
migrate all workflows to OIDC auth#418

Open
kellygavin96 wants to merge 2 commits into master from test/oidc-auth

Conversation

@kellygavin96
Contributor

@kellygavin96 kellygavin96 commented Apr 3, 2026

Summary
Replaces static AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY GitHub secrets
with OIDC role assumption across all workflows. This is more secure
as it eliminates long-lived AWS credentials stored as GitHub secrets.

Changes
main.yml — switched to OIDC auth, bumped configure-aws-credentials v1 → v4 (required for OIDC), added permissions: id-token: write block (required for GitHub to issue OIDC token)
Testing
✅ CI passed on this branch
✅ AWS credentials step passes with OIDC role assumption confirmed
After this is merged
The following repo secrets can be deleted by an admin if not used in other areas of the pipeline:

AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_OIDC_ROLE_ARN must remain.
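As an added example (not the PR's own diff), the shape of the change described above for main.yml: the static-key step that is removed, shown commented out, followed by the OIDC form with the required `permissions` block and the v4 action. The secret name `AWS_OIDC_ROLE_ARN` comes from the PR; the region, session name and verification step are assumptions.

```yaml
# BEFORE (removed by this PR): long-lived keys read from repository secrets.
# Anyone who can read these two secrets holds a credential that does not
# expire until someone rotates it.
#
#      - uses: aws-actions/configure-aws-credentials@v1
#        with:
#          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
#          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
#          aws-region: us-east-1

# AFTER: short-lived credentials obtained by exchanging a GitHub OIDC token.
name: deploy
on:
  push:
    branches: [master]

# Without id-token: write GitHub does not issue an OIDC token to the job and
# the credentials step fails. Granting it at the top level narrows every
# other permission to what is listed, so contents: read is stated explicitly.
permissions:
  id-token: write
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Configure AWS credentials via OIDC
        uses: aws-actions/configure-aws-credentials@v4   # v4 supports OIDC
        with:
          role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
          aws-region: us-east-1                          # assumed region
          role-session-name: gha-${{ github.run_id }}    # assumed; aids CloudTrail review

      # Assumed verification step: prints the role ARN actually assumed,
      # which is how "role assumption confirmed" can be checked in CI logs.
      - name: Verify the assumed identity
        run: aws sts get-caller-identity
```

The role's IAM trust policy is the other half of this change: its `token.actions.githubusercontent.com:sub` condition should be pinned to this repository (and ideally the master branch), since a trust policy without a `sub` condition lets workflows from any GitHub repository assume the role.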

@kellygavin96 kellygavin96 marked this pull request as ready for review April 6, 2026 20:27