diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 9e2f12f..90c3c9e 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -5,6 +5,10 @@ on:
 types: [ published ]
 workflow_dispatch:

+permissions:
+ contents: read
+ id-token: write
+
 jobs:
 deploy:
 name: Deploy
@@ -22,8 +26,8 @@ jobs:
 - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v4
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ role-to-assume: ${{ secrets.AVRAE_GITHUB_OIDC_ROLE_ARN }}
+ role-session-name: "avrae-service-deploy-live"
 aws-region: ${{ env.REGION }}

 - name: Login to Amazon ECR
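Review bot: `id-token: write` is granted in the new workflow-level `permissions:` block, so every job in this file can request an OIDC token, not only the one that assumes the AWS role. Only the `deploy` job is visible in this diff; if other jobs exist or are added later, moving the block under `jobs.deploy` keeps the token scope on the job that needs it. A short comment above the key, such as `# id-token: write lets configure-aws-credentials request the GitHub OIDC token`, would also explain why a write scope appears in an otherwise read-only block.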
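Review bot: The fixed `role-session-name` makes every deployment look identical in CloudTrail, so an AssumeRoleWithWebIdentity session cannot be tied back to the workflow run that created it. Appending the run id, `role-session-name: "avrae-service-deploy-live-${{ github.run_id }}"`, restores that link for incident response. Access control now rests on the IAM role's trust policy rather than on a stored key, and that policy is not visible here. Because `workflow_dispatch` is also a trigger, it is worth confirming that the policy's `sub` condition is limited to this repository and the intended ref or environment, not a wildcard. The job these steps belong to starts and continues outside the hunk.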