{"id":13528323,"url":"https://github.com/aws-actions/configure-aws-credentials","last_synced_at":"2026-02-05T00:02:17.927Z","repository":{"id":37549277,"uuid":"220391287","full_name":"aws-actions/configure-aws-credentials","owner":"aws-actions","description":"Configure AWS credential environment variables for use in other GitHub Actions.","archived":false,"fork":false,"pushed_at":"2026-01-28T00:21:14.000Z","size":69813,"stargazers_count":2860,"open_issues_count":28,"forks_count":555,"subscribers_count":49,"default_branch":"main","last_synced_at":"2026-01-28T12:49:36.138Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aws-actions.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2019-11-08T05:11:44.000Z","updated_at":"2026-01-28T00:02:50.000Z","dependencies_parsed_at":"2023-01-05T04:52:00.276Z","dependency_job_id":"8703de7b-db34-4a39-b277-1f15bd4c3be1","html_url":"https://github.com/aws-actions/configure-aws-credentials","commit_stats":{"total_commits":947,"total_committers":201,"mean_commits":4.711442786069652,"dds":"0.48574445617740236","last_synced_commit":"97834a484a5ab3c40fa9e2eb40fcf8041105a573"},"previous_names":[],"tags_count":58,"template":false,"template_full_name":null,"purl":"pkg:github/aws-actions/configure-aws-credentials","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositorie
s/aws-actions%2Fconfigure-aws-credentials","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aws-actions%2Fconfigure-aws-credentials/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aws-actions%2Fconfigure-aws-credentials/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aws-actions%2Fconfigure-aws-credentials/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aws-actions","download_url":"https://codeload.github.com/aws-actions/configure-aws-credentials/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aws-actions%2Fconfigure-aws-credentials/sbom","scorecard":{"id":219249,"data":{"date":"2025-08-11","repo":{"name":"github.com/aws-actions/configure-aws-credentials","commit":"209f2a4450bb4b277e1dedaff40ad2fd8d4d0a4c"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":6.6,"checks":[{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":5,"reason":"Found 10/17 approved changesets -- score normalized to 5","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are 
merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: jobLevel 'contents' permission set to 'write': .github/workflows/automerge-approved-prs.yml:9","Info: jobLevel 'contents' permission set to 'read': .github/workflows/close-stale-issues.yml:13","Info: jobLevel 'contents' permission set to 'read': .github/workflows/package-dist.yml:17","Warn: no topLevel permission defined: .github/workflows/automerge-approved-prs.yml:1","Warn: no topLevel permission defined: .github/workflows/cawsc-test.yml:1","Warn: no topLevel permission defined: .github/workflows/close-stale-issues.yml:1","Warn: no topLevel permission defined: .github/workflows/closed-issue-message.yml:1","Info: topLevel 'contents' permission set to 'read': 
.github/workflows/dependabot-autoapprove.yml:9","Warn: no topLevel permission defined: .github/workflows/handle-stale-discussions.yml:1","Warn: no topLevel permission defined: .github/workflows/issue-regression-labeler.yml:1","Warn: no topLevel permission defined: .github/workflows/package-dist.yml:1","Warn: no topLevel permission defined: .github/workflows/pull-request-lint.yml:1","Warn: topLevel 'contents' permission set to 'write': .github/workflows/release-please.yml:10","Warn: no topLevel permission defined: .github/workflows/tests-unit.yml:1"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: third-party GitHubAction not pinned by hash: .github/workflows/automerge-approved-prs.yml:16: update your workflow using 
https://app.stepsecurity.io/secureworkflow/aws-actions/configure-aws-credentials/automerge-approved-prs.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/automerge-approved-prs.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/aws-actions/configure-aws-credentials/automerge-approved-prs.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/cawsc-test.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/aws-actions/configure-aws-credentials/cawsc-test.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/close-stale-issues.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/aws-actions/configure-aws-credentials/close-stale-issues.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/closed-issue-message.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/aws-actions/configure-aws-credentials/closed-issue-message.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/dependabot-autoapprove.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/aws-actions/configure-aws-credentials/dependabot-autoapprove.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dependabot-autoapprove.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/aws-actions/configure-aws-credentials/dependabot-autoapprove.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/dependabot-autoapprove.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/aws-actions/configure-aws-credentials/dependabot-autoapprove.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/dependabot-autoapprove.yml:27: update your workflow using 
