Configure for AWS STS assumed role instead of static access key and secret

[januszm]

Documentation says that this action requires both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY variables to be set, however I'm going to use https://github.com/aws-actions/configure-aws-credentials which will set them up dynamically using the Asssumed Role feature of AWS, which is considered safer in long term (doesn't require storing and managing key and secret).

What's the best way to set this action up with assumed role? If this is possible, can we add it to the documentation?

Looks like they can be fetched from the previous step of a GH action like: https://github.com/aws-actions/configure-aws-credentials?tab=readme-ov-file#retrieving-credentials-from-step-output-assumerole-with-temporary-credentials

        aws-access-key-id: ${{ steps.STEP_ID.outputs.aws-access-key-id }}
        aws-secret-access-key: ${{ steps.STEP_ID.outputs.aws-secret-access-key }}
        aws-session-token: ${{ steps.STEP_ID.outputs.aws-session-token }}

[januszm]

I'd also add a clearly visible note that AWS assumed role (or all) + Github setups require this setting in permissions:

jobs:
  build:
    name: MYBUILD
    runs-on: ubuntu-latest # or something else
    permissions:
      id-token: write # THIS!