Deploy a VPC + Subnet using AWS CLI — no long-lived credentials
Without OIDC you store AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as GitHub secrets — long-lived credentials that can leak. With OIDC, AWS trusts GitHub's token issuer and exchanges each run's short-lived JWT for temporary credentials. No keys. No rotation.
```text
GitHub Actions
    │ 1. Generates a JWT for this run
    ▼
token.actions.githubusercontent.com
    │ 2. Sends the token to AWS STS (AssumeRoleWithWebIdentity)
    ▼
AWS STS
    │ 3. Validates the token and checks the trust policy conditions (sub + aud)
    ▼
Temporary credentials (15 min – 1 hr)
    │ 4. Workflow runs AWS CLI commands
    ▼
AWS Resources (VPC, Subnet)
```
- Open `setup-aws.sh` and fill in the CONFIGURATION section at the top.
- Run it: `chmod +x setup-aws.sh && ./setup-aws.sh`
- Add the repo variables under Settings → Secrets and variables → Actions → Variables tab. The script prints these when it finishes:

| Variable | What it is |
|---|---|
| AWS_ACCOUNT_ID | Your 12-digit AWS Account ID |
| AWS_REGION | e.g. us-east-1 |
| AWS_ROLE_NAME | IAM role name used in setup |

- Actions tab → Deploy AWS VPC → Run workflow → watch the Verify identity step confirm OIDC worked.
| Concept | What it means |
|---|---|
| `id-token: write` | Lets the workflow request a JWT. Without this, OIDC silently fails |
| `configure-aws-credentials` action | Handles the entire STS token exchange |
| trust policy `sub` condition | Security gate — only your specific repo can assume the role |
| `role-session-name` | Labels the session in CloudTrail logs for auditing |
| `$GITHUB_ENV` | How to pass values (like VPC_ID) between workflow steps |
| `${{ vars.X }}` | Reads a repo variable from Settings → Secrets and variables → Actions |