https://app.stepsecurity.io/secureworkflow/aws-actions/configure-aws-credentials/dependabot-autoapprove.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/handle-stale-discussions.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/aws-actions/configure-aws-credentials/handle-stale-discussions.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/issue-regression-labeler.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/aws-actions/configure-aws-credentials/issue-regression-labeler.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/package-dist.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/aws-actions/configure-aws-credentials/package-dist.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/package-dist.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/aws-actions/configure-aws-credentials/package-dist.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/package-dist.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/aws-actions/configure-aws-credentials/package-dist.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pull-request-lint.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/aws-actions/configure-aws-credentials/pull-request-lint.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-please.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/aws-actions/configure-aws-credentials/release-please.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-please.yml:23: update your workflow using 
https://app.stepsecurity.io/secureworkflow/aws-actions/configure-aws-credentials/release-please.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-please.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/aws-actions/configure-aws-credentials/release-please.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-please.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/aws-actions/configure-aws-credentials/release-please.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests-unit.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/aws-actions/configure-aws-credentials/tests-unit.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests-unit.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/aws-actions/configure-aws-credentials/tests-unit.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/tests-unit.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/aws-actions/configure-aws-credentials/tests-unit.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests-unit.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/aws-actions/configure-aws-credentials/tests-unit.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests-unit.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/aws-actions/configure-aws-credentials/tests-unit.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/tests-unit.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/aws-actions/configure-aws-credentials/tests-unit.yml/main?enable=pin","Info:   0 out of   8 
GitHub-owned GitHubAction dependencies pinned","Info:   0 out of  17 third-party GitHubAction dependencies pinned","Info:   1 out of   1 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/aws-actions/.github/SECURITY.md:1","Info: Found linked content: github.com/aws-actions/.github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/aws-actions/.github/SECURITY.md:1","Info: Found text in security policy: github.com/aws-actions/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"SAST","score":8,"reason":"SAST tool is not run on all commits -- score normalized to 8","details":["Warn: 19 commits out of 23 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities 
detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-17T02:10:43.986Z","repository_id":37549277,"created_at":"2025-08-17T02:10:43.990Z","updated_at":"2025-08-17T02:10:43.990Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29101790,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-04T22:44:52.815Z","status":"ssl_error","status_checked_at":"2026-02-04T22:44:16.428Z","response_time":62,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T06:02:25.560Z","updated_at":"2026-02-05T00:02:17.920Z","avatar_url":"https://github.com/aws-actions.png","language":"TypeScript","funding_links":[],"categories":["TypeScript","others","📖 Category Details","Tools"],"sub_categories":["**5. Infrastructure \u0026 Operations (DevOps/ IaC)**"],"readme":"Configure AWS Credentials\n=========================\nAuthenticate to AWS in GitHub Actions! Works especially well with [AWS Secrets\nManager](https://github.com/aws-actions/aws-secretsmanager-get-secrets).\n\nQuick Start (OIDC, recommended)\n-------------------------------\n1. Create an IAM Identity Provider in your AWS account for GitHub OIDC. 
