diff --git a/.github/actions/build-sign-publish-chainlink/action.yml b/.github/actions/build-sign-publish-chainlink/action.yml
index 924a9e04d14..3ec8226eb52 100644
--- a/.github/actions/build-sign-publish-chainlink/action.yml
+++ b/.github/actions/build-sign-publish-chainlink/action.yml
@@ -19,12 +19,6 @@ inputs:
       Eg. Public ECR repo `chainlink` and registry alias `chainlinklabs` should be `chainlinklabs/chainlink`. For a private ECR repo `chainlink` the image name should be `chainlink`
     default: chainlink/chainlink
     required: false
-  aws-access-key-id:
-    description: The IAM access key used to authenticate to ECR, used in configuring docker/login-action. Omit this and aws-secret-access-key to attempt OIDC authentication
-    required: false
-  aws-secret-access-key:
-    description: The IAM access key secret used to authenticate to ECR, used in configuring docker/login-action. Omit this and aws-secret-access-key to attempt OIDC authentication
-    required: false
   aws-role-to-assume:
     description: The AWS role to assume as the CD user, if any. Used in configuring the docker/login-action
     required: false
@@ -92,12 +86,10 @@ runs:
       echo "EOF" >> $GITHUB_ENV
 
   - if: inputs.publish == 'true'
-    # Log in to AWS for publish to ECR, OIDC auth will be attempted instead if both access-key fields are empty
+    # Log in to AWS for publish to ECR
     name: Configure AWS Credentials
     uses: aws-actions/configure-aws-credentials@ea7b857d8a33dc2fb4ef5a724500044281b49a5e # v1.6.0
     with:
-      aws-access-key-id: ${{ inputs.aws-access-key-id }}
-      aws-secret-access-key: ${{ inputs.aws-secret-access-key }}
       role-to-assume: ${{ inputs.aws-role-to-assume }}
       role-duration-seconds: ${{ inputs.aws-role-duration-seconds }}
       aws-region: ${{ inputs.aws-region }}
diff --git a/.github/workflows/build-publish.yml b/.github/workflows/build-publish.yml
index 88a41201146..68edbd47de2 100644
--- a/.github/workflows/build-publish.yml
+++ b/.github/workflows/build-publish.yml
@@ -12,6 +12,9 @@ jobs:
   build-sign-publish-chainlink:
     runs-on: ubuntu-20.04
     environment: build-publish
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
@@ -20,9 +23,7 @@ jobs:
         uses: ./.github/actions/build-sign-publish-chainlink
         with:
           publish: true
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          aws-role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }}
           aws-role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }}
           aws-region: ${{ secrets.AWS_REGION }}
           sign-images: true
diff --git a/.github/workflows/performance-tests.yml b/.github/workflows/performance-tests.yml
index feb490f2cac..40181aff2ac 100644
--- a/.github/workflows/performance-tests.yml
+++ b/.github/workflows/performance-tests.yml
@@ -10,6 +10,9 @@ on:
 jobs:
   build-chainlink:
     environment: integration
+    permissions:
+      id-token: write
+      contents: read
     name: Build Chainlink Image
     runs-on: ubuntu-latest
     steps:
@@ -18,10 +21,8 @@ jobs:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v1
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: ${{ secrets.AWS_REGION }}
-          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          aws-region: ${{ secrets.QA_AWS_REGION }}
+          role-to-assume: ${{ secrets.QA_AWS_ROLE_TO_ASSUME }}
           role-duration-seconds: 3600
       - name: Login to Amazon ECR
         id: login-ecr
@@ -46,7 +47,7 @@ jobs:
       - name: Checkout the repo
         uses: actions/checkout@v2
       - name: Run Tests
-        uses: smartcontractkit/ctf-ci-e2e-action@v1.0.2
+        uses: smartcontractkit/ctf-ci-e2e-action@41848377703354a32d355d3f2f7cb3b9e3049b8c
         with:
           test_command_to_run: make test_perf args="--procs=10 --focus=${{ github.event.inputs.focus }}"
           test_download_vendor_packages_command: make gomod
@@ -55,11 +56,9 @@ jobs:
           cl_image_tag: latest.${{ github.sha }}
           artifacts_location: ./integration-tests/performance/logs
           publish_report_paths: ./tests-perf-report.xml
-          QA_AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          QA_AWS_SECRET_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          QA_AWS_REGION: ${{ secrets.AWS_REGION }}
-          QA_AWS_ROLE_TO_ASSUME: ${{ secrets.AWS_ROLE_TO_ASSUME }}
-          QA_KUBECONFIG: ${{ secrets.KUBECONFIG }}
+          QA_AWS_REGION: ${{ secrets.QA_AWS_REGION }}
+          QA_AWS_ROLE_TO_ASSUME: ${{ secrets.QA_AWS_ROLE_TO_ASSUME }}
+          QA_KUBECONFIG: ${{ secrets.QA_KUBECONFIG }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Publish pprof artifacts
         if: ${{ success() }}