diff --git a/.github/workflows/qns.yml b/.github/workflows/qns.yml
index 32ba590f5..b9ccb9aac 100644
--- a/.github/workflows/qns.yml
+++ b/.github/workflows/qns.yml
@@ -30,6 +30,9 @@ env:
 # should we taken before adding more permissions.
 permissions:
   statuses: write
+  id-token: write # This is required for requesting the JWT
+  contents: read  # This is required for actions/checkout
+
 
 jobs:
   env:
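Review bot: `id-token: write` is granted at workflow level here, so every job in qns.yml can request an OIDC token, not only the jobs that run `aws-actions/configure-aws-credentials`. The comment just above this block already asks for care before adding permissions; consider moving `id-token: write` into a job-level `permissions:` block on the jobs that assume a role. A job-level block replaces the workflow-level one rather than adding to it, so those jobs would also need to list `contents: read` and, where used, `statuses: write`. The added blank line after `contents: read` also leaves two consecutive empty lines before `jobs:`.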
@@ -213,9 +216,9 @@ jobs:
       - uses: aws-actions/configure-aws-credentials@v4.0.2
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-west-1
+          role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+          role-session-name: S2nQuicGHAS3Session
+          aws-region: us-west-2
 
       - name: Upload to S3
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
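Review bot: The new `role-to-assume` step runs under the unchanged `if:`, which also admits pull requests opened from branches of this repository, so what bounds access to these S3 credentials is now the trust policy of `GitHubOIDCRole`, which is not visible in this diff. I would add a comment above the step recording that expectation, for example `# GitHubOIDCRole trust policy must restrict token.actions.githubusercontent.com:sub to this repository`, and confirm the policy does so. The same three lines are repeated in the hunks at -305, -408 and -556; defining the ARN once in the workflow `env:` block (for example `S3_ROLE_ARN`, name illustrative) and writing `role-to-assume: ${{ env.S3_ROLE_ARN }}` would keep the four copies from drifting. The region also moves from us-west-1 to us-west-2, so it is worth checking that the bucket used by the upload steps matches.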
@@ -305,9 +308,9 @@ jobs:
       - uses: aws-actions/configure-aws-credentials@v4.0.2
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-west-1
+          role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+          role-session-name: S2nQuicGHAS3Session
+          aws-region: us-west-2
 
       - name: Upload to S3
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -361,14 +364,20 @@ jobs:
           sudo apt-get -o Acquire::Retries=3 update
           sudo apt-get -o Acquire::Retries=3 install -y gnuplot
 
+      - uses: aws-actions/configure-aws-credentials@v4.0.2
+        if: github.repository == github.event.pull_request.head.repo.full_name
+        with:
+          role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCEcrRole
+          role-session-name: S2nQuicGHAECRSession
+          aws-region: us-east-1   # Required for ECR
+
       # authenticate pull to avoid hitting pull quota
-      - name: Login to Amazon Elastic Container Registry Public
+      - name: Login to Amazon ECR Public
         if: github.repository == github.event.pull_request.head.repo.full_name
-        uses: docker/login-action@v3.3.0
+        id: login-ecr-public
+        uses: aws-actions/amazon-ecr-login@v2
         with:
-          registry: public.ecr.aws
-          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          registry-type: public
 
       - name: Pull s2n-quic-qns:main
         if: github.event.pull_request
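Review bot: `aws-actions/amazon-ecr-login@v2` is referenced by a floating major tag, while the other actions in this hunk use exact versions (`configure-aws-credentials@v4.0.2`, the removed `docker/login-action@v3.3.0`); a step that handles registry credentials is better pinned to an exact release or a full commit SHA, and the same reference appears in the release.yml hunk at -41. Separately, the credentials step added before it exports the role's temporary credentials to the remaining steps of the job, whereas the old login passed the secrets only to the login action. Since the later steps run for pull requests from same-repository branches, `GitHubOIDCEcrRole` should carry no more than the permissions needed for the public ECR login; that policy is not shown here, so this is to be confirmed. The new `id: login-ecr-public` is not referenced in this hunk and can be dropped if no later step reads its outputs.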
@@ -408,9 +417,9 @@ jobs:
       - uses: aws-actions/configure-aws-credentials@v4.0.2
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-west-1
+          role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+          role-session-name: S2nQuicGHAS3Session
+          aws-region: us-west-2
 
       - name: Upload results
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -556,9 +565,9 @@ jobs:
       - uses: aws-actions/configure-aws-credentials@v4.0.2
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-west-1
+          role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+          role-session-name: S2nQuicGHAS3Session
+          aws-region: us-west-2
 
       - name: Upload results
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 64e2fd3a4..42ea238bf 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,6 +14,10 @@ on:
 
 name: release
 
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read  # This is required for actions/checkout
+
 jobs:
   qns:
     runs-on: ubuntu-latest
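Review bot: Adding a top-level `permissions:` block sets every scope that is not listed to none for all jobs in release.yml, where the token previously had the repository defaults. The next hunk of this file shows a `Login to GitHub Container Registry` step; if that step authenticates with `GITHUB_TOKEN` and the job pushes to ghcr.io (its inputs are outside the diff), the block also needs `packages: write` or the push will be denied. As with any workflow-level grant, `id-token: write` here applies to every job in the file, so a job-level block on `qns` would be the narrower choice if more jobs exist.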
@@ -41,13 +45,18 @@ jobs:
           fi
           echo "tags=${TAGS}" >> $GITHUB_OUTPUT
 
-      - name: Login to Amazon Elastic Container Registry Public
-        uses: docker/login-action@v3.3.0
+      - uses: aws-actions/configure-aws-credentials@v4.0.2
+        with:
+          role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCEcrRole
+          role-session-name: S2nQuicGHAECRSession
+          aws-region: us-east-1   # Required for ECR
+
+      - name: Login to Amazon ECR Public
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
+        id: login-ecr-public
+        uses: aws-actions/amazon-ecr-login@v2
         with:
-          registry: public.ecr.aws
-          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          registry-type: public
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3.3.0
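Review bot: The added `configure-aws-credentials` step has no `if:`, while the `Login to Amazon ECR Public` step right after it keeps `if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name`. On a run where that condition is false the role is still assumed, or the step fails outright when no OIDC token can be issued (as for pull requests from forks), even though the login itself is skipped. Either give the credentials step the same `if:` line, or, if release.yml never runs for pull requests (its triggers are outside this hunk), remove the condition from the login step so the two agree.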