(See \n[OIDC configuration](#oidc-configuration) below for details.)\n2. Create an IAM Role in your AWS account with a trust policy that allows GitHub\nActions to assume it:\n    \u003cdetails\u003e\n    \u003csummary\u003eGitHub OIDC Trust Policy\u003c/summary\u003e\n\n    ```json\n    {\n      \"Version\": \"2012-10-17\",\n      \"Statement\": [\n        {\n          \"Effect\": \"Allow\",\n          \"Principal\": {\n            \"Federated\": \"arn:aws:iam::\u003cAWS_ACCOUNT_ID\u003e:oidc-provider/token.actions.githubusercontent.com\"\n          },\n          \"Action\": \"sts:AssumeRoleWithWebIdentity\",\n          \"Condition\": {\n            \"StringEquals\": {\n              \"token.actions.githubusercontent.com:aud\": \"sts.amazonaws.com\",\n              \"token.actions.githubusercontent.com:sub\": \"repo:\u003cGITHUB_ORG\u003e/\u003cGITHUB_REPOSITORY\u003e:ref:refs/heads/\u003cGITHUB_BRANCH\u003e\"\n            }\n          }\n        }\n      ]\n    }\n    ```\n    \u003c/details\u003e\n3. Attach permissions to the IAM Role that allow it to access the AWS resources \nyou need.\n4. Add the following to your GitHub Actions workflow:\n    \u003cdetails\u003e\n    \u003csummary\u003eExample Workflow\u003c/summary\u003e\n\n    ```yaml\n    # Need ID token write permission to use OIDC\n    permissions:\n      id-token: write\n    jobs:\n      run_job_with_aws:\n        runs-on: ubuntu-latest\n        steps:\n          - name: Configure AWS Credentials\n            uses: aws-actions/configure-aws-credentials@main # Or a specific version\n            with:\n              role-to-assume: \u003cRole ARN you created in step 2\u003e\n              aws-region: \u003cAWS Region you want to use\u003e\n          - name: Additional steps\n            run: |\n              # Your commands that require AWS credentials\n              aws sts get-caller-identity \n    ```\n    \u003c/details\u003e\nThat's it! 
Your GitHub Actions workflow can now access AWS resources using the\nIAM Role you created. Other authentication scenarios are also supported (see\nbelow).\n\nSecurity Recommendations\n------------------------\n* Use temporary credentials when possible. OIDC is recommended because it\n  provides temporary credentials and it's easy to set up.\n* Do not store credentials in your repository's code. Consider using\n  [git-secrets](https://github.com/awslabs/git-secrets) to prevent committing\n  secrets to your repository.\n* [Grant least privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege)\n  to your workflows. Grant only those permissions that are necessary for the\n  workflow to run.\n* [Monitor the activity](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#keep-a-log)\n  of the credentials used in workflows.\n* Periodically rotate any long-lived credentials that you use.\n* Store sensitive information in a secure way, such as using\n  [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) or\n  [GitHub Secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets).\n\nOther Authentication Scenarios\n------------------------------\nThis action supports five different authentication methods that are configured\nby specifying different inputs.\n\n1. Use a `core.getIDToken()` call to authenticate via OIDC.\n2. Re-export existing long-lived IAM credentials (access key ID and secret\n   access key) as environment variables.\n3. Use static credentials stored in GitHub Secrets to fetch temporary\n   credentials via STS AssumeRole.\n4. Use a Web Identity Token to fetch temporary credentials via STS\n   AssumeRoleWithWebIdentity.\n5. 
