configure-aws-credentials: AWS authentication for GitHub Actions
GitHub Action for AWS credential resolution in workflows.
configure-aws-credentials is a GitHub Action that establishes AWS authentication within workflow environments by setting credential-related environment variables. The action implements multiple credential resolution paths including OpenID Connect token exchange, static credential re-export, and AWS STS AssumeRole operations. It leverages the AWS JavaScript SDK credential resolution flow for Node.js, allowing workflows to access AWS resources through various identity mechanisms. Common deployment patterns include CI/CD pipelines requiring AWS API access, infrastructure automation, and deployment workflows that interact with AWS services.
Multiple authentication methods
Supports five distinct authentication scenarios including OIDC token exchange, static IAM credentials, STS AssumeRole with static credentials, web identity token flows, and credential chaining. This flexibility accommodates different security postures and organizational requirements.
OIDC-based temporary credentials
Implements GitHub OIDC provider integration to obtain temporary credentials without storing long-lived secrets in repositories. The action uses federated identity with configurable trust policies scoped to specific repositories and branches.
AWS SDK credential resolution integration
Operates within the AWS JavaScript SDK's credential resolution chain, allowing the action to work alongside other credential sources and respecting standard AWS credential precedence rules. This design enables role chaining and credential composition patterns.
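The repository and branch scoping described under "OIDC-based temporary credentials" is enforced in the IAM role's trust policy, through conditions on the token's `sub` and `aud` claims. The following is an added example, not code from the action or from this page: it audits a trust policy for conditions that leave the role open to more than one repository or branch. The account ID, organization and repository names are constructed placeholders, and GitHub's default `sub` format is assumed.

```javascript
// Added example: audit an IAM role trust policy for GitHub OIDC scoping.
const PROVIDER = 'token.actions.githubusercontent.com';
const asList = (v) => (v === undefined ? [] : [].concat(v));
// Collect values of one OIDC claim condition key (IAM keys are case-insensitive).
function claimValues(condition, operators, claim) {
  return operators.flatMap((op) => {
    const block = condition[op] || {};
    const key = Object.keys(block).find((k) => k.toLowerCase() === `${PROVIDER}:${claim}`);
    return key ? asList(block[key]).map((value) => ({ op, value })) : [];
  });
}
// Return findings for every Allow statement that federates with GitHub's OIDC provider.
// Simplification: only StringEquals and StringLike are inspected, and the
// default sub format "repo:OWNER/REPO:<context>" is assumed.
function auditTrustPolicy(policy) {
  const findings = [];
  asList(policy.Statement).forEach((stmt, i) => {
    const federated = asList((stmt.Principal || {}).Federated);
    if (stmt.Effect !== 'Allow'
      || !asList(stmt.Action).includes('sts:AssumeRoleWithWebIdentity')
      || !federated.some((arn) => arn.endsWith(`oidc-provider/${PROVIDER}`))) return;
    const cond = stmt.Condition || {};
    if (claimValues(cond, ['StringEquals'], 'aud').length === 0) {
      findings.push(`statement ${i}: aud is not pinned with StringEquals`);
    }
    const subs = claimValues(cond, ['StringEquals', 'StringLike'], 'sub');
    if (subs.length === 0) findings.push(`statement ${i}: no sub condition, role is not scoped to a repository`);
    for (const { op, value } of subs) {
      const [kind, repo = '', ...context] = value.split(':');
      const wild = (s) => op === 'StringLike' && /[*?]/.test(s); // wildcards only apply to StringLike
      if (kind !== 'repo' || wild(repo)) {
        findings.push(`statement ${i}: sub "${value}" does not pin one repository`);
      } else if (context.length === 0 || wild(context.join(':'))) {
        findings.push(`statement ${i}: sub "${value}" does not pin a branch or environment`);
      }
    }
  });
  return findings;
}

// Constructed sample policies (placeholder account ID and repository names).
const samplePolicy = (Condition) => ({ Version: '2012-10-17', Statement: [{
  Effect: 'Allow', Action: 'sts:AssumeRoleWithWebIdentity',
  Principal: { Federated: `arn:aws:iam::123456789012:oidc-provider/${PROVIDER}` }, Condition }] });
const scoped = samplePolicy({ StringEquals: {
  [`${PROVIDER}:aud`]: 'sts.amazonaws.com',
  [`${PROVIDER}:sub`]: 'repo:example-org/example-repo:ref:refs/heads/main' } });
const broad = samplePolicy({ StringLike: { [`${PROVIDER}:sub`]: 'repo:example-org/*' } });
console.log(auditTrustPolicy(scoped), auditTrustPolicy(broad));
```
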
```javascript
// In your GitHub Actions workflow JavaScript step
import * as core from '@actions/core';
import { STSClient, GetCallerIdentityCommand } from '@aws-sdk/client-sts';

// Credentials are already set by configure-aws-credentials action
const stsClient = new STSClient({ region: 'us-east-1' });
const identity = await stsClient.send(new GetCallerIdentityCommand({}));
core.info(`Authenticated as: ${identity.Account}`);
```

Adds proxy bypass and global timeout configuration; no breaking changes or new requirements.
- Configure no-proxy exceptions for AWS API calls using the new no-proxy input parameter.
- Set global timeout limits on credential operations to prevent indefinite hangs in CI workflows.
Breaking change: invalid boolean inputs now fail instead of defaulting; adds OIDC skip option and account ID allowlist.
- Review boolean inputs: invalid values (e.g., typos) now error instead of silently coercing; see issue #1445 for behavior details.
- Use new `skip-oidc` input to bypass OIDC token exchange or `account-id-allowlist` to restrict assumed account IDs.
Documentation-only patch updating README version references; no functional changes or breaking updates.
- Update internal documentation to reflect v4.3.1 version number in README files.
- No code changes, dependency updates, or action behavior modifications are included in this release.