Long-lived access keys in CI remain a frequent breach path. OIDC removes the secret from the repository entirely.
Setup steps: create an IAM OIDC provider for GitHub, bind roles with sub and repository conditions, and scope permissions to deploy targets only.
Why it matters: credential rotation disappears, and every assume-role event is attributable to a workflow run.
Tools mentioned: GitHub Environments, aws-actions/configure-aws-credentials, and IAM condition keys.
Apply this by migrating one production deploy workflow first, then deleting the leftover IAM user keys.