by shitlord 1264 days ago
I recently did this for one of my GitHub repos which runs several test suites (cumulatively taking >1h). If your actions are slow, pay attention to the IAM role session duration. The maximum duration with role chaining is 1 hour.

In the end your credentials need to outlive your CI/CD actions.

2 comments

Throwaway for reasons:

From experience, be careful and ensure you properly scope your OIDC connection. It’s very easy to allow ANY GitHub repo with proper OIDC connection bits (SA email, connector pool, etc) to get an OIDC token, rather than what you expect, whether that’s any repo in your private org or a specific single repository. As always, RTFM
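
The scoping pitfall in that comment, shown as an added example (not code from the thread or from GitHub/AWS). It models an AWS IAM trust policy for GitHub Actions OIDC, since the rest of the thread is about AWS roles; the account id, repository names and token claims are constructed placeholders, and the small evaluator reproduces only IAM's `StringEquals` and `StringLike` operators. The point it demonstrates: checking only the `aud` claim admits a token from any repository on GitHub, because every repository can request a token with that audience; the `sub` claim is what ties the role to your repo (the GCP equivalent is the attribute condition on the workload identity pool).

```python
"""Added example: how an IAM trust policy's Condition block decides which
GitHub Actions workflows may assume a role through OIDC. The policies, the
account id, the repo names and the evaluator below are all constructed for
illustration; the evaluator models only the two IAM operators used here."""
import fnmatch

ISSUER = "token.actions.githubusercontent.com"
# Placeholder account id; not a real account.
OIDC_PROVIDER = f"arn:aws:iam::111122223333:oidc-provider/{ISSUER}"


def _trust_policy(condition: dict) -> dict:
    """Wrap a Condition block in a minimal AssumeRoleWithWebIdentity statement."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": OIDC_PROVIDER},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


# Weak: only the audience is checked. Every GitHub repo can request a token
# with aud=sts.amazonaws.com, so this admits workflows from any repo on GitHub.
WEAK_TRUST_POLICY = _trust_policy({
    "StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"},
})

# Scoped: the subject claim is pinned to one repository (any ref or environment
# in it). Narrow the pattern further, e.g. ":ref:refs/heads/main", to restrict
# deployments to a single branch.
SCOPED_TRUST_POLICY = _trust_policy({
    "StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{ISSUER}:sub": "repo:example-org/example-repo:*"},
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition: dict, claims: dict) -> bool:
    """Evaluate StringEquals / StringLike the way IAM does for this subset:
    every operator and every key must match (AND across keys, OR across the
    listed values), and a key absent from the token never matches."""
    for operator, keys in condition.items():
        for key, allowed in keys.items():
            actual = claims.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                ok = actual in _as_list(allowed)
            elif operator == "StringLike":
                # IAM wildcards are * and ?; fnmatchcase also honours [..],
                # which none of the patterns above use.
                ok = any(fnmatch.fnmatchcase(actual, p) for p in _as_list(allowed))
            else:
                raise ValueError(f"unsupported operator {operator}")
            if not ok:
                return False
    return True


def can_assume(policy: dict, claims: dict) -> bool:
    """True if some Allow statement for the OIDC provider matches the token."""
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Allow"
                and stmt["Action"] == "sts:AssumeRoleWithWebIdentity"
                and stmt["Principal"].get("Federated") == OIDC_PROVIDER
                and condition_matches(stmt.get("Condition", {}), claims)):
            return True
    return False


def token_claims(repo: str, ref: str, aud: str = "sts.amazonaws.com") -> dict:
    """Constructed stand-in for the claims GitHub puts in its OIDC token,
    keyed the way IAM exposes them as condition context."""
    return {
        f"{ISSUER}:aud": aud,
        f"{ISSUER}:sub": f"repo:{repo}:ref:{ref}",
        f"{ISSUER}:repository": repo,
    }


OWN_REPO = token_claims("example-org/example-repo", "refs/heads/main")
OTHER_REPO = token_claims("someone-else/unrelated-repo", "refs/heads/main")

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("scoped", SCOPED_TRUST_POLICY)):
        for label, claims in (("own repo", OWN_REPO), ("other repo", OTHER_REPO)):
            verdict = "ALLOW" if can_assume(policy, claims) else "DENY"
            print(f"{name:6} policy, token from {label:10}: {verdict}")
```

Running it prints ALLOW for both tokens under the weak policy and ALLOW/DENY under the scoped one. A `sub` pattern like `repo:example-org/*` is the "any repo in your private org" case the comment mentions; choose deliberately between that and a single repository, and pin the branch or environment for roles that can deploy.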

I believe the max duration of an assumed role session is 12 hours, but this can be changed per-role.
For assuming one role it can be up to 12 hours. If you're doing role chaining like the parent mentioned (where the 1st assumed role then assumes a 2nd role) then the maximum session duration is 1 hour. AWS has this documented here:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_te...

> Role chaining limits your AWS CLI or AWS API role session to a maximum of one hour.