In the GitHub Actions workflow, add permissions: id-token: write to the job so the runner can request an OIDC token from GitHub's token endpoint. Declaring a permissions block (at job or workflow level) resets every permission you do not list to none, so add contents: read alongside it if the job checks out the repository
Create an IAM OIDC identity provider in AWS with the GitHub OIDC issuer URL (https://token.actions.githubusercontent.com) and the audience (client ID) sts.amazonaws.com, and verify the thumbprint matches the value in the current GitHub or AWS documentation
Create an IAM role with a trust policy that allows sts:AssumeRoleWithWebIdentity from the GitHub OIDC provider, with a Condition that checks the aud claim equals sts.amazonaws.com and scopes the sub claim to the specific repository and, where possible, branch or environment (e.g., repo:org/repo:ref:refs/heads/main). Be aware that the sub format depends on the trigger: runs from pull_request events carry repo:org/repo:pull_request and environment-gated jobs carry repo:org/repo:environment:name, so a branch-only condition rejects those runs
In the workflow, use the official aws-actions/configure-aws-credentials action with role-to-assume set to the role ARN and aws-region set to the target region; the action requests the OIDC token (with audience sts.amazonaws.com by default) and exchanges it for temporary STS credentials automatically
Validate the setup by running aws sts get-caller-identity in a subsequent step and confirming that the Arn in the output is an assumed-role session of the expected role rather than any other principal
Do not store AWS access keys in GitHub secrets; the entire point is to use short-lived credentials — audit your secrets list periodically to catch accidental key storage
Known gotchas
The thumbprint registered on the IAM OIDC provider must correspond to GitHub's certificate chain; GitHub has rotated that chain in the past, and stale thumbprints caused AssumeRoleWithWebIdentity failures until they were updated. AWS has since moved to validating providers such as GitHub against its own library of trusted root CAs, but the thumbprint field is still required when creating the provider, so keep it at the documented value and re-check it first if token exchange starts failing
Overly broad trust policy conditions are the most common mistake: a trust policy that checks only aud, or omits the sub condition entirely, lets a workflow in any repository on github.com assume the role, and a wildcard such as repo:org/* lets anyone who can push to any repository in that organisation do so. Always scope to the minimum required repository and, where the job layout allows, to the branch or environment as well
The temporary credentials expire after the requested session duration (configure-aws-credentials defaults to one hour and exposes role-duration-seconds), which cannot exceed the role's MaxSessionDuration; jobs that run longer than that must re-run the credentials step before expiry rather than assume the credentials stay valid
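To make the trust-policy step and the scoping gotcha concrete, here is an added Python example; it is not code from the original page, from AWS, or from GitHub. It builds the trust policy as a dict ready to serialise for aws iam create-role, then runs constructed sample tokens through a small emulation of IAM's condition evaluation so the effect of each scoping choice can be seen before deployment. The account ID 123456789012, the example-org/example-repo names and the sample sub values are placeholders, and the matcher is a pre-deploy sanity check, not the IAM engine.

```python
# Added example (not from the original page): build the trust policy for the
# GitHub Actions OIDC role and check which tokens it would admit. Account ID,
# org/repo names and sample subjects are placeholders.
import fnmatch
import json

GITHUB_ISSUER = "token.actions.githubusercontent.com"
ACCOUNT = "123456789012"  # placeholder account ID


def trust_policy(account_id: str, subjects: list, audience: str = "sts.amazonaws.com") -> dict:
    """Trust policy allowing sts:AssumeRoleWithWebIdentity only for the listed sub values.

    Every sub value sits under one StringLike operator because IAM ANDs operators
    together (splitting values across StringEquals and StringLike would require a
    token to satisfy both); StringLike without a wildcard is an exact match. The
    aud check stops a token minted for another audience being replayed here. An
    empty subjects list leaves the role open to every repository on github.com.
    """
    condition = {"StringEquals": {f"{GITHUB_ISSUER}:aud": audience}}
    if subjects:
        condition["StringLike"] = {f"{GITHUB_ISSUER}:sub": list(subjects)}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_ISSUER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


def _matches(operator: str, expected, actual: str) -> bool:
    """One claim against one condition entry; the listed values are alternatives (OR)."""
    values = expected if isinstance(expected, list) else [expected]
    if operator == "StringEquals":
        return actual in values
    if operator == "StringLike":  # IAM wildcards are '*' and '?', which fnmatchcase honours
        return any(fnmatch.fnmatchcase(actual, v) for v in values)
    raise ValueError(f"unsupported operator {operator}")


def _conditions_hold(condition: dict, claims: dict) -> bool:
    """Operators and keys are ANDed; a claim missing from the token never matches."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            claim = key.split(":", 1)[1]  # "token.actions...:sub" -> "sub"
            if claim not in claims or not _matches(operator, expected, claims[claim]):
                return False
    return True


def would_allow(policy: dict, claims: dict) -> bool:
    """Emulates IAM: true if some Allow statement for AssumeRoleWithWebIdentity admits the claims."""
    return any(
        stmt["Effect"] == "Allow"
        and stmt["Action"] == "sts:AssumeRoleWithWebIdentity"
        and _conditions_hold(stmt.get("Condition", {}), claims)
        for stmt in policy["Statement"]
    )


def _claims(sub: str, aud: str = "sts.amazonaws.com") -> dict:
    return {"iss": f"https://{GITHUB_ISSUER}", "aud": aud, "sub": sub}


# Constructed sample tokens shaped like GitHub's sub claim for different triggers.
# pull_request and environment runs do not carry the refs/heads/<branch> form,
# so a branch-only condition rejects them.
SAMPLES = {
    "main_push": _claims("repo:example-org/example-repo:ref:refs/heads/main"),
    "feature_branch": _claims("repo:example-org/example-repo:ref:refs/heads/feature"),
    "pull_request": _claims("repo:example-org/example-repo:pull_request"),
    "prod_environment": _claims("repo:example-org/example-repo:environment:prod"),
    "foreign_repo": _claims("repo:someone-else/fork:ref:refs/heads/main"),
    "wrong_audience": _claims("repo:example-org/example-repo:ref:refs/heads/main", aud="api://other"),
}


def audit(policy: dict, samples: dict = SAMPLES) -> dict:
    """Map each sample token name to whether the policy would let it assume the role."""
    return {name: would_allow(policy, claims) for name, claims in samples.items()}


SCOPED = trust_policy(ACCOUNT, ["repo:example-org/example-repo:ref:refs/heads/main"])
WHOLE_REPO = trust_policy(ACCOUNT, ["repo:example-org/example-repo:*"])
NO_SUB_CONDITION = trust_policy(ACCOUNT, [])  # the over-broad policy from the gotcha above

if __name__ == "__main__":
    print(json.dumps(SCOPED, indent=2))
    for name, policy in [("scoped", SCOPED), ("whole repo", WHOLE_REPO), ("no sub", NO_SUB_CONDITION)]:
        print(f"{name:>10}: {audit(policy)}")
```

Running it prints the scoped policy JSON (suitable for the --assume-role-policy-document argument of aws iam create-role) followed by the three audits. The result to take from the output is that dropping the sub condition admits the foreign repository's token, the whole-repo wildcard admits pull_request and environment runs that the branch-only policy rejects, and the token with the wrong audience is refused by every variant.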