Part of plan #15. Phase 2 — Secure Credential Model (OIDC).
Problem
The action today relies on AWS access keys surfaced via secrets.AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY in the consumer's workflow. Static keys:
- Don't rotate unless a human remembers.
- Require human-managed secret storage (permanent attack surface).
- Can't be tied to a specific repo / branch / environment.
Target
Consumers opt into GitHub OIDC: the workflow presents a short-lived, GitHub-signed JWT to STS (AssumeRoleWithWebIdentity) and receives temporary credentials for a role whose trust policy is pinned to the exact repo + branch (or environment) via the token's sub claim. No static keys on the runner side.
Action-side changes
Almost none. @aws-sdk/client-ec2 (landed in Phase 1) reads credentials from the environment by default: the SDK's default provider chain picks up AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN. aws-actions/configure-aws-credentials@v6 already exports all three into the env when role-to-assume is used, so the action keeps reading from env and works transparently. The one thing to check is that nothing in the action copies only the key ID and secret: STS-issued credentials are invalid without the session token.
What this issue covers is mostly documentation + a reference Terraform module:
- README.md: add an "OIDC setup" section with an example aws_iam_role (trust relationship to token.actions.githubusercontent.com, with conditions on the aud and sub claims so that only the intended repo and branch can assume it) and a minimal EC2 policy.
- Workflow snippet showing permissions: id-token: write and role-to-assume: arn:aws:iam::<account>:role/github-runner.
- Minimal IAM permission list for the runner role:
  - ec2:RunInstances, ec2:TerminateInstances on the specific AMI / subnet / SG (plus the instance, volume and network-interface wildcards RunInstances needs). ec2:DescribeImages and ec2:DescribeInstances do not support resource-level permissions and have to be granted on Resource "*".
  - iam:PassRole scoped to the role behind the instance profile (PassRole's resource is the role ARN, not the instance profile ARN).
  - ec2:CreateTags on runner instances.
  - ec2:AssociateAddress if eip-allocation-id is used.
Optionally: explicit input role-to-assume that the action wires through configure-aws-credentials internally, removing the consumer's need to call it separately. This is a convenience and can be a follow-up.
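A reference shape for that Terraform module, written here as an added example rather than taken from the action or from terraform-provider-namecheap. The account ID, repo name and the role name github-runner are from this issue; the region, branch, AMI / subnet / SG IDs, the instance role ARN and the runner tag key are placeholders and would be replaced per consumer.

```hcl
# Added reference module, not the action's own code. Account, repo and role name
# come from the issue; everything marked placeholder / assumed below is invented.
locals {
  account           = "699717368611"
  region            = "us-east-1"                               # assumed
  repo              = "namecheap/terraform-provider-namecheap"
  ref               = "refs/heads/main"                         # assumed branch
  ami_id            = "ami-0123456789abcdef0"                   # placeholder
  subnet_id         = "subnet-0123456789abcdef0"                # placeholder
  sg_id             = "sg-0123456789abcdef0"                    # placeholder
  instance_role_arn = "arn:aws:iam::699717368611:role/ec2-runner-instance" # placeholder
  ec2_arn           = "arn:aws:ec2:${local.region}:${local.account}"
}

# GitHub's OIDC provider. AWS has trusted GitHub's issuing CA directly since 2023,
# so the thumbprint no longer gates trust; the documented value is kept for the argument.
resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"]
}

# Trust policy. aud rejects tokens minted for another audience; sub is what pins
# the role to one repo + branch. Without the sub condition any github.com repo could assume it.
data "aws_iam_policy_document" "github_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${local.repo}:ref:${local.ref}"]
    }
  }
}

resource "aws_iam_role" "github_runner" {
  name               = "github-runner"
  assume_role_policy = data.aws_iam_policy_document.github_trust.json
}

data "aws_iam_policy_document" "runner" {
  # ec2:Describe* has no resource-level permissions; "*" is the only valid scope.
  statement {
    actions   = ["ec2:DescribeImages", "ec2:DescribeInstances"]
    resources = ["*"]
  }
  # RunInstances is pinned to the approved AMI, subnet and SG; the wildcards
  # cover the instance, root volume and ENI that EC2 creates during launch.
  statement {
    actions = ["ec2:RunInstances"]
    resources = [
      "arn:aws:ec2:${local.region}::image/${local.ami_id}",
      "${local.ec2_arn}:subnet/${local.subnet_id}",
      "${local.ec2_arn}:security-group/${local.sg_id}",
      "${local.ec2_arn}:instance/*",
      "${local.ec2_arn}:volume/*",
      "${local.ec2_arn}:network-interface/*",
    ]
  }
  # Tags may only be written as part of RunInstances, so the role cannot re-label
  # existing instances to pull them into its termination scope.
  statement {
    actions   = ["ec2:CreateTags"]
    resources = ["${local.ec2_arn}:instance/*"]
    condition {
      test     = "StringEquals"
      variable = "ec2:CreateAction"
      values   = ["RunInstances"]
    }
  }
  # Termination limited to instances carrying the runner tag (assumed key/value).
  statement {
    actions   = ["ec2:TerminateInstances"]
    resources = ["${local.ec2_arn}:instance/*"]
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/github-runner"
      values   = ["true"]
    }
  }
  # PassRole targets the IAM role behind the instance profile, not the profile ARN.
  statement {
    actions   = ["iam:PassRole"]
    resources = [local.instance_role_arn]
  }
}

resource "aws_iam_role_policy" "runner" {
  role   = aws_iam_role.github_runner.id
  policy = data.aws_iam_policy_document.runner.json
}
```

Two things to watch when adapting this. A pull_request-triggered job carries sub repo:<owner>/<repo>:pull_request rather than a ref: value, so a branch-pinned trust policy rejects it; if ci.yml runs the EC2 jobs on PRs, add that sub (or an environment-based sub) as a second value rather than loosening to StringLike with a trailing wildcard. And the ec2:CreateTags statement assumes the action tags instances only at launch via a tag specification; if it tags after RunInstances, the ec2:CreateAction condition has to go and the termination tag becomes a weaker boundary.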
Consumer migration impact
For terraform-provider-namecheap:
- New IAM role in account 699717368611 trusting token.actions.githubusercontent.com for the namecheap/terraform-provider-namecheap repo.
- ci.yml: replace the two configure-aws-credentials blocks' static-key inputs with role-to-assume. Add permissions: id-token: write to start-runner and stop-runner.
- Delete the AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY secrets after rollout.
Acceptance criteria
- README.md has an "OIDC setup (preferred)" section with Terraform + workflow snippets.
- terraform-provider-namecheap migrated end-to-end as a proof-point.