diff --git a/.github/workflows/generate-openapi.yml b/.github/workflows/generate-openapi.yml index 5d24ef4d60..a59ab7ac3c 100644 --- a/.github/workflows/generate-openapi.yml +++ b/.github/workflows/generate-openapi.yml @@ -21,11 +21,8 @@ on: secrets: # all secrets are passed explicitly in this workflow api_bot_pat: required: true - aws_access_key_id: + aws_s3_role_to_assume: required: true - aws_secret_access_key: - required: true - permissions: contents: write @@ -61,11 +58,14 @@ jobs: - name: Add permissions to execute scripts run: | chmod +x release-scripts/*.sh + - name: aws configure + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.aws_s3_role_to_assume }} + aws-region: ${{inputs.aws_default_region}} - name: Retrieve Specs env: AWS_DEFAULT_REGION: ${{inputs.aws_default_region}} - AWS_ACCESS_KEY_ID: ${{ secrets.aws_access_key_id }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.aws_secret_access_key }} S3_BUCKET: ${{ inputs.aws_s3_bucket }} run: ./release-scripts/download_specs.sh - name: Generate Federated Spec diff --git a/.github/workflows/release-changelog.yml b/.github/workflows/release-changelog.yml index c560c7be63..4b3c864b7e 100644 --- a/.github/workflows/release-changelog.yml +++ b/.github/workflows/release-changelog.yml @@ -25,9 +25,7 @@ on: secrets: # all secrets are passed explicitly in this workflow api_bot_pat: required: true - aws_access_key_id: - required: true - aws_secret_access_key: + aws_s3_role_to_assume: required: true permissions: 
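Review bot: The `permissions:` block shown as context at the end of this hunk grants only `contents: write`, and nothing in the commit adds `id-token: write`, which `aws-actions/configure-aws-credentials` needs to request a GitHub OIDC token when it is given `role-to-assume` without static keys. Without it the new `aws configure` step would presumably fail to load credentials on a hosted runner. Add `id-token: write` under `permissions:` here and in release-changelog.yml, release-spec-v1.yml and release-spec.yml. Because a called workflow cannot hold more token permissions than its caller, the calling jobs in release-spec-runner.yml need it as well. The block may continue past the hunk, so confirm it is not already granted further down.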
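Review bot: The added step references `aws-actions/configure-aws-credentials@v4`, a mutable tag, for the action that obtains AWS credentials in a workflow that also holds `contents: write`. Pinning it to a full commit SHA keeps a moved tag from changing the code that handles those credentials, e.g. `uses: aws-actions/configure-aws-credentials@<full-commit-sha> # v4` (placeholder; take the SHA from the release you have reviewed). The same step is added in release-changelog.yml and release-spec-v1.yml.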
@@ -89,11 +87,14 @@ jobs: - name: Add permissions to execute scripts run: | chmod +x release-scripts/*.sh + - name: aws configure + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.aws_s3_role_to_assume }} + aws-region: ${{inputs.aws_default_region}} - name: Generate Changelog env: AWS_DEFAULT_REGION: ${{inputs.aws_default_region}} - AWS_ACCESS_KEY_ID: ${{ secrets.aws_access_key_id }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.aws_secret_access_key }} S3_BUCKET: ${{ inputs.aws_s3_bucket }} run: ./release-scripts/generate_changelog.sh - name: Upload revision and base folders for debugging diff --git a/.github/workflows/release-spec-runner.yml b/.github/workflows/release-spec-runner.yml index a74ed3d571..c9a68d4b51 100644 --- a/.github/workflows/release-spec-runner.yml +++ b/.github/workflows/release-spec-runner.yml @@ -50,8 +50,7 @@ jobs: uses: ./.github/workflows/release-spec.yml secrets: api_bot_pat: ${{ secrets.API_BOT_PAT }} - aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_DEV }} - aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_DEV }} + aws_s3_role_to_assume: ${{ secrets.aws_s3_role_to_assume }} jira_api_token: ${{ secrets.JIRA_API_TOKEN }} with: aws_default_region: ${{ vars.AWS_DEFAULT_REGION}} @@ -68,8 +67,7 @@ jobs: uses: ./.github/workflows/release-spec.yml secrets: api_bot_pat: ${{ secrets.API_BOT_PAT }} - aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_QA }} - aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_QA }} + aws_s3_role_to_assume: ${{ secrets.aws_s3_role_to_assume }} jira_api_token: ${{ secrets.JIRA_API_TOKEN }} with: aws_default_region: ${{ vars.AWS_DEFAULT_REGION}} 
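Review bot: The `aws configure` step makes the assumed-role credentials available to every later step of the job, while the removed `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` entries were scoped to the `Generate Changelog` step's `env:`. Later steps such as `Upload revision and base folders for debugging` now run with those credentials in their environment, so the role's policy should be limited to the S3 actions the release scripts need. A comment above the step would record this, for example `# Exports temporary AWS credentials to all later steps in this job; keep the role scoped to the spec bucket.` The step-level `AWS_DEFAULT_REGION` also looks redundant now that the action is given `aws-region`; the same applies to generate-openapi.yml and release-spec-v1.yml.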
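Review bot: All environments now assume the same role: this job passes the single secret `secrets.aws_s3_role_to_assume` where the removed lines passed `AWS_ACCESS_KEY_ID_DEV`/`AWS_SECRET_ACCESS_KEY_DEV`, and the later hunks in this file do the same for the QA, STAGING and PROD jobs. With one role for every environment, a dev or QA run holds credentials that can also reach whatever the production release uses, unless the IAM side separates them in a way this diff does not show. Consider one role secret per environment, e.g. `aws_s3_role_to_assume: ${{ secrets.AWS_S3_ROLE_TO_ASSUME_DEV }}` (illustrative name), and a trust policy on each role that restricts the OIDC `sub` claim to this repository and the intended ref.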
@@ -86,8 +84,7 @@ jobs: uses: ./.github/workflows/release-spec.yml secrets: api_bot_pat: ${{ secrets.API_BOT_PAT }} - aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_STAGING }} - aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_STAGING }} + aws_s3_role_to_assume: ${{ secrets.aws_s3_role_to_assume }} jira_api_token: ${{ secrets.JIRA_API_TOKEN }} with: aws_default_region: ${{ vars.AWS_DEFAULT_REGION}} @@ -104,8 +101,7 @@ jobs: uses: ./.github/workflows/release-spec.yml secrets: api_bot_pat: ${{ secrets.API_BOT_PAT }} - aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_PROD }} - aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_PROD }} + aws_s3_role_to_assume: ${{ secrets.aws_s3_role_to_assume }} postman_api_key: ${{ secrets.POSTMAN_API_KEY }} workspace_id: ${{ secrets.WORKSPACE_ID }} jira_api_token: ${{ secrets.JIRA_API_TOKEN }} @@ -125,8 +121,7 @@ jobs: uses: ./.github/workflows/release-spec-v1.yml secrets: api_bot_pat: ${{ secrets.API_BOT_PAT }} - aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_PROD }} - aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_PROD }} + aws_s3_role_to_assume: ${{ secrets.aws_s3_role_to_assume }} mms_deployed_sha_url: ${{ secrets.MMS_DEPLOYED_SHA_URL_PROD }} with: aws_default_region: ${{ vars.AWS_DEFAULT_REGION}} diff --git a/.github/workflows/release-spec-v1.yml b/.github/workflows/release-spec-v1.yml index bb60887d85..f30e0a05e6 100644 --- a/.github/workflows/release-spec-v1.yml +++ b/.github/workflows/release-spec-v1.yml @@ -21,9 +21,7 @@ on: secrets: # all secrets are passed explicitly in this workflow api_bot_pat: required: true - aws_access_key_id: - required: true - aws_secret_access_key: + aws_s3_role_to_assume: required: true mms_deployed_sha_url: required: true 
@@ -37,11 +35,14 @@ jobs: name: Release OpenAPI Spec for V1 (DEPRECATED) APIs runs-on: ubuntu-latest steps: + - name: aws configure + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.aws_s3_role_to_assume }} + aws-region: ${{inputs.aws_default_region}} - name: Download v1 Spec env: AWS_DEFAULT_REGION: ${{inputs.aws_default_region}} - AWS_ACCESS_KEY_ID: ${{ secrets.aws_access_key_id }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.aws_secret_access_key }} S3_BUCKET: ${{ inputs.aws_s3_bucket }} MMS_DEPLOYED_SHA_URL: ${{secrets.mms_deployed_sha_url}} run: | diff --git a/.github/workflows/release-spec.yml b/.github/workflows/release-spec.yml index b30ec8aae5..21b9f1625c 100644 --- a/.github/workflows/release-spec.yml +++ b/.github/workflows/release-spec.yml @@ -33,16 +33,14 @@ on: secrets: # all secrets are passed explicitly in this workflow api_bot_pat: required: true - aws_access_key_id: - required: true - aws_secret_access_key: - required: true postman_api_key: required: false workspace_id: required: false jira_api_token: required: true + aws_s3_role_to_assume: + required: true permissions: contents: write @@ -54,8 +52,7 @@ jobs: uses: ./.github/workflows/generate-openapi.yml secrets: api_bot_pat: ${{ secrets.api_bot_pat }} - aws_access_key_id: ${{ secrets.aws_access_key_id }} - aws_secret_access_key: ${{ secrets.aws_secret_access_key }} + aws_s3_role_to_assume: ${{ secrets.aws_s3_role_to_assume }} with: aws_default_region: ${{ inputs.aws_default_region}} aws_s3_bucket: ${{ inputs.aws_s3_bucket}} @@ -170,8 +167,7 @@ jobs: uses: ./.github/workflows/release-changelog.yml secrets: api_bot_pat: ${{ secrets.api_bot_pat }} - aws_access_key_id: ${{ secrets.aws_access_key_id }} - aws_secret_access_key: ${{ secrets.aws_secret_access_key }} + aws_s3_role_to_assume: ${{ secrets.aws_s3_role_to_assume }} with: aws_default_region: ${{ inputs.aws_default_region}} aws_s3_bucket: ${{ inputs.aws_s3_bucket}}