Raxx · internal docs


AWS OIDC Trust — GitHub Actions

Status: Active
AWS Account: 521228113048
Provider created: 2025-10-05 15:08 UTC
Last verified: 2026-05-17 UTC
Owner: ops (raxx-ops-bot)
Closes: #1836


Provider details

Field            Value
Provider ARN     arn:aws:iam::521228113048:oidc-provider/token.actions.githubusercontent.com
Issuer URL       https://token.actions.githubusercontent.com
Audience (aud)   sts.amazonaws.com
Thumbprint       6938fd4d98bab03faadb97b34396831e3780aea1

Thumbprint note

AWS added GitHub's OIDC issuer to its managed root-CA trust store in late 2025. For accounts where that trust is active, the thumbprint list is advisory — AWS will accept GitHub tokens even if the leaf cert rotates. The thumbprint above matches the value in AWS documentation at time of creation and was re-verified 2026-05-17. Do not remove it from the provider definition; leaving it pinned is harmless and keeps the provider self-describing.


Trust policy template

Every downstream IAM role that accepts GitHub Actions tokens copies this trust policy. The role name itself is chosen when the role is created; inside the policy, adjust the sub condition to match the specific repo path and ref required for that role. As written, the StringLike wildcard admits every ref in the repo (any branch or tag, and pull_request runs), so narrow it for any role that does more than read.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GitHubActionsOIDC",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::521228113048:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:raxx-app/TradeMasterAPI:*"
        }
      }
    }
  ]
}

Pinning to a branch

Replace the StringLike condition with StringEquals and pin to the ref:

"StringEquals": {
  "token.actions.githubusercontent.com:sub": "repo:raxx-app/TradeMasterAPI:ref:refs/heads/main"
}

Restricting to a specific workflow

GitHub's default sub claim does not carry the workflow name, so this form only matches when the repository's OIDC sub-claim customization includes the workflow claim; without that customization the sub never matches and the role cannot be assumed at all.

"StringEquals": {
  "token.actions.githubusercontent.com:sub": "repo:raxx-app/TradeMasterAPI:workflow:terraform-apply"
}
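To make the difference between the variants above concrete, the following Python is an added illustration (not part of this card or of any Raxx tooling): it evaluates the Condition blocks against constructed sample GitHub token claims using an approximation of IAM's StringEquals/StringLike semantics and reports which runs each variant would admit. The MISSING_COLON variant and all sample tokens are constructed for contrast.

```python
import re
# Condition blocks reproduced from the trust-policy variants on this page.
_ISS = "token.actions.githubusercontent.com"
REPO_WILDCARD = {
    "StringEquals": {f"{_ISS}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{_ISS}:sub": "repo:raxx-app/TradeMasterAPI:*"},
}
PINNED_TO_MAIN = {
    "StringEquals": {f"{_ISS}:aud": "sts.amazonaws.com",
                     f"{_ISS}:sub": "repo:raxx-app/TradeMasterAPI:ref:refs/heads/main"},
}
# Constructed mistake for contrast: no colon before '*', so sibling repos also match.
MISSING_COLON = {
    "StringEquals": {f"{_ISS}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{_ISS}:sub": "repo:raxx-app/TradeMasterAPI*"},
}

def _string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' is any run of characters, '?' one character, the rest literal
    and case-sensitive (no [...] classes, unlike shell globs)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def condition_allows(condition: dict, claims: dict) -> bool:
    """Evaluate a trust-policy Condition against a GitHub OIDC token's claims. IAM ANDs
    every operator and key, ORs several values for one key, and a missing claim fails closed."""
    for operator, keys in condition.items():
        match = _string_like if operator == "StringLike" else str.__eq__
        for key, allowed in keys.items():
            value = claims.get(key.split(":", 1)[1])   # "<issuer>:sub" -> "sub"
            if value is None:
                return False
            candidates = allowed if isinstance(allowed, list) else [allowed]
            if not any(match(p, value) for p in candidates):
                return False
    return True

# Constructed sample tokens (aud and sub only), shaped like GitHub's default sub claim.
TOKENS = {
    "push_main":    {"aud": "sts.amazonaws.com", "sub": "repo:raxx-app/TradeMasterAPI:ref:refs/heads/main"},
    "push_feature": {"aud": "sts.amazonaws.com", "sub": "repo:raxx-app/TradeMasterAPI:ref:refs/heads/feature-x"},
    "pull_request": {"aud": "sts.amazonaws.com", "sub": "repo:raxx-app/TradeMasterAPI:pull_request"},
    "sibling_repo": {"aud": "sts.amazonaws.com", "sub": "repo:raxx-app/TradeMasterAPI-sandbox:ref:refs/heads/main"},
    "wrong_aud":    {"aud": "https://github.com/raxx-app", "sub": "repo:raxx-app/TradeMasterAPI:ref:refs/heads/main"},
}

def who_can_assume(condition: dict) -> list[str]:
    """Names of the sample tokens that the given Condition would let assume the role."""
    return [name for name, claims in TOKENS.items() if condition_allows(condition, claims)]
```

Running who_can_assume over the three variants shows the page's wildcard admitting pushes to any branch and pull_request runs, the pinned form admitting only main, and the missing-colon form additionally admitting the sibling repository.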

How to wire this into a GH Actions workflow

Use aws-actions/configure-aws-credentials@v4. The role ARN for each per-root role lives in Infisical (see "Downstream roles" below). Reference it from the workflow via ${{ secrets.* }}; do not inline the ARN in workflow YAML.

permissions:
  id-token: write   # required — allows the job to request an OIDC token
  contents: read

steps:
  - name: Configure AWS credentials
    uses: aws-actions/configure-aws-credentials@v4
    with:
      role-to-assume: ${{ secrets.RAXX_GH_ACTIONS_TF_APPLY_ROLE_ARN }}
      role-session-name: gh-actions-${{ github.run_id }}
      aws-region: us-east-1

permissions.id-token: write must be set at the job level (or workflow level). Without it the OIDC token is not issued and AssumeRoleWithWebIdentity returns an empty credential error.


Downstream roles

Each downstream card (#1834-C through #1834-K) creates one IAM role that trusts this provider. When a role is created its ARN is stored in Infisical at the path below. Workflow files reference the secret by name via ${{ secrets.* }}.

Role name (planned)                             Infisical path                                      Card
raxx-gh-actions-tf-apply                        /raxx/aws/iam/RAXX_GH_ACTIONS_TF_APPLY_ROLE_ARN     #1834-C
(subsequent roles to be added as cards land)                                                        #1834-D through #1834-K

Infisical paths follow the /raxx/aws/iam/<VAR_NAME> convention. Role ARNs are not secrets in the cryptographic sense but must not be inlined in workflow YAML or committed to the repo; they are environment-specific and may change if a role is recreated.


Verification procedure

Run steps 1 and 2 from an operator machine using short-lived assumed credentials to confirm the provider is in place before any per-root role is used in CI; step 3 is shown for completeness but only runs inside an Actions job (see below):

# 1. Confirm provider exists
aws iam list-open-id-connect-providers

# 2. Confirm thumbprint and audience (ThumbprintList and ClientIDList in the output)
aws iam get-open-id-connect-provider \
  --open-id-connect-provider-arn \
  arn:aws:iam::521228113048:oidc-provider/token.actions.githubusercontent.com

# 3. End-to-end smoke (requires a role that trusts this provider to already exist):
aws sts assume-role-with-web-identity \
  --role-arn <ROLE_ARN> \
  --role-session-name smoke-test \
  --web-identity-token <OIDC_TOKEN_FROM_GH_ACTIONS>

The end-to-end smoke runs inside an Actions job; the OIDC token is not accessible from the operator machine. Step 3 is verified automatically when the first per-root role card runs its CI job.


What this card does NOT do


References