Use credentials stored in the Action environment to fetch temporary\n   credentials via STS AssumeRole.\n\nBecause we use the AWS JavaScript SDK, we will always use the [credential\nresolution flow for Node.js](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/setting-credentials-node.html).\nDepending on your inputs, the action might override parts of this flow.\n\n\u003cdetails\u003e\n\u003csummary\u003eInputs and their effects on the credential resolution flow\u003c/summary\u003e\n\n| **Identity Used**                        | `aws-access-key-id` | `role-to-assume` | `web-identity-token-file` | `role-chaining` |\n| ---------------------------------------- | ------------------- | ---------------- | ------------------------- | --------------- |\n| [✅ Recommended] GitHub OIDC             |                     | ✔                |                           |                 |\n| IAM User (no AssumeRole)                 | ✔                   |                  |                           |                 |\n| AssumeRole using static IAM credentials  | ✔                   | ✔                |                           |                 |\n| AssumeRoleWithWebIdentity with token file |                     | ✔                | ✔                         |                 |\n| AssumeRole using existing credentials    |                     | ✔                |                           | ✔               |\n\n*Note: `role-chaining` is not always necessary to use existing credentials.\nIf you're getting a \"Credentials loaded by the SDK do not match\" error,\ntry enabling this option.*\n\u003c/details\u003e\n\nAdditionally, **`aws-region`** is always required.\n\n*Note: If you use GitHub Enterprise Server, you may need to adjust the\nexamples here to match your environment.*\n\nAdditional Options\n------------------\n### Options\nSee [action.yml](./action.yml) for more detail.\n\u003cdetails\u003e\n\u003csummary\u003eOptions list and 
descriptions\u003c/summary\u003e\n\n|          Option           |                                            Description                                            | Required |\n|---------------------------|---------------------------------------------------------------------------------------------------|----------|\n| aws-region                | Which AWS region to use                                                                           |    Yes   |\n| role-to-assume            | Role for which to fetch credentials. Only required for some authentication types.                 |    No    |\n| aws-access-key-id         | AWS access key to use. Only required for some authentication types.                               |    No    |\n| aws-secret-access-key     | AWS secret key to use. Only required for some authentication types.                               |    No    |\n| aws-session-token         | AWS session token to use. Used in uncommon authentication scenarios.                              |    No    |\n| role-chaining             | Use existing credentials from the environment to assume a new role.                               |    No    |\n| audience                  | The JWT audience when using OIDC. Used in non-default AWS partitions, like China regions.         |    No    |\n| http-proxy                | An HTTP proxy to use for API calls.                                                               |    No    |\n| mask-aws-account-id       | AWS account IDs are not considered secret. Setting this will hide account IDs from output anyway. |    No    |\n| role-duration-seconds     | The assumed role duration in seconds, if assuming a role. Defaults to 1 hour (3600 seconds). Acceptable values range from 15 minutes (900 seconds) to 12 hours (43200 seconds). |    No    |\n| role-external-id          | The external ID of the role to assume. Only needed if your role requires it.                      
|    No    |\n| role-session-name         | Defaults to \"GitHubActions\", but may be changed if required.                                      |    No    |\n| role-skip-session-tagging | Skips session tagging if set.                                                                     |    No    |\n| transitive-tag-keys       | Define a list of transitive tag keys to pass when assuming a role.                                |    No    |\n| inline-session-policy     | You may further restrict the assumed role policy by defining an inline policy here.               |    No    |\n| managed-session-policies  | You may further restrict the assumed role policy by specifying a managed policy here.             |    No    |\n| output-credentials        | When set, outputs fetched credentials as action step output. (Outputs aws-access-key-id, aws-secret-access-key, aws-session-token, aws-account-id, authenticated-arn, and aws-expiration). Defaults to false.                   |    No    |\n| output-env-credentials       | When set, outputs fetched credentials as environment variables (AWS_REGION, AWS_DEFAULT_REGION, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN). Defaults to true. Set to false if you need to avoid setting/changing env variables. You'd probably want to use output-credentials if you disable this. (NOTE: Setting to false will prevent the aws-account-id from being exported as a step output). |    No    |\n| unset-current-credentials | When set, attempts to unset any existing credentials in your action runner.                       |    No    |\n| disable-retry             | Disables retry/backoff logic for assume role calls. By default, retries are enabled.              |    No    |\n| retry-max-attempts        | Limits the number of retry attempts before giving up. Defaults to 12.                             |    No    |\n| special-characters-workaround | Uncommonly, some environments cannot tolerate special characters in a secret key. 
