diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 08aa4dd1..e87908e3 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -9,6 +9,9 @@ on:
     types: [rsconnect_python_latest]
 env:
   DOCKER_TTY_FLAGS: ''
+permissions:
+  id-token: write
+  contents: write
 jobs:
   test:
     strategy:
@@ -123,8 +126,7 @@ jobs:
     - if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') && (contains(github.ref, 'b') == false)
       uses: aws-actions/configure-aws-credentials@v1
       with:
-        aws-access-key-id: ${{ secrets.DOCS_AWS_ID }}
-        aws-secret-access-key: ${{ secrets.DOCS_AWS_SECRET }}
+        role-to-assume: ${{ secrets.DOCS_AWS_ROLE }}
         aws-region: us-east-1
     - if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') && (contains(github.ref, 'b') == false)
       run: make promote-docs-in-s3