diff --git a/.github/workflows/deploy-stg.yml b/.github/workflows/deploy-stg.yml
index cc74e46..ff5378a 100644
--- a/.github/workflows/deploy-stg.yml
+++ b/.github/workflows/deploy-stg.yml
@@ -6,6 +6,10 @@ on:
 - master
 workflow_dispatch:

+permissions:
+ contents: read
+ id-token: write
+
 jobs:
 deploy:
 name: Deploy
@@ -23,8 +27,8 @@ jobs:
 - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v4
 with:
- aws-access-key-id: ${{ secrets.STG_AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.STG_AWS_SECRET_ACCESS_KEY }}
+ role-to-assume: ${{ secrets.AVRAE_GITHUB_OIDC_ROLE_ARN }}
+ role-session-name: "avrae-service-deploy-stg"
 aws-region: ${{ env.REGION }}

 - name: Login to Amazon ECR
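Review bot: `id-token: write` is granted in the added workflow-level `permissions:` block, so every job in this file can request an OIDC token, not only the one that assumes the AWS role. Only the `deploy` job is visible and the rest of the file is outside the hunk, but if other jobs exist or are added later, the grant is better placed under `jobs.deploy` as `permissions:` with `contents: read` and `id-token: write`, leaving the top-level block at `contents: read`. Scopes not listed in the block drop to `none`, so it is worth confirming that no later step needs a token scope that was previously available by default.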
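Review bot: The switch to `role-to-assume` moves the access decision into the IAM role's trust policy, which this diff does not show, while the workflow can also be started through `workflow_dispatch`. If that policy matches only the repository or uses a wildcard `sub`, a run dispatched from any branch could obtain the staging role; it should condition `token.actions.githubusercontent.com:sub` on `repo:<ORG>/<REPO>:ref:refs/heads/master` and `aud` on `sts.amazonaws.com`. A comment above the step such as `# Role trust policy is pinned to this repo's master ref; update it if the trigger branches change` would record that dependency. Once this is deployed, the static key pair behind `STG_AWS_ACCESS_KEY_ID` / `STG_AWS_SECRET_ACCESS_KEY` should be deactivated in IAM and both secrets deleted, otherwise the long-lived credential stays usable. The enclosing job starts and ends outside the hunk.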