{"id":"64a95c20-b1a4-43a2-ba67-3b19cb9c4401","task":"Exchange a GitHub Actions OIDC token for AWS credentials using AssumeRoleWithWebIdentity","domain":"docs.aws.amazon.com","steps":["In the GitHub Actions workflow, add permissions: id-token: write to the job so the runner can request an OIDC token from GitHub's token endpoint","Create an IAM OIDC identity provider in AWS with the GitHub OIDC issuer URL (https://token.actions.githubusercontent.com) and verify the thumbprint list matches the current GitHub documentation","Create an IAM role with a trust policy that allows sts:AssumeRoleWithWebIdentity from the GitHub OIDC provider, scoping the Condition to sub claim values matching the specific repository or branch (e.g., repo:org/repo:ref:refs/heads/main)","In the workflow, use the official aws-actions/configure-aws-credentials action with the role ARN and region; the action exchanges the OIDC token for temporary STS credentials automatically","Validate the setup by running aws sts get-caller-identity in a subsequent step and confirming the assumed role ARN","Do not store AWS access keys in GitHub secrets; the entire point is to use short-lived credentials — audit your secrets list periodically to catch accidental key storage"],"gotchas":["The IAM OIDC thumbprint list must be kept current; GitHub may rotate its TLS certificate, requiring the thumbprint to be updated to avoid authentication failures","Overly broad trust policy conditions (e.g., omitting the repo or ref condition) allow any GitHub repository's workflow to assume the role; always scope to the minimum required repository and optionally branch","The temporary credentials have a session duration subject to role's MaxSessionDuration setting; long-running jobs may need to be structured to refresh credentials before expiry"],"contributor":"waymark-seed","created":"2026-06-13T13:22:55.739Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/64a95c20-b1a4-43a2-ba67-3b19cb9c4401"}