This option will retry fetching credentials until the secret access key does not contain special characters. This option overrides disable-retry and retry-max-attempts. | No |\n| use-existing-credentials  | When set, the action will check if existing credentials are valid and exit if they are. Defaults to false. |    No    |\n| allowed-account-ids       | A comma-delimited list of expected AWS account IDs. The action will fail if we receive credentials for the wrong account. |    No    |\n| force-skip-oidc           | When set, the action will skip using the GitHub OIDC provider even if the id-token permission is set. |    No    |\n| action-timeout-s          | Global timeout for the action in seconds. If set to a value greater than 0, the action will fail if it takes longer than this time to complete. |    No    |\n\u003c/details\u003e\n\n#### Adjust the retry mechanism\nYou can configure retry settings for when the STS call fails. By default, we\nretry with exponential backoff `12` times. You can disable this behavior\naltogether by setting the `disable-retry` input to `true`, or you can configure\nthe number of times it retries with the `retry-max-attempts` input.\n\n#### Mask account ID\nYour account ID is not masked by default in workflow logs. You can set the\n`mask-aws-account-id` input to `true` to mask your account ID in workflow logs\nif desired.\n\n#### Unset current credentials\nSometimes, existing credentials in your runner can get in the way of the\nintended outcome. You can set the `unset-current-credentials` input to `true` to\nwork around this issue.\n\n#### Use an HTTP proxy\n\nIf you need to use an HTTP proxy, you can set it in the action manually. 
Additionally\nthis action will always consider the `HTTP_PROXY` environment variable.\n\n\u003cdetails\u003e\n\u003csummary\u003eProxy configuration\u003c/summary\u003e\n\nManually configured proxy:\n```yaml\nuses: aws-actions/configure-aws-credentials@v5.1.1\nwith:\n  aws-region: us-east-2\n  role-to-assume: my-github-actions-role\n  http-proxy: \"http://companydomain.com:3128\"\n```\n\nProxy configured in the environment variable:\n```bash\n# Your environment configuration\nHTTP_PROXY=\"http://companydomain.com:3128\"\n```\n\u003c/details\u003e\n\n#### Special characters in AWS_SECRET_ACCESS_KEY\nSome edge cases are unable to properly parse an `AWS_SECRET_ACCESS_KEY` if it\ncontains special characters. For more information, please see the\n[AWS CLI documentation](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-troubleshooting.html#tshoot-signature-does-not-match).\nIf you set the `special-characters-workaround` option, this action will\ncontinually retry fetching credentials until we get one that does not have\nspecial characters. This option overrides the `disable-retry` and\n`retry-max-attempts` options. 
We recommend that you do not enable this option\nunless required, because retrying APIs infinitely until they succeed is not best\npractice.\n\nSession Naming and Policies\n---------------------------\nThe default session name is \"GitHubActions\", and you can modify it by specifying\nthe desired name in `role-session-name`.\n\n*Note: you might find it helpful to set the `role-session-name` to `${{ github.run_id }}` \nso as to clarify in audit logs which AWS actions were performed by which workflow \nrun.*\n\nThe session will be tagged with the\nfollowing tags: (Refer to [GitHub's documentation for `GITHUB_` environment\nvariable definitions](https://docs.github.com/en/actions/reference/workflows-and-actions/variables#default-environment-variables))\n\n| Key        | Value             |\n| ---------- | ----------------- |\n| GitHub     | \"Actions\"         |\n| Repository | GITHUB_REPOSITORY |\n| Workflow   | GITHUB_WORKFLOW   |\n| Action     | GITHUB_ACTION     |\n| Actor      | GITHUB_ACTOR      |\n| Branch     | GITHUB_REF        |\n| Commit     | GITHUB_SHA        |\n\n_Note: all tag values must conform to\n[the tag requirements](https://docs.aws.amazon.com/STS/latest/APIReference/API_Tag.html).\nParticularly, `GITHUB_WORKFLOW` will be truncated if it's too long. 
