Stop Putting AWS Access Keys in GitHub Secrets. Use OIDC Instead.
📰 Dev.to · Neil
Learn how to replace AWS access keys in GitHub Secrets with OIDC for improved security and reduced risk of key exposure.
Action Steps
- Configure OIDC for GitHub Actions using AWS IAM
- Create an OIDC identity provider in AWS
- Update GitHub Actions workflows to use OIDC credentials
- Test and verify OIDC authentication with AWS services
- Rotate and revoke long-lived AWS access keys
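An added example for the IAM side of these steps, not code from the original article: a Python check that a role trust policy for GitHub's OIDC provider pins both the `aud` and `sub` claims. The account ID, organization and repository names are constructed placeholders.

```python
ISSUER = "token.actions.githubusercontent.com"  # GitHub Actions OIDC issuer host

def audit_trust_policy(policy):
    """Return findings for Allow statements that trust the GitHub OIDC provider."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, st in enumerate(statements):
        principal = st.get("Principal")
        fed = principal.get("Federated", []) if isinstance(principal, dict) else []
        fed = [fed] if isinstance(fed, str) else fed
        if st.get("Effect") != "Allow" or not any(f.endswith("oidc-provider/" + ISSUER) for f in fed):
            continue  # not a GitHub OIDC trust statement
        subs, auds = [], []
        for op, conds in st.get("Condition", {}).items():
            for key, val in conds.items():
                vals = [val] if isinstance(val, str) else list(val)
                if key.lower() == ISSUER + ":sub":
                    subs += [(op, v) for v in vals]
                elif key.lower() == ISSUER + ":aud":
                    auds += vals
        if "sts.amazonaws.com" not in auds:
            findings.append(f"statement {i}: no aud condition for sts.amazonaws.com")
        if not subs:
            findings.append(f"statement {i}: no sub condition, any GitHub repository can assume this role")
        for op, v in subs:
            parts = v.split(":")  # expected shape: repo:OWNER/REPO:ref:refs/heads/BRANCH
            if len(parts) < 2 or parts[0] != "repo" or "*" in parts[1]:
                findings.append(f"statement {i}: sub '{v}' does not pin a single repository")
            elif "like" in op.lower() and v.endswith(":*"):
                findings.append(f"statement {i}: sub '{v}' matches every branch, tag and pull request")
    return findings

def _policy(condition):
    """Build a constructed sample trust policy around the given Condition block."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/" + ISSUER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}

# Constructed samples: audience only, an organization-wide wildcard, and a pinned branch.
WEAK = _policy({"StringEquals": {ISSUER + ":aud": "sts.amazonaws.com"}})
BROAD = _policy({"StringLike": {ISSUER + ":aud": "sts.amazonaws.com",
                                ISSUER + ":sub": "repo:example-org/*"}})
HARDENED = _policy({"StringEquals": {
    ISSUER + ":aud": "sts.amazonaws.com",
    ISSUER + ":sub": "repo:example-org/example-repo:ref:refs/heads/main"}})

if __name__ == "__main__":
    for name, pol in (("WEAK", WEAK), ("BROAD", BROAD), ("HARDENED", HARDENED)):
        print(name, audit_trust_policy(pol) or "ok")
```

Run it against the `AssumeRolePolicyDocument` of each role a workflow assumes before deleting the old access keys.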
Who Needs to Know This
DevOps engineers and developers who use GitHub Actions and AWS services can benefit from this approach to enhance security and simplify key management.
Key Insight
💡 OIDC provides a more secure and manageable alternative to long-lived AWS access keys in GitHub Secrets
Full Article
URL Source: https://dev.to/neil_4e5a9c0f3c99/stop-putting-aws-access-keys-in-github-secrets-use-oidc-instead-5c13
Published Time: 2026-05-07T17:05:14Z
[Neil](https://dev.to/neil_4e5a9c0f3c99)
Posted on May 7
# Stop Putting AWS Access Keys in GitHub Secrets. Use OIDC Instead.
I rotated a leaked AWS access key at 2 AM last year. A contractor had pushed a workflow that printed environment variables for "debugging," GitHub's secret scanner caught it about four minutes later, and by the time I'd revoked the key and audited CloudTrail, I'd lost an hour of sleep I still resent.
That was the night I went all-in on OIDC for GitHub Actions. If you're still using long-lived `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` in your repo secrets, this post is for you. I'll walk through what OIDC actually doe