Cloud Automation · 10 min read

GitHub OIDC → AWS (No Long-Lived Keys): Cloud Automation the Right Way

How to use GitHub Actions OIDC to assume an AWS IAM role and deploy/upload artifacts without storing AWS keys. Includes least-privilege IAM, trust policy patterns, and troubleshooting tips.

By Jason Teixeira, January 10, 2026

Tags: AWS · IAM · OIDC · GitHub Actions · Terraform · Security
Static AWS keys in CI are a footgun.

If you want cloud automation that scales (and passes security review), use OIDC-based federation:

  • GitHub's OIDC provider issues the job a short-lived identity token (a signed JWT whose claims name the repository, ref and workflow)
  • AWS STS verifies that token against the registered identity provider and exchanges it for short-lived AWS credentials (AssumeRoleWithWebIdentity)
  • Your workflow assumes a least-privilege role and does the work

This portfolio uses the same pattern to support Cloud telemetry mode (AWS S3) without ever embedding long-lived credentials.
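The trust policy on the role is where the security of step two is decided: the role should only be assumable by tokens whose `aud` claim is `sts.amazonaws.com` and whose `sub` claim names one repository and one branch, environment or pull-request context, never an org-wide or branch-wide wildcard. The following is an added example, not the article's or the portfolio's own code: a small Python linter that checks an IAM trust policy document for those conditions, run over a constructed weak policy and a constructed hardened one. The account id, org name and repo name are placeholders.

```python
"""Lint an IAM role trust policy for GitHub Actions OIDC federation.

Added example (not the article's code). Account id, org and repo names
below are constructed placeholders.
"""
import json
from typing import List, Optional

GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com"
# Constructed placeholder account id; a real provider ARN names your account.
GITHUB_OIDC_PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC_ISSUER}"

# Weak trust policy (constructed): no aud condition, and a sub pattern that
# lets any repo in the org, on any branch or PR, assume the role.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": GITHUB_OIDC_PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringLike": {f"{GITHUB_OIDC_ISSUER}:sub": "repo:example-org/*"},
        },
    }],
}

# Hardened trust policy (constructed): aud pinned to STS, sub pinned to one
# repo and one branch, so a fork PR or a feature branch cannot assume it.
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": GITHUB_OIDC_PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{GITHUB_OIDC_ISSUER}:aud": "sts.amazonaws.com"},
            "StringLike": {
                f"{GITHUB_OIDC_ISSUER}:sub": "repo:example-org/example-repo:ref:refs/heads/main",
            },
        },
    }],
}


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _condition_values(condition: dict, key: str) -> List[str]:
    """Collect every value bound to `key` across all condition operators."""
    out: List[str] = []
    for _operator, bindings in condition.items():
        for k, v in bindings.items():
            if k == key:
                out.extend(_as_list(v))
    return out


def _lint_sub(sub: str) -> Optional[str]:
    """GitHub sub claims look like repo:OWNER/REPO:ref:refs/heads/BRANCH,
    repo:OWNER/REPO:environment:NAME or repo:OWNER/REPO:pull_request."""
    if not sub.startswith("repo:"):
        return f"sub {sub!r} does not start with 'repo:'"
    repo, sep, scope = sub[len("repo:"):].partition(":")
    if "*" in repo or "?" in repo:
        return f"sub {sub!r} wildcards the repository"
    if not sep or scope in ("", "*"):
        return f"sub {sub!r} does not pin a branch, tag, environment or pull_request"
    return None


def lint_trust_policy(policy: dict) -> List[str]:
    """Return human-readable findings; an empty list means the policy passes."""
    findings: List[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        where = f"Statement[{i}]"
        principal = str(stmt.get("Principal", {}).get("Federated", ""))
        if not principal.endswith(f"oidc-provider/{GITHUB_OIDC_ISSUER}"):
            findings.append(f"{where}: Federated principal is not the GitHub OIDC provider")
        cond = stmt.get("Condition", {})
        if _condition_values(cond, f"{GITHUB_OIDC_ISSUER}:aud") != ["sts.amazonaws.com"]:
            findings.append(f"{where}: aud must be pinned to sts.amazonaws.com")
        subs = _condition_values(cond, f"{GITHUB_OIDC_ISSUER}:sub")
        if not subs:
            findings.append(f"{where}: no sub condition, any GitHub repo could assume this role")
        for sub in subs:
            problem = _lint_sub(sub)
            if problem:
                findings.append(f"{where}: {problem}")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(f"== {name} ==")
        print(json.dumps(policy, indent=2))
        print("findings:", lint_trust_policy(policy) or "none")
```

Run it as-is to see both policies and their findings, or point `lint_trust_policy` at the JSON you get back from `aws iam get-role`. The `sub` check is deliberately strict about the third segment because `repo:org/repo:*` still lets any pull request, including one opened from a fork, assume the role.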

The architecture


Written by Jason Teixeira, Founder, Sage Ideas Studio · Principal Engineer