Stop Putting AWS Access Keys in GitHub Secrets. Use OIDC Instead.

📰 Dev.to · Neil

Learn how to replace AWS access keys in GitHub Secrets with OIDC for improved security and reduced risk of key exposure.

intermediate Published 7 May 2026
Action Steps
  1. Configure OIDC for GitHub Actions using AWS IAM
  2. Create an OIDC identity provider in AWS
  3. Update GitHub Actions workflows to use OIDC credentials
  4. Test and verify OIDC authentication with AWS services
  5. Rotate and revoke long-lived AWS access keys
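
When verifying the setup (steps 2 to 4), check that the IAM role's trust policy pins both the token audience and the `sub` claim, because a role that trusts the GitHub OIDC provider without a scoped `sub` can be assumed from workflows in other repositories. The auditor below is an added example, not code from the article; it assumes GitHub's default `repo:OWNER/REPO:...` subject format, and the account ID, repository name and finding labels are constructed placeholders.

```python
GITHUB_ISSUER = "token.actions.githubusercontent.com"
AUD_KEY, SUB_KEY = f"{GITHUB_ISSUER}:aud", f"{GITHUB_ISSUER}:sub"
# Constructed placeholder ARN: the account ID is not a real account.
PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_ISSUER}"


def trust_policy(condition):
    """Build a constructed role trust policy with the given Condition block."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition,
    }]}


# Constructed samples: example-org/example-repo is a placeholder repository.
AUD_ONLY = trust_policy({"StringEquals": {AUD_KEY: "sts.amazonaws.com"}})
ANY_REPO = trust_policy({"StringEquals": {AUD_KEY: "sts.amazonaws.com"},
                         "StringLike": {SUB_KEY: "repo:*"}})
SCOPED = trust_policy({"StringEquals": {
    AUD_KEY: "sts.amazonaws.com",
    SUB_KEY: "repo:example-org/example-repo:ref:refs/heads/main"}})


def _values(cond, operator, key):
    """Return the values for key under operator as a list (IAM allows str or list)."""
    v = cond.get(operator, {}).get(key, [])
    return [v] if isinstance(v, str) else list(v)


def audit_trust_policy(policy):
    """Return findings for each Allow statement that trusts the GitHub OIDC provider."""
    findings = []
    for st in policy.get("Statement", []):  # assumes Statement is a list
        principal = st.get("Principal", {})
        fed = principal.get("Federated", "") if isinstance(principal, dict) else ""
        feds = [fed] if isinstance(fed, str) else fed
        if st.get("Effect") != "Allow" or not any(
                f.endswith("oidc-provider/" + GITHUB_ISSUER) for f in feds):
            continue
        cond = st.get("Condition", {})
        if "sts.amazonaws.com" not in _values(cond, "StringEquals", AUD_KEY):
            findings.append("aud-not-pinned")
        like = _values(cond, "StringLike", SUB_KEY)
        if not like and not _values(cond, "StringEquals", SUB_KEY):
            findings.append("sub-missing")  # no repository restriction at all
        for value in like:
            owner_repo = value.split(":")[1] if value.startswith("repo:") else ""
            if "/" not in owner_repo or "*" in owner_repo:
                findings.append(f"sub-too-broad:{value}")
    return findings
```

Feed it the `AssumeRolePolicyDocument` returned by `aws iam get-role` for each role that workflows assume; an empty list means the audience is pinned and the subject names a specific owner and repository.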
Who Needs to Know This

DevOps engineers and developers who use GitHub Actions and AWS services can benefit from this approach to enhance security and simplify key management.

Key Insight

💡 OIDC provides a more secure and manageable alternative to long-lived AWS access keys in GitHub Secrets

Full Article

URL Source: https://dev.to/neil_4e5a9c0f3c99/stop-putting-aws-access-keys-in-github-secrets-use-oidc-instead-5c13

Published Time: 2026-05-07T17:05:14Z

[Neil](https://dev.to/neil_4e5a9c0f3c99)
Posted on May 7

# Stop Putting AWS Access Keys in GitHub Secrets. Use OIDC Instead.

I rotated a leaked AWS access key at 2 AM last year. A contractor had pushed a workflow that printed environment variables for "debugging," GitHub's secret scanner caught it about four minutes later, and by the time I'd revoked the key and audited CloudTrail, I'd lost an hour of sleep I still resent.

That was the night I went all-in on OIDC for GitHub Actions. If you're still using long-lived `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` in your repo secrets, this post is for you. I'll walk through what OIDC actually doe