OIDC federation
Imagine that you are creating an application that accesses AWS resources, such as GitHib Actions that uses workflows to access Amazon S3 and DynamoDB.
When you use these workflows, you make requests to AWS services that must be signed with an AWS access key. However, we strongly recommend that you do not store AWS credentials long-term in applications outside AWS. Instead, configure your applications to requests temporary AWS security credentials dynamically when needed using OIDC federation. The supplied temporary credentials map to an AWS role that only has permissions needed to perform the tasks required by the application.
With OIDC federation, you don't need to create custom sign-in code or manage your own user
identities. Instead, you can use OIDC in applications, such as GitHub Actions or any other
OpenID Connect (OIDC)
For most scenarios, we recommend that you use Amazon Cognito
Note
JSON Web Tokens (JWTs) issued by OpenID Connect (OIDC) identity providers contain an
expiration time in the exp
claim that specifies when the token expires. IAM
provides a five-minute window beyond the expiration time specified in the JWT to account for
clock skew, as allowed by the OpenID Connect (OIDC) Core 1.0
standard