diff --git a/.github/workflows/mirror.yml b/.github/workflows/mirror.yml
index a720d25e9..6125728be 100644
--- a/.github/workflows/mirror.yml
+++ b/.github/workflows/mirror.yml
@@ -4,7 +4,7 @@ on:
  workflow_dispatch:
  inputs:
  version:
- description: "Image tag"
+ description: 'Image tag'
  required: true
  type: string
 
@@ -14,12 +14,16 @@ jobs:
  permissions:
  contents: read
  packages: write
+ id-token: write
  steps:
+ - name: configure aws credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ role-to-assume: ${{ secrets.PROD_AWS_ROLE }}
+ aws-region: 'us-east-1'
  - uses: docker/login-action@v2
  with:
  registry: public.ecr.aws
- username: ${{ secrets.PROD_ACCESS_KEY_ID }}
- password: ${{ secrets.PROD_SECRET_ACCESS_KEY }}
  - uses: docker/login-action@v2
  with:
  registry: ghcr.io
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1b75eb375..e41c03d70 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -44,6 +44,7 @@ jobs:
  permissions:
  contents: read
  packages: write
+ id-token: write
  steps:
  - id: meta
  uses: docker/metadata-action@v4
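Review bot: In the second mirror.yml hunk, `aws-actions/configure-aws-credentials@v1` is referenced by a movable tag in a job that now holds `id-token: write` and assumes the role in `PROD_AWS_ROLE`, so whatever commit that tag resolves to at run time receives the production session. Pin the action to a full commit SHA and keep the tag as a trailing comment, `uses: aws-actions/configure-aws-credentials@<full-commit-sha>  # v1`. The same applies to the two `configure aws credentials` steps added in the second release.yml hunk, and the `docker/login-action@v2` steps that consume those credentials would benefit from the same pinning.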
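Review bot: The `id-token: write` added in the first release.yml hunk is granted to the whole job, of which only the `docker/metadata-action@v4` step is visible here, so every step in that job can request an OIDC token. With the static keys gone, what limits who can assume `DEV_AWS_ROLE` and `PROD_AWS_ROLE` is the IAM trust policy, which is not part of this diff. Document that dependency next to the permission, for example `# id-token: write is needed for OIDC role assumption; the role trust policy must restrict the token's sub claim to this repository and the release ref`. The same comment fits the identical line added in mirror.yml, and the trust policy is worth confirming before merge.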
@@ -68,26 +69,32 @@ jobs:
  username: ${{ secrets.DOCKER_USERNAME }}
  password: ${{ secrets.DOCKER_PASSWORD }}
 
- - name: Login to ECR
- uses: docker/login-action@v2
+ - name: configure aws credentials - staging
+ uses: aws-actions/configure-aws-credentials@v1
  with:
- registry: public.ecr.aws
- username: ${{ secrets.PROD_ACCESS_KEY_ID }}
- password: ${{ secrets.PROD_SECRET_ACCESS_KEY }}
+ role-to-assume: ${{ secrets.DEV_AWS_ROLE }}
+ aws-region: 'us-east-1'
 
  - name: Login to ECR account - staging
  uses: docker/login-action@v2
  with:
  registry: 436098097459.dkr.ecr.us-east-1.amazonaws.com
- username: ${{ secrets.DEV_ACCESS_KEY_ID }}
- password: ${{ secrets.DEV_SECRET_ACCESS_KEY }}
+
+ - name: configure aws credentials - prod
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ role-to-assume: ${{ secrets.PROD_AWS_ROLE }}
+ aws-region: 'us-east-1'
+
+ - name: Login to ECR - prod
+ uses: docker/login-action@v2
+ with:
+ registry: public.ecr.aws
 
  - name: Login to ECR account - prod
  uses: docker/login-action@v2
  with:
  registry: 646182064048.dkr.ecr.us-east-1.amazonaws.com
- username: ${{ secrets.PROD_ACCESS_KEY_ID }}
- password: ${{ secrets.PROD_SECRET_ACCESS_KEY }}
 
  - name: Login to GHCR
  uses: docker/login-action@v2
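Review bot: The two `configure aws credentials` steps in this release.yml hunk export the assumed-role session into the job environment, and the prod step replaces the staging one, so the step order is now load-bearing and nothing in the file says so. Before this change the keys were passed only as inputs to the individual login steps; now every step after `configure aws credentials - prod`, including those past the end of the hunk, runs with the prod role's credentials in its environment. Add a comment above the prod step such as `# Replaces the staging credentials in the job environment; every later step runs with the prod role`. Consider also setting `role-duration-seconds` on both steps to the shortest value the push needs, and keeping both roles' policies limited to the ECR actions the job uses.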