Zero-Secret CI/CD: GitHub Actions + OIDC on AWS (Part 6)
No AWS_ACCESS_KEY_ID in your GitHub secrets. Ever. Here's how OIDC trust works and why it's strictly better.
The most common GitHub Actions setup I see in portfolios stores AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as repository secrets. Those are long-lived credentials tied to an IAM user. One breach of your GitHub account — a compromised OAuth token, a compromised third-party Action, a secret accidentally logged in workflow output — and an attacker has permanent AWS access until someone notices and rotates the keys.
OIDC federation eliminates the stored credentials entirely. The workflow presents a short-lived identity token signed by GitHub to AWS and assumes an IAM role with it; the temporary session expires when the job ends. There are no keys to rotate because there are no keys.
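The security of this setup lives in the role's trust policy: AWS will issue temporary credentials to any token whose claims satisfy the policy's conditions, so the conditions must pin the audience and the repository (and ref or environment) rather than trusting the GitHub OIDC provider as a whole. The following is an added example, not code from the post or the project it describes: it shows a weak trust policy beside a corrected one and a small audit function that flags the weak settings. The account id, organization and repository names are constructed placeholders.

```python
import json
import re

# Constructed placeholder values (not taken from the post).
ACCOUNT_ID = "123456789012"
GITHUB_OIDC_PROVIDER = (
    f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com"
)
SUB_CLAIM = "token.actions.githubusercontent.com:sub"
AUD_CLAIM = "token.actions.githubusercontent.com:aud"

# Weak: no audience check and a wildcard that lets every repository in
# the organization (including forks created there) assume the role.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": GITHUB_OIDC_PROVIDER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {SUB_CLAIM: "repo:example-org/*"}},
    }],
})

# Corrected: audience pinned to STS, subject pinned to one repo and branch.
STRONG_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": GITHUB_OIDC_PROVIDER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            AUD_CLAIM: "sts.amazonaws.com",
            SUB_CLAIM: "repo:example-org/example-app:ref:refs/heads/main",
        }},
    }],
})


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _sub_is_pinned(sub: str) -> bool:
    """True when the sub claim names exactly one owner/repo and one ref or
    environment, with no wildcards anywhere."""
    m = re.fullmatch(r"repo:([^/:*?]+)/([^/:*?]+):(.+)", sub)
    if not m:
        return False
    tail = m.group(3)
    return tail.startswith(("ref:refs/", "environment:")) and "*" not in tail


def audit_github_oidc_trust(policy_json: str) -> list[str]:
    """Return findings for a role trust policy intended for GitHub Actions OIDC.
    An empty list means every AssumeRoleWithWebIdentity statement pins the
    principal, the audience and the subject."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        federated = _as_list(stmt.get("Principal", {}).get("Federated"))
        if federated != [GITHUB_OIDC_PROVIDER]:
            findings.append("principal is not exactly the GitHub OIDC provider")
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        like = cond.get("StringLike", {})
        if _as_list(equals.get(AUD_CLAIM)) != ["sts.amazonaws.com"]:
            findings.append("aud is not pinned to sts.amazonaws.com with StringEquals")
        subs = _as_list(equals.get(SUB_CLAIM)) + _as_list(like.get(SUB_CLAIM))
        if not subs:
            findings.append("no sub condition: any GitHub repository could assume this role")
        for sub in subs:
            if not _sub_is_pinned(sub):
                findings.append(f"sub pattern too broad: {sub}")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_TRUST_POLICY), ("strong", STRONG_TRUST_POLICY)):
        print(name, audit_github_oidc_trust(doc) or "ok")
```

On the workflow side the job must request the token with `permissions: id-token: write`; without that permission GitHub issues no token and the role assumption fails, which is the expected failure mode rather than a fallback to stored keys.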
This post covers how the trust relationship works, how the CI and deploy workflows are structured, and how the frontend gets deployed to CloudFront with correct cache headers.