If\n`GITHUB_ACTOR` or `GITHUB_WORKFLOW` contain invalid characters, the characters\nwill be replaced with an '*'._\n\nThe action will use session tagging by default unless you are using OIDC.\n\nTo [forward session tags to subsequent sessions in a role chain](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining), \nyou can use the `transitive-tag-keys` input to specify the keys of the tags to be passed.\n\n_Note that all subsequent roles in the chain must have `role-skip-session-tagging` set to `true`_\n```yaml\n      uses: aws-actions/configure-aws-credentials@v5\n      with:\n        transitive-tag-keys: |\n          Repository\n          Workflow\n          Action\n          Actor\n```\n\n### Session policies\nSession policies are not required, but they allow you to limit the scope of the\nfetched credentials without making changes to IAM roles. You can specify inline\nsession policies right in your workflow file, or refer to an existing managed\nsession policy by its ARN.\n\n#### Inline session policies\nAn IAM policy in stringified JSON format that you want to use as an inline\nsession policy. 
Depending on preferences, the JSON could be written on a single\nline.\n\n\u003cdetails\u003e\n\u003csummary\u003eInline session policy examples\u003c/summary\u003e\n\n```yaml\n      uses: aws-actions/configure-aws-credentials@v5.1.1\n      with:\n         inline-session-policy: '{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:List*\",\"Resource\":\"*\"}]}'\n```\nOr we can have a nicely formatted JSON as well:\n```yaml\n      uses: aws-actions/configure-aws-credentials@v5.1.1\n      with:\n         inline-session-policy: \u003e-\n          {\n           \"Version\": \"2012-10-17\",\n           \"Statement\": [\n            {\n             \"Sid\":\"Stmt1\",\n             \"Effect\":\"Allow\",\n             \"Action\":\"s3:List*\",\n             \"Resource\":\"*\"\n            }\n           ]\n          }\n```\n\u003c/details\u003e\n\n#### Managed session policies\nThe Amazon Resource Names (ARNs) of the IAM managed policies that you want to\nuse as managed session policies. The policies must exist in the same account as\nthe role.\n\n\u003cdetails\u003e\n\u003csummary\u003eManaged session policy examples\u003c/summary\u003e\n\n```yaml\n      uses: aws-actions/configure-aws-credentials@v5.1.1\n      with:\n         managed-session-policies: arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess\n```\nAnd we can pass multiple managed policies like this:\n```yaml\n      uses: aws-actions/configure-aws-credentials@v5.1.1\n      with:\n         managed-session-policies: |\n          arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess\n          arn:aws:iam::aws:policy/AmazonS3OutpostsReadOnlyAccess\n```\n\u003c/details\u003e\n\nOIDC Configuration\n-------------------\nWe recommend using [GitHub's OIDC\nprovider](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)\nto get short-lived AWS credentials needed for your actions. 
When using OIDC, you\nconfigure IAM to accept JWTs from GitHub's OIDC endpoint. This action will\nthen create a JWT unique to the workflow run using the OIDC endpoint, and it\nwill use the JWT to assume the specified role with short-term credentials.\n\nTo get this to work:\n1. Configure your workflow to use the `id-token: write` permission.\n2. Configure your audience, if required.\n3. In your AWS account, configure IAM to trust GitHub's OIDC identity provider.\n4. Configure an IAM role with appropriate claim limits and permission scope.\n\n   *Note*: Naming your role \"GitHubActions\" has been reported to not work. See\n   [#953](https://github.com/aws-actions/configure-aws-credentials/issues/953).\n\n5. Specify that role's ARN when setting up this action.\n\n### OIDC Audience\n\nWhen the JWT is created, an audience needs to be specified. Normally, you would\nuse `sts.amazonaws.com`, and this action uses it by default if you don't\nspecify one. This will work for most cases. Changing the default audience may\nbe necessary when using non-default AWS partitions, such as China regions.\nYou can specify the audience through the `audience` input:\n\n```yaml\n    - name: Configure AWS Credentials for China region audience\n      uses: aws-actions/configure-aws-credentials@v5.1.1\n      with:\n        audience: sts.amazonaws.com.cn\n        aws-region: cn-northwest-1\n        role-to-assume: arn:aws-cn:iam::123456789100:role/my-github-actions-role\n```\n\n### Configuring IAM to trust GitHub\nTo use GitHub's OIDC provider, you must first set up federation in your AWS\naccount. This involves creating an IAM Identity Provider that trusts GitHub's\nOIDC endpoint. 
