AWS CLI with OpenID Connect (OIDC)

AWS CLI with OpenID Connect (OIDC) changes that. It gives you a secure, token-based bridge that replaces static AWS credentials with short-lived, verifiable identities. No more long-lived keys sitting in environment variables. No more risky credential sprawl across repos and CI/CD systems.

OIDC lets you trust workloads without hardcoding AWS secrets. The CLI integrates with it to fetch temporary credentials directly from an identity provider. This is how you reduce attack surfaces while keeping full automation speed.

Why use AWS CLI with OIDC

With OIDC, authentication happens without storing AWS access keys. Your identity provider (GitHub Actions, GitLab CI, Okta, or any compatible system) issues a signed identity token. AWS verifies the token's signature against the OIDC provider you registered in IAM and checks its claims against the role's trust policy. The AWS CLI then exchanges that token, through sts:AssumeRoleWithWebIdentity, for short-lived access credentials.

This means:

  • Zero static AWS keys in your pipeline.
  • Automatic credential rotation.
  • Fine-grained IAM policies per identity.

Setting up AWS CLI with OIDC

  1. Create an OIDC identity provider in AWS IAM:
    Use the AWS console or CLI to register your OIDC provider's URL and thumbprint. Specify the audience (the client ID list) that matches the aud claim in your provider's tokens.
  2. Create an IAM role with a trust policy:
    The trust policy should allow sts:AssumeRoleWithWebIdentity for identities that match the OIDC conditions.
  3. Configure your provider:
    In GitHub Actions, use aws-actions/configure-aws-credentials with the role ARN and a role-session-name. The token exchange is handled for you during workflow execution, and later AWS CLI steps pick up the temporary credentials from the environment.
  4. Run AWS CLI commands without permanent keys:
    Every workflow run fetches fresh, temporary credentials via OIDC.

Best practices for AWS CLI OIDC setup

  • Use least privilege IAM roles per CI/CD job.
  • Limit role assumption by OIDC subject and audience.
  • Rotate IAM trust policies when deprecating pipelines.
  • Monitor CloudTrail for AssumeRoleWithWebIdentity events.
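The four setup steps above and the best-practice list, worked through with the AWS CLI as an added example (this is not code from the original post or from hoop.dev). GitHub's issuer host and the sts.amazonaws.com audience are documented values; the account ID, repository, role name and thumbprint are placeholders to replace, the function names (trust_policy, create_provider_and_role, write_cli_profile, flag_unexpected_subjects) are the example's own, and the CloudTrail records at the end are constructed samples, not captured data.

```shell
#!/bin/sh
# Added example, not code from the original post or from hoop.dev.
# Walks the four setup steps with the AWS CLI and adds the CloudTrail check
# from the best-practices list. ISSUER_HOST and AUDIENCE are GitHub's
# documented values; ACCOUNT_ID, GITHUB_REPO, ROLE_NAME and THUMBPRINT are
# placeholders you must replace.
set -eu

ISSUER_HOST="token.actions.githubusercontent.com"       # GitHub Actions OIDC issuer
AUDIENCE="sts.amazonaws.com"                            # aud claim the action requests
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"                # placeholder account id
GITHUB_REPO="${GITHUB_REPO:-example-org/example-repo}"  # placeholder owner/repo
ROLE_NAME="${ROLE_NAME:-ci-deploy-role}"                # placeholder role name

# Step 2: the trust policy. The Condition block is the access control: aud must
# equal the registered audience and sub must match one repo and one branch.
# Omitting the sub condition would let any repository using the same issuer
# assume the role.
trust_policy() {
  repo="$1"; branch="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${ISSUER_HOST}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"${ISSUER_HOST}:aud": "${AUDIENCE}"},
      "StringLike":   {"${ISSUER_HOST}:sub": "repo:${repo}:ref:refs/heads/${branch}"}
    }
  }]
}
EOF
}

# Steps 1 and 2 against a real account: register the provider, then create the
# role with the trust policy above. Needs an admin session; not run by default.
create_provider_and_role() {
  aws iam create-open-id-connect-provider \
    --url "https://${ISSUER_HOST}" \
    --client-id-list "${AUDIENCE}" \
    --thumbprint-list "${THUMBPRINT:?set THUMBPRINT to the SHA-1 thumbprint of the issuer CA certificate}"
  aws iam create-role \
    --role-name "${ROLE_NAME}" \
    --assume-role-policy-document "$(trust_policy "${GITHUB_REPO}" main)"
  # Attach a least-privilege permissions policy for this one job here.
}

# Step 4, the CLI side without the GitHub action: point a profile at the role
# and at a file holding the OIDC token. The CLI then calls
# AssumeRoleWithWebIdentity itself and caches the temporary credentials.
write_cli_profile() {
  token_file="$1"
  session_name="$(printf '%s' "${GITHUB_REPO}" | tr '/' '-')-deploy"
  cat <<EOF
[profile ci-oidc]
role_arn = arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}
web_identity_token_file = ${token_file}
role_session_name = ${session_name}
EOF
}
# Usage: write_cli_profile /path/to/token >> ~/.aws/config
#        aws sts get-caller-identity --profile ci-oidc

# Best practice: monitor who assumes the role. CloudTrail records each
# AssumeRoleWithWebIdentity call; the caller's issuer, audience and subject
# appear in the record's userIdentity.principalId. Pull recent records with:
#   aws cloudtrail lookup-events \
#     --lookup-attributes AttributeKey=EventName,AttributeValue=AssumeRoleWithWebIdentity \
#     --query 'Events[].CloudTrailEvent' --output text
# and feed them, one record per line, to the filter below.

# Constructed sample records: only the fields the filter looks at are included.
SAMPLE_EVENTS='{"eventName":"AssumeRoleWithWebIdentity","userIdentity":{"type":"WebIdentityUser","principalId":"token.actions.githubusercontent.com:sts.amazonaws.com:repo:example-org/example-repo:ref:refs/heads/main"}}
{"eventName":"AssumeRoleWithWebIdentity","userIdentity":{"type":"WebIdentityUser","principalId":"token.actions.githubusercontent.com:sts.amazonaws.com:repo:someone-else/fork:ref:refs/heads/main"}}'

# Print every AssumeRoleWithWebIdentity record whose subject is not the
# expected repository. Anything printed deserves a look at the trust policy.
flag_unexpected_subjects() {
  expected_repo="$1"
  grep 'AssumeRoleWithWebIdentity' | grep -v "repo:${expected_repo}:" || true
}

# Demo run on the constructed sample: prints only the someone-else/fork record.
printf '%s\n' "${SAMPLE_EVENTS}" | flag_unexpected_subjects "${GITHUB_REPO}"
```

The StringLike pattern in trust_policy is deliberately pinned to one branch; a pattern such as `repo:example-org/example-repo:*` would also admit pull-request and tag builds, so widen it only when those workflows genuinely need the role. The filter at the end is a starting point for the CloudTrail monitoring bullet: on real output, a record that is flagged means a token from a subject outside your trust policy's intent was accepted, which usually points at a broader pattern than intended.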

When AWS CLI with OIDC is essential

You need it when automating deployments from third-party CI/CD platforms. You need it when working across multiple AWS accounts without storing static credentials. You need it when compliance demands traceable, short-lived access for non-human entities.

OIDC and speed of delivery

Security isn’t supposed to slow you down. With AWS CLI and OIDC, token exchange happens in milliseconds, letting pipelines deploy at full speed while inheriting AWS’s native security model.

You can see this same model in action at hoop.dev, where you can go from zero to a secure OIDC-powered workflow in minutes. Try it now and watch secure automation click into place at production scale.
