diff --git a/.github/workflows/generate-openapi.yml b/.github/workflows/generate-openapi.yml index e08d229aa9..01c7c56740 100644 --- a/.github/workflows/generate-openapi.yml +++ b/.github/workflows/generate-openapi.yml @@ -18,11 +18,13 @@ on: description: 'Version of FOASCLI to use.' required: true type: string + aws_s3_role_to_assume: + description: 'AWS S3 Role to Assume.' + required: true + type: string secrets: # all secrets are passed explicitly in this workflow api_bot_pat: required: true - aws_s3_role_to_assume: - required: true permissions: contents: write @@ -62,7 +64,7 @@ jobs: - name: aws configure uses: aws-actions/configure-aws-credentials@v4 with: - role-to-assume: ${{ secrets.aws_s3_role_to_assume }} + role-to-assume: ${{ inputs.aws_s3_role_to_assume }} aws-region: ${{inputs.aws_default_region}} - name: Retrieve Specs env: diff --git a/.github/workflows/release-changelog.yml b/.github/workflows/release-changelog.yml index b36946b3cb..664dcd8ab0 100644 --- a/.github/workflows/release-changelog.yml +++ b/.github/workflows/release-changelog.yml @@ -22,12 +22,15 @@ on: description: 'Version of FOASCLI to use.' required: true type: string + aws_s3_role_to_assume: + description: 'AWS S3 Role to Assume.' + required: true + type: string secrets: # all secrets are passed explicitly in this workflow api_bot_pat: required: true - aws_s3_role_to_assume: - required: true - + + permissions: contents: write issues: write @@ -91,7 +94,7 @@ jobs: - name: aws configure uses: aws-actions/configure-aws-credentials@v4 with: - role-to-assume: ${{ secrets.aws_s3_role_to_assume }} + role-to-assume: ${{ inputs.aws_s3_role_to_assume }} aws-region: ${{inputs.aws_default_region}} - name: Generate Changelog env: diff --git a/.github/workflows/release-spec-runner.yml b/.github/workflows/release-spec-runner.yml index 862dc59938..3729b79f63 100644 --- a/.github/workflows/release-spec-runner.yml +++ b/.github/workflows/release-spec-runner.yml 
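Review bot: Declaring `aws_s3_role_to_assume` under `inputs` instead of `secrets` in generate-openapi.yml means the value is no longer masked in job logs, so the role ARN (which normally embeds the AWS account ID) is readable by anyone who can view workflow runs. That is fine only if the role is protected by its trust policy rather than by the obscurity of its name. The trust policy is not visible in this diff, so it is worth confirming that it restricts which repository and refs may assume the role. The description could state the intent, e.g. `description: 'ARN of the IAM role to assume for S3 access (an identifier, not a credential).'`. The same declaration is added in release-changelog.yml, release-spec-v1.yml and release-spec.yml.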
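Review bot: Nothing checks the value before it reaches `role-to-assume` in the `aws configure` step of generate-openapi.yml. An unset repository variable expands to an empty string in the caller, and `required: true` may not reject an empty string (inferred; worth confirming). A short guard step ahead of `aws configure` would fail the job with a clear message instead of leaving the credentials action to decide what to do without a role. The guard passes the value through `env` so it is never interpolated into the script. The same applies to the `aws configure` steps in release-changelog.yml and release-spec-v1.yml; the job body continues outside the hunk.

```yaml
# … unchanged: earlier steps of the job …
- name: check role input
  env:
    ROLE_TO_ASSUME: ${{ inputs.aws_s3_role_to_assume }}
  run: |
    if [ -z "$ROLE_TO_ASSUME" ]; then
      echo "aws_s3_role_to_assume is empty" >&2
      exit 1
    fi
- name: aws configure
# … unchanged: uses/with of the aws configure step …
```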
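Review bot: In release-changelog.yml the empty separator line before `permissions:` is removed and replaced by two added lines that appear to be whitespace-only. That would leave trailing whitespace in the file (yamllint `trailing-spaces`) and adds unrelated noise to a hunk that is otherwise about moving the role from `secrets` to `inputs`. Keeping the original single empty line would avoid both.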
@@ -51,11 +51,11 @@ jobs: uses: ./.github/workflows/release-spec.yml secrets: api_bot_pat: ${{ secrets.API_BOT_PAT }} - aws_s3_role_to_assume: ${{ secrets.aws_s3_role_to_assume }} jira_api_token: ${{ secrets.JIRA_API_TOKEN }} with: aws_default_region: ${{ vars.AWS_DEFAULT_REGION}} aws_s3_bucket: ${{ vars.S3_BUCKET_DEV}} + aws_s3_role_to_assume: ${{ vars.AWS_S3_ROLE_TO_ASSUME }} env: dev branch: dev spectral_version: ${{ vars.SPECTRAL_VERSION }} @@ -68,10 +68,10 @@ jobs: uses: ./.github/workflows/release-spec.yml secrets: api_bot_pat: ${{ secrets.API_BOT_PAT }} - aws_s3_role_to_assume: ${{ secrets.aws_s3_role_to_assume }} jira_api_token: ${{ secrets.JIRA_API_TOKEN }} with: aws_default_region: ${{ vars.AWS_DEFAULT_REGION}} + aws_s3_role_to_assume: ${{ vars.AWS_S3_ROLE_TO_ASSUME }} aws_s3_bucket: ${{ vars.S3_BUCKET_QA}} env: qa branch: qa @@ -85,10 +85,10 @@ jobs: uses: ./.github/workflows/release-spec.yml secrets: api_bot_pat: ${{ secrets.API_BOT_PAT }} - aws_s3_role_to_assume: ${{ secrets.aws_s3_role_to_assume }} jira_api_token: ${{ secrets.JIRA_API_TOKEN }} with: aws_default_region: ${{ vars.AWS_DEFAULT_REGION}} + aws_s3_role_to_assume: ${{ vars.AWS_S3_ROLE_TO_ASSUME }} aws_s3_bucket: ${{ vars.S3_BUCKET_STAGING}} env: stage branch: staging @@ -102,12 +102,12 @@ jobs: uses: ./.github/workflows/release-spec.yml secrets: api_bot_pat: ${{ secrets.API_BOT_PAT }} - aws_s3_role_to_assume: ${{ secrets.aws_s3_role_to_assume }} postman_api_key: ${{ secrets.POSTMAN_API_KEY }} workspace_id: ${{ secrets.WORKSPACE_ID }} jira_api_token: ${{ secrets.JIRA_API_TOKEN }} with: aws_default_region: ${{ vars.AWS_DEFAULT_REGION}} + aws_s3_role_to_assume: ${{ vars.AWS_S3_ROLE_TO_ASSUME }} aws_s3_bucket: ${{ vars.S3_BUCKET_PROD}} env: prod branch: main 
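Review bot: The dev call passes `aws_s3_role_to_assume: ${{ vars.AWS_S3_ROLE_TO_ASSUME }}`, and the qa, staging and prod calls (hunks at -68, -85, -102 and -122) pass the same variable while each uses a different bucket variable. As written, one IAM role has to reach every bucket, so a dev or qa run holds the same AWS permissions as a prod release. Now that the value is a plain variable, per-environment roles are cheap to wire in, e.g. `aws_s3_role_to_assume: ${{ vars.AWS_S3_ROLE_TO_ASSUME_DEV }}` (placeholder name), with each role scoped to its own bucket. If a single shared role is intentional, a comment above the `with:` blocks saying so would help the next reviewer.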
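Review bot: The new key is placed between `aws_default_region` and `aws_s3_bucket` in this hunk and in the -85, -102 and -122 hunks, but after `aws_s3_bucket` in the -51 hunk. Using one position in every `with:` block keeps the five calls visually comparable, which matters when checking that each environment gets the intended role and bucket.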
@@ -122,10 +122,10 @@ jobs: uses: ./.github/workflows/release-spec-v1.yml secrets: api_bot_pat: ${{ secrets.API_BOT_PAT }} - aws_s3_role_to_assume: ${{ secrets.aws_s3_role_to_assume }} mms_deployed_sha_url: ${{ secrets.MMS_DEPLOYED_SHA_URL_PROD }} with: aws_default_region: ${{ vars.AWS_DEFAULT_REGION}} + aws_s3_role_to_assume: ${{ vars.AWS_S3_ROLE_TO_ASSUME }} aws_s3_bucket: ${{ vars.S3_BUCKET_PROD}} env: prod branch: main diff --git a/.github/workflows/release-spec-v1.yml b/.github/workflows/release-spec-v1.yml index d5ea16a229..6e83da4ffe 100644 --- a/.github/workflows/release-spec-v1.yml +++ b/.github/workflows/release-spec-v1.yml @@ -18,11 +18,13 @@ on: description: 'Branch to release the OpenAPI Spec to.' required: true type: string + aws_s3_role_to_assume: + description: 'AWS S3 Role to Assume.' + required: true + type: string secrets: # all secrets are passed explicitly in this workflow api_bot_pat: required: true - aws_s3_role_to_assume: - required: true mms_deployed_sha_url: required: true @@ -39,7 +41,7 @@ jobs: - name: aws configure uses: aws-actions/configure-aws-credentials@v4 with: - role-to-assume: ${{ secrets.aws_s3_role_to_assume }} + role-to-assume: ${{ inputs.aws_s3_role_to_assume }} aws-region: ${{inputs.aws_default_region}} - name: Download v1 Spec env: diff --git a/.github/workflows/release-spec.yml b/.github/workflows/release-spec.yml index 10665366cb..c948f36ef6 100644 --- a/.github/workflows/release-spec.yml +++ b/.github/workflows/release-spec.yml @@ -30,6 +30,10 @@ on: description: 'Base URL of Atlas.' required: false type: string + aws_s3_role_to_assume: + description: 'AWS S3 Role to Assume.' + required: true + type: string secrets: # all secrets are passed explicitly in this workflow api_bot_pat: required: true @@ -39,8 +43,6 @@ on: required: false jira_api_token: required: true - aws_s3_role_to_assume: - required: true permissions: contents: write 
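Review bot: Removing the `aws_s3_role_to_assume` secret and adding a `required: true` input of the same name changes the `workflow_call` interface of release-spec-v1.yml, and likewise of release-spec.yml, generate-openapi.yml and release-changelog.yml. The only callers updated in this diff are release-spec-runner.yml and release-spec.yml. Any other workflow that still passes `secrets.aws_s3_role_to_assume` to one of these files would fail at call time, so a repository-wide search for the four file names under `uses:` is worth doing before merge. The callers are outside the visible hunks, so this is a check to make rather than a confirmed break.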
@@ -53,10 +55,10 @@ jobs: uses: ./.github/workflows/generate-openapi.yml secrets: api_bot_pat: ${{ secrets.api_bot_pat }} - aws_s3_role_to_assume: ${{ secrets.aws_s3_role_to_assume }} with: aws_default_region: ${{ inputs.aws_default_region}} aws_s3_bucket: ${{ inputs.aws_s3_bucket}} + aws_s3_role_to_assume: ${{ inputs.aws_s3_role_to_assume }} env: ${{ inputs.env }} foascli_version: ${{ inputs.foascli_version }} @@ -168,9 +170,9 @@ jobs: uses: ./.github/workflows/release-changelog.yml secrets: api_bot_pat: ${{ secrets.api_bot_pat }} - aws_s3_role_to_assume: ${{ secrets.aws_s3_role_to_assume }} with: aws_default_region: ${{ inputs.aws_default_region}} + aws_s3_role_to_assume: ${{ inputs.aws_s3_role_to_assume }} aws_s3_bucket: ${{ inputs.aws_s3_bucket}} env: ${{ inputs.env }} branch: ${{ inputs.branch }}