You can create an IAM Identity Provider in the AWS Management \nConsole by specifying the following details:\n- **Provider Type**: OIDC\n- **Provider URL**: `https://token.actions.githubusercontent.com`\n- **Audience**: `sts.amazonaws.com` (or your custom audience if you specified\n  one in the `audience` input)\n\nPrior versions of this documentation gave instructions for specifying the\ncertificate fingerprint, but this is no longer necessary. The thumbprint, if \nspecified, will be ignored.\n\nYou can also create the IAM Identity Provider using the AWS CLI:\n\n```bash\naws iam create-open-id-connect-provider \\\n    --url https://token.actions.githubusercontent.com \\\n    --client-id-list sts.amazonaws.com \n```\n\n### Claims and scoping permissions\nTo align with the Amazon IAM best practice of [granting least\nprivilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege),\nthe assume role policy document should contain a\n[`Condition`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html)\nthat specifies a subject (`sub`) allowed to assume the role. [GitHub also\nrecommends](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#defining-trust-conditions-on-cloud-roles-using-oidc-claims)\nfiltering for the correct audience (`aud`). See [AWS IAM\ndocumentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#condition-keys-wif)\non which claims you can filter for in your trust policies.\n\nWithout a subject (`sub`) condition, any GitHub user or repository could\npotentially assume the role. The subject can be scoped to a GitHub organization\nand repository as shown in the CloudFormation template. However, scoping it down\nto your org and repo may cause the role assumption to fail in some cases. 
See\n[Example subject claims](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims)\nfor specific details on what the subject value will be depending on your\nworkflow. You can also [customize your subject claim](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-token-claims)\nif you want full control over the information you can filter for in your trust\npolicy. If you aren't sure what your subject (`sub`) key is, you can add the\n[`actions-oidc-debugger`](https://github.com/github/actions-oidc-debugger)\naction to your workflow to see the value of the subject (`sub`) key, as well as\nother claims.\n\nAdditional claim conditions can be added for higher specificity as explained in\nthe [GitHub documentation](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect).\nDue to implementation details, not every OIDC claim is presently supported by\nIAM.\n\n### Further information about OIDC\n\nFor further information on OIDC and GitHub Actions, please see:\n\n* [AWS docs: Creating OpenID Connect (OIDC) identity providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)\n* [AWS docs: IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html)\n* [GitHub docs: About security hardening with OpenID Connect](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect)\n* [GitHub docs: Configuring OpenID Connect in Amazon Web Services](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)\n* [GitHub changelog: GitHub Actions: Secure cloud deployments with OpenID 
Connect](https://github.blog/changelog/2021-10-27-github-actions-secure-cloud-deployments-with-openid-connect/)\n\nExamples\n--------\n\n### AssumeRoleWithWebIdentity\n```yaml\n    - name: Configure AWS Credentials\n      uses: aws-actions/configure-aws-credentials@v5.1.1\n      with:\n        aws-region: us-east-2\n        role-to-assume: arn:aws:iam::123456789100:role/my-github-actions-role\n        role-session-name: MySessionName\n```\nIn this example, the Action will load the OIDC token from the GitHub-provided\nenvironment variable and use it to assume the role\n`arn:aws:iam::123456789100:role/my-github-actions-role` with the session name\n`MySessionName`.\n\n### AssumeRole with role previously assumed by action in same workflow\n```yaml\n    - name: Configure AWS Credentials\n      uses: aws-actions/configure-aws-credentials@v5.1.1\n      with:\n        aws-region: us-east-2\n        role-to-assume: arn:aws:iam::123456789100:role/my-github-actions-role\n        role-session-name: MySessionName\n    - name: Configure other AWS Credentials\n      uses: aws-actions/configure-aws-credentials@v5.1.1\n      with:\n        aws-region: us-east-2\n        role-to-assume: arn:aws:iam::987654321000:role/my-second-role\n        role-session-name: MySessionName\n        role-chaining: true\n```\nIn this two-step example, the first step will use OIDC to assume the role\n`arn:aws:iam::123456789100:role/my-github-actions-role` just as in the prior\nexample. Following that, a second step will use this role to assume a different\nrole, `arn:aws:iam::987654321000:role/my-second-role`.\n\nNote that the trust relationship/trust policy of the second role must grant the permissions `sts:AssumeRole` and `sts:TagSession` to the first role. 
