Add `id-token: write` permission to the GitHub Actions job
For AWS: configure an IAM OIDC identity provider with issuer `https://token.actions.githubusercontent.com` and create an IAM role with a trust policy that matches your repo's subject claim (`repo:<org>/<repo>:ref:refs/heads/main`)
Use the official `aws-actions/configure-aws-credentials` action with `role-to-assume` to exchange the OIDC token for temporary AWS credentials
For GCP: create a Workload Identity Pool and Provider; use `google-github-actions/auth` to exchange the token for a GCP access token
Validate the assumed identity in your pipeline by calling the cloud provider's identity API and confirming the role/service account matches expectations
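As an added example (not code from this page or from the actions named above), a small Python model of how an AWS IAM trust policy's `Condition` block admits or rejects a GitHub OIDC token, showing why the subject claim must be scoped to `refs/heads/main`. The org/repo names are placeholders, and the evaluator covers only `StringEquals`/`StringLike` on the GitHub issuer keys, not full IAM semantics.

```python
# Simplified model of IAM StringEquals/StringLike evaluation on GitHub OIDC claims
# (constructed example; it is not the IAM policy engine and ignores other operators).
import re

ISSUER_KEY = "token.actions.githubusercontent.com"

def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def condition_allows(condition: dict, claims: dict) -> bool:
    """True when every operator/key in the Condition is satisfied by the token claims
    (IAM ORs the values listed under one key and ANDs across keys and operators)."""
    for operator, keys in condition.items():
        for key, allowed in keys.items():
            claim = claims.get(key.split(":", 1)[1]) if key.startswith(ISSUER_KEY + ":") else None
            if claim is None:
                return False  # missing claim never satisfies a condition
            allowed = allowed if isinstance(allowed, list) else [allowed]
            if operator == "StringEquals":
                ok = claim in allowed
            elif operator == "StringLike":
                ok = any(string_like(p, claim) for p in allowed)
            else:
                raise ValueError(f"unsupported operator {operator}")
            if not ok:
                return False
    return True

# Trust policy scoped to the main branch of one repo (org/repo are placeholders).
MAIN_ONLY = {
    "StringEquals": {
        f"{ISSUER_KEY}:aud": "sts.amazonaws.com",
        f"{ISSUER_KEY}:sub": "repo:example-org/example-repo:ref:refs/heads/main",
    }
}
# Loosely scoped policy: the trailing wildcard lets any ref, PR or environment assume the role.
ANY_REF = {
    "StringEquals": {f"{ISSUER_KEY}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{ISSUER_KEY}:sub": "repo:example-org/example-repo:*"},
}

def subject_claims(sub: str) -> dict:
    """Constructed claim set with the fields the trust policy inspects."""
    return {"iss": "https://" + ISSUER_KEY, "aud": "sts.amazonaws.com", "sub": sub}

MAIN = subject_claims("repo:example-org/example-repo:ref:refs/heads/main")
FEATURE = subject_claims("repo:example-org/example-repo:ref:refs/heads/feature-x")
PULL_REQUEST = subject_claims("repo:example-org/example-repo:pull_request")
ENVIRONMENT = subject_claims("repo:example-org/example-repo:environment:production")
```

Running `condition_allows(MAIN_ONLY, FEATURE)` returns `False` while `condition_allows(ANY_REF, FEATURE)` returns `True`, which is the difference between a tight and a loose trust policy described under the gotchas.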
Known gotchas
The OIDC subject claim includes branch, tag, or PR context; trust policies must be scoped tightly (e.g., only `refs/heads/main`) to prevent feature branches from assuming production roles
OIDC tokens are short-lived (default 60 minutes on GitHub); long-running jobs that need cloud credentials beyond that window must re-request credentials mid-job
Some cloud providers differentiate between environment-level and branch-level claims; when a job targets a GitHub Environment, the subject claim takes the form `repo:<org>/<repo>:environment:<name>` in place of the branch `ref:` form, and the trust policy must match that `environment:` component
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp