
OpenID Connect



GitHub Actions – the OpenID Connect (OIDC) integration with AWS no longer depends on pinning any intermediate certificate thumbprints.

When GitHub is configured as an OIDC identity provider (IdP), AWS now secures the connection by trusting the root certificate authorities (CAs) that issue GitHub Actions' certificates, instead of relying on a pinned certificate thumbprint to verify GitHub's IdP server certificate.
This removes the failures caused by pinned certificate thumbprints when authenticating from GitHub to AWS with OIDC. No action is needed from GitHub customers.

Learn more about using OIDC with GitHub Actions.


We have received reports from customers of errors with Actions' OIDC integration with AWS.
These occur for customers whose AWS configuration pins a single intermediate thumbprint from the Certificate Authority (CA) of the Actions SSL certificate.

There are two possible intermediate certificates for the Actions SSL certificate, and our servers may return either one, so customers need to trust both. This is expected behavior when the intermediate certificates are cross-signed by the CA.

Customers experiencing issues authenticating to AWS via OIDC should configure both thumbprints as trusted in the AWS portal.
The two known intermediate thumbprints at this time are:

  • 6938fd4d98bab03faadb97b34396831e3780aea1
  • 1c58a3a8518e8759bf075b76b750d4f2df264fcd

Learn more about using OIDC with GitHub Actions.
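As an added example (not GitHub's or AWS's code), the following Python checks which intermediate certificate a server is actually serving and whether its thumbprint is already trusted, using the two thumbprints from the post above. It assumes the AWS thumbprint format (lowercase hex SHA-1 over the DER-encoded certificate) and a PEM chain in the form printed by `openssl s_client -showcerts`; the sample chain embedded below is constructed test data, not real certificate material.

```python
# Added example (not GitHub's or AWS's code): compute the SHA-1 thumbprints that
# AWS IAM expects for an OIDC provider from a PEM certificate chain, and check
# whether the served intermediate is one of the two thumbprints listed above.
import base64
import hashlib
import re

# The two intermediate thumbprints quoted in the changelog post above.
KNOWN_INTERMEDIATE_THUMBPRINTS = {
    "6938fd4d98bab03faadb97b34396831e3780aea1",
    "1c58a3a8518e8759bf075b76b750d4f2df264fcd",
}

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_chain_to_der(pem_text: str) -> list[bytes]:
    """Split a PEM bundle (e.g. `openssl s_client -showcerts` output) into the
    DER bytes of each certificate, preserving chain order (leaf first)."""
    return [base64.b64decode("".join(body.split()))
            for body in _PEM_CERT.findall(pem_text)]


def thumbprint(der: bytes) -> str:
    """AWS IAM thumbprint format: lowercase hex SHA-1 over the DER certificate."""
    return hashlib.sha1(der).hexdigest()


def chain_thumbprints(pem_text: str) -> list[str]:
    """Thumbprint of every certificate in the chain, leaf first."""
    return [thumbprint(der) for der in pem_chain_to_der(pem_text)]


def intermediate_is_trusted(pem_text: str,
                            trusted: set[str] = KNOWN_INTERMEDIATE_THUMBPRINTS) -> bool:
    """True if the chain's intermediate (the certificate that signed the leaf,
    index 1 in a leaf-first chain) matches one of the trusted thumbprints.
    A chain with fewer than two certificates cannot be checked and yields False."""
    tps = chain_thumbprints(pem_text)
    if len(tps) < 2:
        return False
    return tps[1] in {t.lower() for t in trusted}


def missing_thumbprints(configured: set[str],
                        known: set[str] = KNOWN_INTERMEDIATE_THUMBPRINTS) -> set[str]:
    """Known intermediate thumbprints that an AWS provider config does not trust yet.
    Comparison is case-insensitive and ignores colons (the AWS console may show them)."""
    have = {c.replace(":", "").lower() for c in configured}
    return {k for k in known if k not in have}


def _fake_pem(der: bytes) -> str:
    """Wrap arbitrary bytes as a PEM block. Constructed test data only: the
    bytes are not real X.509, which is fine here because the thumbprint is just
    a hash over the DER payload."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed two-certificate chain (leaf, then intermediate) surrounded by
# s_client-style noise that the parser must ignore.
SAMPLE_CHAIN = (
    "depth=1 (constructed noise line)\n"
    + _fake_pem(b"constructed-leaf-certificate")
    + _fake_pem(b"constructed-intermediate-certificate")
    + "---\nNo client certificate CA names sent\n"
)

if __name__ == "__main__":
    for i, tp in enumerate(chain_thumbprints(SAMPLE_CHAIN)):
        print(f"cert[{i}] sha1 thumbprint: {tp}")
    print("intermediate trusted by known set:", intermediate_is_trusted(SAMPLE_CHAIN))
    print("missing from a one-thumbprint config:",
          missing_thumbprints({"6938fd4d98bab03faadb97b34396831e3780aea1"}))
```

To check the live chain, feed the output of `openssl s_client -connect token.actions.githubusercontent.com:443 -servername token.actions.githubusercontent.com -showcerts </dev/null` (GitHub's OIDC issuer host) to `chain_thumbprints`, and repeat the connection a few times, since either intermediate may be served. Any thumbprint reported by `missing_thumbprints` can be added to an existing provider with `aws iam update-open-id-connect-provider-thumbprint --open-id-connect-provider-arn <provider ARN> --thumbprint-list <thumbprint-1> <thumbprint-2>`, where the ARN placeholder is your own provider's.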
