No more AWS keys in GitHub Secrets

GitHub Actions already issues a short-lived OIDC token to every workflow run. Aembit extends this pattern to every pipeline step, every cloud target, and every environment, with a unified policy layer and audit log.

Removing AWS_ACCESS_KEY_ID from your CI pipeline

The GitHub Actions OIDC token identifies the workflow run. Aembit verifies the token's signature and claims and issues scoped, short-lived AWS credentials, so no long-lived keys exist anywhere.

Before
Long-lived keys in GitHub Secrets
.github/workflows/deploy.yml
env:
  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET }}
# rotated quarterly, if at all
# the same IAM user key in every environment
# if leaked: everything that IAM user may do, in every environment, until someone notices and rotates it
1. GitHub issues OIDC token
When a job has permissions: id-token: write, GitHub Actions issues it a per-run OIDC token (a JWT) whose claims name the repository, ref, run ID, actor, and environment (when the job uses one); the aud claim is whatever audience the job requested the token for. The token is signed by GitHub's OIDC provider with a key published in its JWKS, so any relying party can verify it without a shared secret.
iss: https://token.actions.githubusercontent.com
2. Aembit validates and checks policy
Aembit verifies the token's signature against GitHub's published keys and checks issuer, audience, and expiry before evaluating your policy: does this workflow (repo + ref + environment) have permission to deploy to the target environment? Because the policy keys on ref and environment, a feature branch or a pull request in the same repository cannot borrow the production role.
policy: allow ci-deploy-prod if env=production
3. Scoped credentials issued
Aembit issues temporary AWS credentials (an STS session) for a role whose IAM policy holds only the permissions that deployment step needs. The credentials carry a short expiry and stop working when it passes, whether or not the job is still running. STS will not issue a session shorter than 15 minutes, so size the TTL to the step rather than to the whole workflow.
AWS STS session: TTL sized to the step (15 min minimum)
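The three steps above as an added example in Go; this is not Aembit's or GitHub's code. A verifier checks a GitHub Actions token against a JWKS (signature, iss, aud, exp), keys the policy on repository, ref and environment, and returns the role ARN and session length an STS AssumeRole call would be made with. The signing key, the audience https://aembit.example, the acme/web repository, the role ARNs and the policy table are all assumptions constructed for the example; the 15-minute STS minimum session length is AWS's.

```go
// Added example, not Aembit's or GitHub's code: steps 1-3 above as a small verifier.
// Signing key, audience and policy table are constructed locally to stand in for GitHub's JWKS and Aembit's policy store.
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

const (
	githubIssuer = "https://token.actions.githubusercontent.com" // the real iss value
	expectedAud  = "https://aembit.example"                      // hypothetical audience
	sessionTTL   = 15 * time.Minute                              // STS AssumeRole will not go below 900s
)

var b64 = base64.RawURLEncoding

// Claims are the GitHub-controlled fields the policy matches on (sub, run_id, actor omitted).
type Claims struct {
	Iss         string `json:"iss"`
	Aud         string `json:"aud"`
	Repository  string `json:"repository"`
	Ref         string `json:"ref"`
	Environment string `json:"environment"`
	Exp         int64  `json:"exp"`
}

// policy is hypothetical: repo + ref + environment -> role ARN. Anything unlisted is denied.
var policy = map[[3]string]string{
	{"acme/web", "refs/heads/main", "production"}: "arn:aws:iam::123456789012:role/ci-deploy-prod",
	{"acme/web", "refs/heads/main", "staging"}:    "arn:aws:iam::123456789012:role/ci-deploy-staging",
}

// mint stands in for GitHub's OIDC provider (step 1): RS256 over header.payload.
func mint(key *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

// verify is the first half of step 2: kid lookup in the JWKS (kid -> key), signature, then iss, aud and exp.
func verify(token string, keys map[string]*rsa.PublicKey, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	raw, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" || keys[hdr.Kid] == nil {
		return nil, errors.New("bad header, unexpected alg or unknown kid") // the verifier picks alg and key, never the token
	}
	pub := keys[hdr.Kid]
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if raw, err = b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if c.Iss != githubIssuer || c.Aud != expectedAud { // a token minted for another relying party must fail here
		return nil, errors.New("wrong issuer or audience")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// authorize is the rest of step 2 plus step 3: policy lookup, then the role ARN and session length for sts:AssumeRole.
func authorize(c *Claims) (string, time.Duration, error) {
	role, ok := policy[[3]string{c.Repository, c.Ref, c.Environment}]
	if !ok {
		return "", 0, fmt.Errorf("policy denies %s@%s env=%q", c.Repository, c.Ref, c.Environment)
	}
	return role, sessionTTL, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for GitHub's signing key
	now := time.Now()
	c := Claims{Iss: githubIssuer, Aud: expectedAud, Repository: "acme/web", Ref: "refs/heads/main",
		Environment: "production", Exp: now.Add(5 * time.Minute).Unix()}
	if got, err := verify(mint(key, "2024-01", c), map[string]*rsa.PublicKey{"2024-01": &key.PublicKey}, now); err == nil {
		fmt.Println(authorize(got))
	}
}
```

Run as written, the production claims map to the ci-deploy-prod role with a 15-minute session; a feature branch on the same repository, an expired token, a token minted for another audience, an unknown kid or alg=none header, and a payload edited after signing are all refused. In a real deployment the keys map is filled from GitHub's JWKS endpoint and refreshed when an unknown kid appears, and the returned role and TTL are what go into the sts:AssumeRole call as RoleArn and DurationSeconds.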

Read the CI/CD integration guide.

Remove every long-lived key from your pipelines. Covers GitHub Actions, GitLab CI, and CircleCI.