(Alternatively, the `TagSession` permission can be omitted if you use the `role-skip-session-tagging: true` flag for the second step.)\n\n### AssumeRole with static IAM credentials in repository secrets\n```yaml\n    - name: Configure AWS Credentials\n      uses: aws-actions/configure-aws-credentials@v5.1.1\n      with:\n        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}\n        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}\n        aws-region: us-east-2\n        role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}\n        role-external-id: ${{ secrets.AWS_ROLE_EXTERNAL_ID }}\n        role-duration-seconds: 1200\n        role-session-name: MySessionName\n```\nIn this example, the secret `AWS_ROLE_TO_ASSUME` contains a string like\n`arn:aws:iam::123456789100:role/my-github-actions-role`. To assume a role in\nthe same account as the static credentials, you can simply specify the role\nname, like `role-to-assume: my-github-actions-role`.\n\n### Retrieving credentials from step output, AssumeRole with temporary credentials\n```yaml\n    - name: Configure AWS Credentials 1\n      id: creds\n      uses: aws-actions/configure-aws-credentials@v5.1.1\n      with:\n        aws-region: us-east-2\n        role-to-assume: arn:aws:iam::123456789100:role/my-github-actions-role\n        output-credentials: true\n    - name: get caller identity 1\n      run: |\n        aws sts get-caller-identity\n    - name: Configure AWS Credentials 2\n      uses: aws-actions/configure-aws-credentials@v5.1.1\n      with:\n        aws-region: us-east-2\n        aws-access-key-id: ${{ steps.creds.outputs.aws-access-key-id }}\n        aws-secret-access-key: ${{ steps.creds.outputs.aws-secret-access-key }}\n        aws-session-token: ${{ steps.creds.outputs.aws-session-token }}\n        role-to-assume: arn:aws:iam::123456789100:role/my-other-github-actions-role\n    - name: get caller identity 2\n      run: |\n        aws sts get-caller-identity\n```\nThis example 
shows that you can reference the fetched credentials as outputs if\n`output-credentials` is set to true. This example also shows that you can use\nthe `aws-session-token` input in a situation where session tokens are fetched\nand passed to this action.\n\nVersioning\n----------\nStarting with version 5.0.0, this action uses semantic-style release tags and\n[immutable releases](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/immutable-releases).\nA floating version tag (vN) is also provided for convenience: this tag will\nmove to the latest major version (vN -\u003e vN.2.1, vM -\u003e vM.0.0, etc.).\n\nLicense\n-------\nThis code is made available under the MIT license.\n\nSecurity Disclosures\n--------------------\nIf you would like to report a potential security issue in this project, please\ndo not create a GitHub issue. Instead, please follow the instructions\n[here](https://aws.amazon.com/security/vulnerability-reporting/) or\n[email AWS security](mailto:aws-security@amazon.com) directly.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faws-actions%2Fconfigure-aws-credentials","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faws-actions%2Fconfigure-aws-credentials","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faws-actions%2Fconfigure-aws-credentials/lists"}