationship between GitHub and AWS IAM using federated identity.

You will learn how to:
• Create an OIDC identity provider in AWS IAM
• Configure the GitHub OIDC provider URL
• Set the correct audience (sts.amazonaws.com)
• Create an IAM role for GitHub Actions
• Configure the trust policy with token.aud and token.sub conditions
• Grant least-privilege permissions to the role
• Configure GitHub Actions with id-token: write
• Use aws-actions/configure-aws-credentials
• Assume the IAM role via JWT token exchange
• Validate authentication by listing S3 buckets

This setup allows GitHub Actions to securely assume an IAM role using short-lived credentials — without storing static AWS access keys.

This tutorial is ideal for:
• DevOps Engineers
• Cloud Engineers
• Platform Engineers
• Security-focused CI/CD teams

By the end of this video, you will have a production-ready, secure authentication mechanism between GitHub and AWS.
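For the trust-policy step listed above, here is an added example (not code from the video or its author): a Python check that a role's trust policy pins both the audience and the subject claim before it is deployed. The condition keys use GitHub's issuer host, token.actions.githubusercontent.com; the account ID, org and repo in the sample are constructed placeholders, and the function names are hypothetical.

```python
import json

ISSUER = "token.actions.githubusercontent.com"  # GitHub's OIDC issuer host

# Constructed sample: the account ID, org and repo names are placeholders.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
    "Principal": {"Federated":
      "arn:aws:iam::111122223333:oidc-provider/token.actions.githubusercontent.com"},
    "Condition": {
      "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
      "StringLike": {"token.actions.githubusercontent.com:sub":
        "repo:example-org/example-repo:ref:refs/heads/main"}
    }
  }]
}""")

def _values(cond, key):
    """Collect a condition key's values from StringEquals and StringLike."""
    out = []
    for op in ("StringEquals", "StringLike"):
        v = cond.get(op, {}).get(key, [])
        out += [v] if isinstance(v, str) else list(v)
    return out

def audit_trust_policy(policy):
    """Return findings for statements that trust the GitHub OIDC provider."""
    findings = []
    stmts = policy.get("Statement", [])
    for i, s in enumerate([stmts] if isinstance(stmts, dict) else stmts):
        principal = s.get("Principal")
        fed = principal.get("Federated", "") if isinstance(principal, dict) else ""
        feds = [fed] if isinstance(fed, str) else fed
        trusts_github = any(f.endswith("oidc-provider/" + ISSUER) for f in feds)
        if s.get("Effect") != "Allow" or not trusts_github:
            continue  # not a GitHub federation statement
        cond = s.get("Condition", {})
        subs = _values(cond, ISSUER + ":sub")
        if _values(cond, ISSUER + ":aud") != ["sts.amazonaws.com"]:
            findings.append(f"statement {i}: aud is not pinned to sts.amazonaws.com")
        if not subs:
            findings.append(f"statement {i}: no sub condition, so the role is not tied to a repository")
        for sub in subs:
            owner_repo = sub.removeprefix("repo:").split(":", 1)[0]
            if not sub.startswith("repo:") or "*" in owner_repo:
                findings.append(f"statement {i}: sub '{sub}' does not pin an exact owner/repo")
    return findings
```

Calling `audit_trust_policy(SAMPLE_POLICY)` returns an empty list; a policy exported with `aws iam get-role` can be passed in the same way after extracting its `AssumeRolePolicyDocument`.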