AWS OIDC Trust — GitHub Actions
Status: Active
AWS Account: 521228113048
Provider created: 2025-10-05 15:08 UTC
Last verified: 2026-05-17 UTC
Owner: ops (raxx-ops-bot)
Closes: #1836
Provider details
| Field | Value |
|---|---|
| Provider ARN | arn:aws:iam::521228113048:oidc-provider/token.actions.githubusercontent.com |
| Issuer URL | https://token.actions.githubusercontent.com |
| Audience (aud) | sts.amazonaws.com |
| Thumbprint | 6938fd4d98bab03faadb97b34396831e3780aea1 |
Thumbprint note
AWS added GitHub's OIDC issuer to its managed root-CA trust store in late 2025. For accounts where that trust is active, the thumbprint list is advisory — AWS will accept GitHub tokens even if the leaf cert rotates. The thumbprint above matches the value in AWS documentation at time of creation and was re-verified 2026-05-17. Do not remove it from the provider definition; leaving it pinned is harmless and keeps the provider self-describing.
Trust policy template
Every downstream IAM role that accepts GitHub Actions tokens copies this trust policy. Replace <ROLE_NAME> and the sub condition to match the specific repo path and ref required for that role.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GitHubActionsOIDC",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::521228113048:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:raxx-app/TradeMasterAPI:*"
        }
      }
    }
  ]
}
```
Restricting to the main branch only (recommended for prod roles)
Replace the StringLike condition with StringEquals and pin to the ref:
```json
"StringEquals": {
  "token.actions.githubusercontent.com:sub": "repo:raxx-app/TradeMasterAPI:ref:refs/heads/main"
}
```
Restricting to a specific workflow
```json
"StringEquals": {
  "token.actions.githubusercontent.com:sub": "repo:raxx-app/TradeMasterAPI:workflow:terraform-apply"
}
```
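To see what each condition variant actually admits, here is an added example (not part of this card or the AWS tooling) that models IAM's StringEquals/StringLike evaluation and runs the template's repo-wide wildcard and the main-only pin against constructed sub/aud claim sets. It is a simplified model of the condition logic, not the IAM engine; the claim values are constructed to mirror GitHub's sub format.

```python
import re

# IAM condition keys used by the trust policy on this card
AUD_KEY = "token.actions.githubusercontent.com:aud"
SUB_KEY = "token.actions.githubusercontent.com:sub"

def _like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run of characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None

def condition_allows(condition: dict, claims: dict) -> bool:
    """Evaluate a Condition block (StringEquals / StringLike only) against the
    claims of a GitHub OIDC token. Every operator and key must match (AND);
    a key absent from the token never satisfies a String* operator."""
    for operator, keys in condition.items():
        if operator not in ("StringEquals", "StringLike"):
            raise ValueError(f"unsupported operator {operator}")
        for key, expected in keys.items():
            actual = claims.get(key)
            if actual is None:
                return False
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringLike" and not _like(expected, actual):
                return False
    return True

# Condition from the template above (repo-wide wildcard) ...
REPO_WIDE = {
    "StringEquals": {AUD_KEY: "sts.amazonaws.com"},
    "StringLike": {SUB_KEY: "repo:raxx-app/TradeMasterAPI:*"},
}
# ... and the main-only pin recommended for prod roles
MAIN_ONLY = {
    "StringEquals": {AUD_KEY: "sts.amazonaws.com",
                     SUB_KEY: "repo:raxx-app/TradeMasterAPI:ref:refs/heads/main"},
}

def token_claims(sub: str, aud: str = "sts.amazonaws.com") -> dict:
    """Constructed claim set standing in for the relevant fields of a real token."""
    return {AUD_KEY: aud, SUB_KEY: sub}

if __name__ == "__main__":
    for sub in ("repo:raxx-app/TradeMasterAPI:ref:refs/heads/main",
                "repo:raxx-app/TradeMasterAPI:ref:refs/heads/feature-x",
                "repo:raxx-app/TradeMasterAPI:pull_request",
                "repo:raxx-app/OtherRepo:ref:refs/heads/main"):
        c = token_claims(sub)
        print(f"{sub:55} repo-wide={condition_allows(REPO_WIDE, c)!s:5} "
              f"main-only={condition_allows(MAIN_ONLY, c)}")
```

The wildcard template admits any ref and any pull_request token from the repo, which is why prod roles should carry the pinned StringEquals form instead.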
How to wire this into a GH Actions workflow
Use aws-actions/configure-aws-credentials@v4. The role ARN for each per-root role lives in Infisical (see "Downstream roles" below). Reference via environment variable; do not inline in workflow YAML.
```yaml
permissions:
  id-token: write   # required — allows the job to request an OIDC token
  contents: read
steps:
  - name: Configure AWS credentials
    uses: aws-actions/configure-aws-credentials@v4
    with:
      role-to-assume: ${{ secrets.RAXX_GH_ACTIONS_TF_APPLY_ROLE_ARN }}
      role-session-name: gh-actions-${{ github.run_id }}
      aws-region: us-east-1
```
permissions.id-token: write must be set at the job level (or workflow level). Without it the OIDC token is not issued and AssumeRoleWithWebIdentity returns an empty credential error.
Downstream roles
Each downstream card (#1834-C through #1834-K) creates one IAM role that trusts this provider. When a role is created its ARN is stored in Infisical at the path below. Workflow files reference the secret by name via ${{ secrets.* }}.
| Role name (planned) | Infisical path | Card |
|---|---|---|
| raxx-gh-actions-tf-apply | /raxx/aws/iam/RAXX_GH_ACTIONS_TF_APPLY_ROLE_ARN | #1834-C |
| (subsequent roles to be added as cards land) | | #1834-D through #1834-K |
Infisical paths follow the /raxx/aws/iam/<VAR_NAME> convention. Role ARNs are not secrets in the cryptographic sense but must not be inlined in workflow YAML or committed to the repo; they are environment-specific and may change if a role is recreated.
Verification procedure
Run this from an operator machine with a short-lived assume to confirm the trust works before any per-root role is used in CI:
```shell
# 1. Confirm provider exists
aws iam list-open-id-connect-providers

# 2. Confirm thumbprint
aws iam get-open-id-connect-provider \
  --open-id-connect-provider-arn \
  arn:aws:iam::521228113048:oidc-provider/token.actions.githubusercontent.com

# 3. End-to-end smoke (requires a role that trusts this provider to already exist):
aws sts assume-role-with-web-identity \
  --role-arn <ROLE_ARN> \
  --role-session-name smoke-test \
  --web-identity-token <OIDC_TOKEN_FROM_GH_ACTIONS>
```
The end-to-end smoke runs inside an Actions job; the OIDC token is not accessible from the operator machine. Step 3 is verified automatically when the first per-root role card runs its CI job.
What this card does NOT do
- Does not create any per-root IAM role (those are cards #1834-C through #1834-K)
- Does not write any workflow YAML
- Does not touch Infisical or SSM (no workload secret movement)
- Does not modify the existing claude-infisical-bootstrap IAM user
References
- Epic: #1834
- This card: #1836
- AWS docs: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html
- GH docs: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
- aws-actions/configure-aws-credentials: https://github.com/aws-actions/configure-aws-credentials