
How I Eliminated Static AWS Credentials from GitHub Actions Using OIDC

*Replace long-lived AWS keys in GitHub Actions with repo-scoped OIDC roles for short‑lived, least‑privilege access.*

Engineering resilient systems and seamless delivery pipelines. I bridge the gap between complex code and scalable infrastructure, ensuring high performance is the standard, not the exception.

## The Problem With Static Keys

When you do this in a GitHub Actions workflow:

```yaml
env:
  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
```

You have a long-lived credential that:

- Never rotates automatically
- Has full blast radius if the repo is compromised
- Violates least-privilege by existing at all

I eliminated this entirely for the Damolak Technologies DevOps challenge. Here's the exact implementation.

---

## Step 1 — IAM OIDC Provider (Terraform)

```hcl
resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"]
}
```

---

## Step 2 — Trust Policy Scoped to Your Repo

```json
{
  "Condition": {
    "StringLike": {
      "token.actions.githubusercontent.com:sub": "repo:EdwinJdevops/damolak-challenge:ref:refs/heads/main"
    }
  }
}
```

Only your main branch can assume this role. A fork cannot. A PR branch cannot. Exact scope.
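To see why the `sub` condition above excludes forks and PR branches, here is an added example (not code from the post or the challenge repo) that evaluates a complete version of the Step 2 trust policy against constructed token subjects, using IAM's `StringLike` wildcard semantics. The policy embeds the `aud` check that `aws-actions/configure-aws-credentials` sets to `sts.amazonaws.com`, which a trust policy should pin alongside `sub`; `ACCOUNT_ID` is a placeholder and the scenario subjects are constructed for illustration. It also goes one step beyond the post by showing what an owner-wide wildcard pattern would admit.

```python
"""Evaluate which GitHub OIDC 'sub' claims an IAM trust policy admits.

Added example, not from the original post. The policy is a complete version
of the Step 2 fragment; ACCOUNT_ID is a placeholder and the token subjects
below are constructed for illustration.
"""
import copy
import re

CLAIM_PREFIX = "token.actions.githubusercontent.com:"

# Complete trust policy for the role. Assumption: the provider from Step 1
# lives in the same account (ACCOUNT_ID is a placeholder).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::ACCOUNT_ID:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {CLAIM_PREFIX + "aud": "sts.amazonaws.com"},
                "StringLike": {
                    CLAIM_PREFIX + "sub": "repo:EdwinJdevops/damolak-challenge:ref:refs/heads/main"
                },
            },
        }
    ],
}

# Constructed 'sub' values as GitHub issues them for each workflow trigger.
SCENARIOS = {
    "push to main": "repo:EdwinJdevops/damolak-challenge:ref:refs/heads/main",
    "push to feature branch": "repo:EdwinJdevops/damolak-challenge:ref:refs/heads/feature-x",
    "pull request": "repo:EdwinJdevops/damolak-challenge:pull_request",
    "fork's main branch": "repo:someone-else/damolak-challenge:ref:refs/heads/main",
    "tag push": "repo:EdwinJdevops/damolak-challenge:ref:refs/tags/v1.0.0",
}


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive, '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def statement_matches(stmt: dict, claims: dict) -> bool:
    """True if this Allow statement's conditions all hold for the token claims."""
    if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
        return False
    for operator, tests in stmt.get("Condition", {}).items():
        for key, expected in tests.items():
            actual = claims.get(key.removeprefix(CLAIM_PREFIX))
            allowed = expected if isinstance(expected, list) else [expected]
            if actual is None:
                return False  # a missing claim never satisfies a condition
            if operator == "StringEquals" and actual not in allowed:
                return False
            if operator == "StringLike" and not any(string_like(p, actual) for p in allowed):
                return False
            if operator not in ("StringEquals", "StringLike"):
                return False  # unsupported operator here: fail closed
    return True


def trust_policy_admits(policy: dict, claims: dict) -> bool:
    """True if any statement in the trust policy lets this token assume the role."""
    return any(statement_matches(s, claims) for s in policy["Statement"])


def evaluate(policy: dict = TRUST_POLICY, aud: str = "sts.amazonaws.com") -> dict:
    """Map each scenario name to whether its token could assume the role."""
    return {name: trust_policy_admits(policy, {"aud": aud, "sub": sub})
            for name, sub in SCENARIOS.items()}


def with_sub_pattern(policy: dict, sub_pattern: str) -> dict:
    """Copy of the policy with a different 'sub' pattern, to compare scopes."""
    widened = copy.deepcopy(policy)
    widened["Statement"][0]["Condition"]["StringLike"][CLAIM_PREFIX + "sub"] = sub_pattern
    return widened


if __name__ == "__main__":
    for name, admitted in evaluate().items():
        print(f"{name:24s} -> {'can assume' if admitted else 'denied'}")
    print("--- with repo:EdwinJdevops/* ---")
    for name, admitted in evaluate(with_sub_pattern(TRUST_POLICY, "repo:EdwinJdevops/*")).items():
        print(f"{name:24s} -> {'can assume' if admitted else 'denied'}")
```

With the post's exact pattern only the "push to main" subject is admitted; swapping in `repo:EdwinJdevops/*` admits every branch, tag and pull request in every repo under that owner, which is the scope creep a per-branch `sub` condition prevents.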

---

## Step 3 — GitHub Actions Workflow

```yaml
permissions:
  id-token: write
  contents: read

# inside jobs.<job_id>
steps:
  - name: Configure AWS credentials
    uses: aws-actions/configure-aws-credentials@v4
    with:
      role-to-assume: arn:aws:iam::ACCOUNT_ID:role/github-actions-role
      aws-region: us-east-1
```

Token lives for 15 minutes. No secrets stored anywhere.

---

## The Full Pipeline

OIDC auth → ECR login → Docker build + push → ECS Fargate rolling deploy → ALB health check

33 AWS resources provisioned by Terraform. Live endpoint behind ALB. Zero static credentials in the entire stack.

---

## Why This Matters

Every GitHub Actions tutorial shows you the static key approach because it's faster to explain. It's also how pipelines get breached.

OIDC costs you 10 extra minutes of setup. It eliminates an entire attack surface permanently.

Full repo: github.com/EdwinJdevops/damolak-challenge

---

Built in Lagos. No excuses.


Edwin Jonathan | DevOps & Cloud Engineer

I build production-grade cloud infrastructure from Lagos, Nigeria.

My work: ARCHNET (Zero-Trust IDP on Kubernetes with ArgoCD, Prometheus, Grafana, Loki, Sealed-Secrets) and a live ECS Fargate pipeline for a client challenge — 33 AWS resources via Terraform, OIDC-authenticated GitHub Actions, zero static credentials. Currently building SENTINEL — a free self-hosted Kubernetes security posture engine benchmarked against NSA/CISA standards.