diff --git a/.github/workflows/deploy-auth-api.yml b/.github/workflows/deploy-auth-api.yml
index 73fc48ab1e..73084000d2 100644
--- a/.github/workflows/deploy-auth-api.yml
+++ b/.github/workflows/deploy-auth-api.yml
@@ -6,17 +6,22 @@
 env:
   AUTH_API_CLUSTER: shared-cluster
   AUTH_API_SERVICE: auth-api
+# Required for IDP JWT and actions/checkout
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   deploy:
     name: Deploy latest stable image
     environment: shared
     runs-on: ubuntu-latest
     steps:
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v1.7.0
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_KEY }}
+          role-to-assume: ${{ vars.AWS_ASSUME_ROLE_ARN }}
+          role-session-name: GitHub_to_AWS_via_FederatedOIDC
           aws-region: us-east-1
       - name: Trigger ECS Deploy
         run: |
diff --git a/.github/workflows/deploy-module-index.yml b/.github/workflows/deploy-module-index.yml
index 2345276e7a..28237f7030 100644
--- a/.github/workflows/deploy-module-index.yml
+++ b/.github/workflows/deploy-module-index.yml
@@ -6,6 +6,11 @@
 env:
   MODULE_INDEX_CLUSTER: shared-cluster
   MODULE_INDEX_SERVICE: module-index
+# Required for IDP JWT and actions/checkout
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   deploy:
     name: Deploy latest stable image
diff --git a/.github/workflows/down-service.yml b/.github/workflows/down-service.yml
index a62ebff711..18bef154f6 100644
--- a/.github/workflows/down-service.yml
+++ b/.github/workflows/down-service.yml
@@ -2,6 +2,11 @@
 name: Bring Down Service
 run-name: Bringing ${{ inputs.service }} down
 
+# Required for IDP JWT and actions/checkout
+permissions:
+  id-token: write
+  contents: read
+
 on:
   workflow_call:
     inputs:
diff --git a/.github/workflows/instance-refresh.yml b/.github/workflows/instance-refresh.yml
index af1f92cfe0..429ca11907 100644
--- a/.github/workflows/instance-refresh.yml
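Review bot: The `uses:` line of the Configure AWS Credentials step pins `aws-actions/configure-aws-credentials@v1.7.0`, a major-version downgrade from the `@v4` this commit removes; `role-to-assume`/OIDC is fully supported by v4, and as far as I can tell the v1 line runs on an older Node runtime that GitHub is retiring, so the pin should stay at `uses: aws-actions/configure-aws-credentials@v4` (or, stricter, a full commit SHA with a `# v4.x.y` comment). Because the step no longer reads `secrets.AWS_ACCESS_KEY` / `secrets.AWS_SECRET_KEY`, the matching IAM user access keys should be deactivated and the repository secrets deleted once every workflow has moved to the role, so the long-lived credential does not outlive its use. `role-session-name` is a fixed string; a per-run value such as `role-session-name: gha-${{ github.run_id }}` makes the CloudTrail AssumeRoleWithWebIdentity entries attributable to a specific workflow run, and costs nothing since the role's trust policy, not the session name, decides what is allowed. The `run:` body of the Trigger ECS Deploy step continues outside the hunk.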
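Review bot: The comment above the new `permissions:` block, `# Required for IDP JWT and actions/checkout`, does not say which key serves which purpose, and "IDP JWT" is not a term a reader will find in the GitHub or AWS docs; a two-line comment such as `# id-token: write  - lets the job request a GitHub OIDC token to assume the AWS role` and `# contents: read   - needed by actions/checkout` documents the intent. Note that a top-level `permissions:` block replaces the default GITHUB_TOKEN grant for every job in the file, which is a least-privilege improvement, but it also hands `id-token: write` to any job added later; if more jobs appear, moving the block under the `deploy` job keeps the OIDC capability scoped to the step that uses it. The same comment text is introduced in deploy-auth-api.yml and in every other hunk of this commit, so the wording fix applies there too.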
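Review bot: The new top-level `permissions:` block sits in a reusable workflow (`on: workflow_call` is visible in the trailing context), and a called workflow can only downgrade the token permissions its caller passes in, never raise them; unless every calling job also sets `id-token: write` (and `contents: read`), the OIDC token request inside this workflow fails at run time with a permissions error rather than at validation time. Worth extending the comment, e.g. `# Callers must also grant id-token: write on the job that uses this workflow`, and checking the caller workflows in the same change. The same point applies to instance-refresh.yml, invoke-and-check-invalidations.yml, migrate-sdf.yml, set-maintenance-mode.yml, set-service-version.yml, up-service.yml, upgrade-service.yml and upgrade-web.yml, which add the identical block.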
+++ b/.github/workflows/instance-refresh.yml
@@ -2,6 +2,11 @@
 name: Instance refresh
 run-name: Replacing instances for ${{ inputs.service }}
 
+# Required for IDP JWT and actions/checkout
+permissions:
+  id-token: write
+  contents: read
+
 on:
   workflow_call:
     inputs:
diff --git a/.github/workflows/invoke-and-check-invalidations.yml b/.github/workflows/invoke-and-check-invalidations.yml
index d09f31c5b6..502f8a2733 100644
--- a/.github/workflows/invoke-and-check-invalidations.yml
+++ b/.github/workflows/invoke-and-check-invalidations.yml
@@ -2,6 +2,11 @@
 name: Instigate & Check CDN State
 run-name: Instigate & Check CDN State for ${{ inputs.environment }}
 
+# Required for IDP JWT and actions/checkout
+permissions:
+  id-token: write
+  contents: read
+
 on:
   workflow_call:
     inputs:
diff --git a/.github/workflows/migrate-sdf.yml b/.github/workflows/migrate-sdf.yml
index 42c9f17aff..186c17751d 100644
--- a/.github/workflows/migrate-sdf.yml
+++ b/.github/workflows/migrate-sdf.yml
@@ -1,5 +1,10 @@
 name: Migrate SDF
 
+# Required for IDP JWT and actions/checkout
+permissions:
+  id-token: write
+  contents: read
+
 on:
   workflow_call:
     inputs:
diff --git a/.github/workflows/set-maintenance-mode.yml b/.github/workflows/set-maintenance-mode.yml
index ec96a3f9c8..751387f2d5 100644
--- a/.github/workflows/set-maintenance-mode.yml
+++ b/.github/workflows/set-maintenance-mode.yml
@@ -1,5 +1,10 @@
 name: Set maintenance mode
 
+# Required for IDP JWT and actions/checkout
+permissions:
+  id-token: write
+  contents: read
+
 on:
   workflow_call:
     inputs:
diff --git a/.github/workflows/set-service-version.yml b/.github/workflows/set-service-version.yml
index 6de16d2849..e0616464f9 100644
--- a/.github/workflows/set-service-version.yml
+++ b/.github/workflows/set-service-version.yml
@@ -2,6 +2,11 @@
 name: Set Service Version
 run-name: Setting ${{ inputs.service }} to version {{ inputs.version }} for {{ inputs.environment }}
 
+# Required for IDP JWT and actions/checkout
+permissions:
+  id-token: write
+  contents: read
+
 on:
   workflow_call:
     inputs:
diff --git a/.github/workflows/up-service.yml b/.github/workflows/up-service.yml
index aa3aec495e..520f8cc12e 100644
--- a/.github/workflows/up-service.yml
+++ b/.github/workflows/up-service.yml
@@ -2,6 +2,11 @@
 name: Bring Up Service
 run-name: Bringing ${{ inputs.service }} up
 
+# Required for IDP JWT and actions/checkout
+permissions:
+  id-token: write
+  contents: read
+
 on:
   workflow_call:
     inputs:
diff --git a/.github/workflows/upgrade-service.yml b/.github/workflows/upgrade-service.yml
index 3c9a999171..6926f128ca 100644
--- a/.github/workflows/upgrade-service.yml
+++ b/.github/workflows/upgrade-service.yml
@@ -2,6 +2,11 @@
 name: Upgrade Service
 run-name: Upgrading ${{ inputs.service }}
 
+# Required for IDP JWT and actions/checkout
+permissions:
+  id-token: write
+  contents: read
+
 on:
   workflow_call:
     inputs:
diff --git a/.github/workflows/upgrade-web.yml b/.github/workflows/upgrade-web.yml
index 37c3306196..0dfb52d7ab 100644
--- a/.github/workflows/upgrade-web.yml
+++ b/.github/workflows/upgrade-web.yml
@@ -1,5 +1,10 @@
 name: Upgrade web
 
+# Required for IDP JWT and actions/checkout
+permissions:
+  id-token: write
+  contents: read
+
 on:
   workflow_call:
     inputs:
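Review bot: The `run-name:` context line in set-service-version.yml, two lines above the new `permissions:` block, expands only `${{ inputs.service }}`; `{{ inputs.version }}` and `{{ inputs.environment }}` lack the leading `$`, so GitHub renders them literally in the run title instead of substituting the inputs. This is pre-existing rather than introduced here, but since the file is being touched, `run-name: Setting ${{ inputs.service }} to version ${{ inputs.version }} for ${{ inputs.environment }}` fixes it in the same change. The `inputs:` mapping under `workflow_call` continues outside the hunk.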