diff --git a/.github/workflows/mirror.yml b/.github/workflows/mirror.yml
index 29543b592..a8d5f9eeb 100644
--- a/.github/workflows/mirror.yml
+++ b/.github/workflows/mirror.yml
@@ -28,16 +28,20 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write
     steps:
       - id: strip
         run: |
           TAG=${{ matrix.src }}
           echo "dst=${TAG##*/}" >> $GITHUB_OUTPUT
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{ secrets.PROD_AWS_ROLE }}
+          aws-region: us-east-1
       - uses: docker/login-action@v2
         with:
           registry: public.ecr.aws
-          username: ${{ secrets.PROD_ACCESS_KEY_ID }}
-          password: ${{ secrets.PROD_SECRET_ACCESS_KEY }}
       - uses: docker/login-action@v2
         with:
           registry: ghcr.io