diff --git a/.github/cloudformation/README.md b/.github/cloudformation/README.md
new file mode 100644
index 0000000..63d0bc6
--- /dev/null
+++ b/.github/cloudformation/README.md
@@ -0,0 +1,3 @@
+These are
+[AWS CloudFormation templates](https://aws.amazon.com/cloudformation/resources/templates/)
+for maintaining pypi and homebrew credentials used to publish the CBMC viewer.
diff --git a/.github/cloudformation/oidc.yaml b/.github/cloudformation/oidc.yaml
new file mode 100644
index 0000000..90f7770
--- /dev/null
+++ b/.github/cloudformation/oidc.yaml
@@ -0,0 +1,23 @@
+Description:
+ Register the GitHub identity provider with the AWS security token service.
+
+Resources:
+ GithubIdentityProvider:
+ Type: AWS::IAM::OIDCProvider
+ Properties:
+ Url:
+ # The GitHub identity provider supporting OIDC
+ https://token.actions.githubusercontent.com
+ ThumbprintList:
+ # The GitHub certification authority (the signature of its certificate)
+ - 6938fd4d98bab03faadb97b34396831e3780aea1
+ ClientIdList:
+ # The AWS security token service
+ - sts.amazonaws.com
+
+
+Outputs:
+ GithubIdentityProvider:
+ Value: !Ref GithubIdentityProvider
+ Export:
+ Name: GithubIdentityProvider
diff --git a/.github/cloudformation/token.yaml b/.github/cloudformation/token.yaml
new file mode 100644
index 0000000..c35cc62
--- /dev/null
+++ b/.github/cloudformation/token.yaml
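Review bot: The comment above the ThumbprintList entry in oidc.yaml describes the value as "the signature of its certificate", but an IAM OIDC provider thumbprint is the SHA-1 fingerprint of the CA certificate at the top of the issuer's TLS chain, not a signature, so the comment should read `# SHA-1 fingerprint of the CA certificate at the top of GitHub's OIDC TLS chain; re-verify if GitHub rotates it`. Because the value is tied to a certificate GitHub can rotate, a short note on how it was obtained would let the next maintainer re-check it instead of trusting it blindly. As far as I know AWS has since started validating this particular issuer against its own root-CA trust store, so the list remains a required field but is no longer the sole trust anchor; stating that in the same comment avoids it being treated as load-bearing.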
@@ -0,0 +1,77 @@
+Description: >
+ Enable storage of access tokens in AWS Secrets Manager and access to the PAT
+ from the GitHub workflows in model-checking/cbmc-viewer.
+
+Parameters:
+ GithubRepoOrganization:
+ Type: String
+ Description: GitHub organization for the CBMC viewer
+ Default: model-checking
+ CbmcViewerRepoName:
+ Type: String
+ Description: GitHub repository for CBMC viewer
+ Default: cbmc-viewer
+ CbmcViewerPublicationTag:
+ Type: String
+ Description: GitHub tag for CBMC viewer triggering the GitHub publication workflow
+ Default: viewer-*
+
+Resources:
+
+ BrewBotEmail:
+ Type: AWS::SecretsManager::Secret
+ Properties:
+ Name: BOT_EMAIL
+ Description: >
+ The email address to use with Homebrew commits.
+
+ BrewToken:
+ Type: AWS::SecretsManager::Secret
+ Properties:
+ Name: RELEASE_CI_ACCESS_TOKEN
+ Description: >
+ GitHub access token.
+
+ PypiToken:
+ Type: AWS::SecretsManager::Secret
+ Properties:
+ Name: PYPI_ACCESS_TOKEN
+ Description: >
+ Pypi access token.
+
+ PublisherTokenReader:
+ Type: AWS::IAM::Role
+ Properties:
+ RoleName: PublisherTokenReader
+ Description: >
+ This role can retrieve the personal access token for the model
+ checking publisher in the Microsoft Marketplace.
+
+ AssumeRolePolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Principal:
+ Federated: !ImportValue GithubIdentityProvider
+ Action: sts:AssumeRoleWithWebIdentity
+ Condition:
+ StringEquals:
+ token.actions.githubusercontent.com:aud: sts.amazonaws.com
+ StringLike:
+ token.actions.githubusercontent.com:sub:
+ !Sub repo:${GithubRepoOrganization}/${CbmcViewerRepoName}:ref:refs/tags/${CbmcViewerPublicationTag}
+
+ Policies:
+ - PolicyName: PublisherTokenAccess
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action: secretsmanager:GetSecretValue
+ Resource: !Ref BrewBotEmail
+ - Effect: Allow
+ Action: secretsmanager:GetSecretValue
+ Resource: !Ref BrewToken
+ - Effect: Allow
+ Action: secretsmanager:GetSecretValue
+ Resource: !Ref PypiToken
diff --git a/.github/workflows/release-brew.yaml b/.github/workflows/release-brew.yaml
index 18c30ac..022156d 100644
--- a/.github/workflows/release-brew.yaml
+++ b/.github/workflows/release-brew.yaml
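Review bot: The `Description` of `PublisherTokenReader` says the role retrieves "the personal access token for the model checking publisher in the Microsoft Marketplace", which does not match what the role is actually granted: `secretsmanager:GetSecretValue` on the Homebrew bot email, the Homebrew GitHub token and the PyPI token. It reads like a leftover from another template; suggest `Description: >` followed by `Allows the cbmc-viewer GitHub release workflows, authenticated through the GitHub OIDC provider, to read the Homebrew and PyPI publishing secrets.` The three policy statements differ only in `Resource`, so a single statement with a `Resource` list of the three `!Ref`s is equivalent and easier to audit. `RoleName: PublisherTokenReader` is hard-coded and the workflows in this diff build `role/PublisherTokenReader` into the assume-role ARN, so a rename here must be mirrored there.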
@@ -46,29 +46,37 @@ env: FORMULA: cbmc-viewer TAP: aws/tap BOT_USER: aws-viewer-for-cbmc-release-ci - BOT_EMAIL: ${{ secrets.BOT_EMAIL }} - BOT_TOKEN: ${{ secrets.RELEASE_CI_ACCESS_TOKEN }} RELEASE_TAG: ${GITHUB_REF/refs\/tags\/} # GITHUB_REF = refs/tags/STRING-MAJOR.MINOR VERSION: $(echo $GITHUB_REF | cut -d "/" -f 3 | cut -d "-" -f 2) - FORK_REPO: https://$BOT_TOKEN@github.com/$BOT_USER/homebrew-$(echo $TAP |cut -d "/" -f 2).git + AWS_ROLE: arn:aws:iam::${{secrets.AWS_ACCOUNT}}:role/PublisherTokenReader + AWS_REGION: us-west-2 jobs: homebrew-pr: name: Homebrew Bump Formula PR runs-on: macos-latest steps: + - name: Authenticate GitHub workflow to AWS + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ env.AWS_ROLE }} + aws-region: ${{ env.AWS_REGION }} + + - name: Fetch secrets + run: | + echo "BOT_EMAIL=$(aws secretsmanager get-secret-value --secret-id BOT_EMAIL | jq -r '.SecretString')" >> $GITHUB_ENV + echo "HOMEBREW_GITHUB_API_TOKEN=$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV + - name: Configure git user name and email run: | git config --global user.name ${{ env.BOT_USER }} - git config --global user.email ${{ env.BOT_EMAIL }} + git config --global user.email $BOT_EMAIL - name: Create homebrew PR run: | brew tap ${{ env.TAP }} brew update-reset brew bump-formula-pr --tag "${{ env.RELEASE_TAG }}" --revision "$GITHUB_SHA" ${{ env.TAP }}/${{ env.FORMULA }} --force - env: - HOMEBREW_GITHUB_API_TOKEN: ${{ env.BOT_TOKEN }} build-bottle: needs: homebrew-pr 
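Review bot: The `aws-actions/configure-aws-credentials@v4` step added under `steps:` can only obtain an OIDC token if the job or workflow grants `permissions: id-token: write`; no `permissions:` block is visible in this hunk, so if the workflow does not already declare one the assume-role step will fail, and that grant should be added to every job that now calls the action (this job, the two in the following hunks, and the job in release-pypi.yaml). Separately, values pulled with `aws secretsmanager get-secret-value` and appended to `$GITHUB_ENV` are not registered with the runner's log masking the way `${{ secrets.* }}` references are, so a later `git remote -v`, `set -x` or a failing command can print the token in clear text; mask each value before exporting it, e.g. `echo "::add-mask::$TOKEN"`, and quote `"$GITHUB_ENV"` and `"$BOT_EMAIL"` while touching those lines. The same unmasked export appears in the two later hunks of this file and in release-pypi.yaml. Consider pinning `aws-actions/configure-aws-credentials` to a full commit SHA rather than the mutable `v4` tag, in line with the usual supply-chain guidance for third-party actions.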
@@ -81,12 +89,24 @@ jobs: id: set-up-homebrew uses: Homebrew/actions/setup-homebrew@master + - name: Authenticate GitHub workflow to AWS + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ env.AWS_ROLE }} + aws-region: ${{ env.AWS_REGION }} + + - name: Fetch secrets + run: | + echo "BOT_EMAIL=$(aws secretsmanager get-secret-value --secret-id BOT_EMAIL | jq -r '.SecretString')" >> $GITHUB_ENV + echo "HOMEBREW_GITHUB_API_TOKEN=$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV + echo "FORK_REPO=https://$HOMEBREW_GITHUB_API_TOKEN@github.com/$BOT_USER/homebrew-$(echo $TAP |cut -d / -f 2).git" >> $GITHUB_ENV + - name: Checkout PR run: | brew tap ${{ env.TAP }} brew update-reset cd $(brew --repo ${{ env.TAP }}) - git remote add fork-repo ${{ env.FORK_REPO }} + git remote add fork-repo $FORK_REPO git fetch fork-repo git checkout -B bump-${{ env.FORMULA }}-${{ env.VERSION }} fork-repo/bump-${{ env.FORMULA }}-${{ env.VERSION }} 
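Review bot: In the new `Fetch secrets` step the third `echo` expands `$HOMEBREW_GITHUB_API_TOKEN` in the same shell that has just appended it to `$GITHUB_ENV`, but variables written to `$GITHUB_ENV` only become visible to subsequent steps, so `FORK_REPO` is exported as `https://@github.com/...` with an empty credential. Fetching from a public fork may still succeed, which would hide the defect until a step that needs authenticated access runs (the rest of this job is outside the hunk). Capture the secret in a shell variable, mask it, and derive both exports from that variable; the same step is repeated in the next hunk of this file and needs the same change.
```yaml
      - name: Fetch secrets
        run: |
          BOT_EMAIL=$(aws secretsmanager get-secret-value --secret-id BOT_EMAIL --query SecretString --output text)
          TOKEN=$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN --query SecretString --output text)
          echo "::add-mask::$TOKEN"
          echo "BOT_EMAIL=$BOT_EMAIL" >> "$GITHUB_ENV"
          echo "HOMEBREW_GITHUB_API_TOKEN=$TOKEN" >> "$GITHUB_ENV"
          echo "FORK_REPO=https://$TOKEN@github.com/$BOT_USER/homebrew-$(echo "$TAP" | cut -d / -f 2).git" >> "$GITHUB_ENV"
      # … unchanged: Checkout PR step …
```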
@@ -136,17 +156,29 @@ jobs: with: name: bottles + - name: Authenticate GitHub workflow to AWS + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ env.AWS_ROLE }} + aws-region: ${{ env.AWS_REGION }} + + - name: Fetch secrets + run: | + echo "BOT_EMAIL=$(aws secretsmanager get-secret-value --secret-id BOT_EMAIL | jq -r '.SecretString')" >> $GITHUB_ENV + echo "HOMEBREW_GITHUB_API_TOKEN=$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV + echo "FORK_REPO=https://$HOMEBREW_GITHUB_API_TOKEN@github.com/$BOT_USER/homebrew-$(echo $TAP |cut -d / -f 2).git" >> $GITHUB_ENV + - name: Configure git user name and email run: | git config --global user.name ${{ env.BOT_USER }} - git config --global user.email ${{ env.BOT_EMAIL }} + git config --global user.email BOT_EMAIL - name: Checkout PR run: | brew tap ${{ env.TAP }} brew update-reset cd $(brew --repo ${{ env.TAP }}) - git remote add fork-repo ${{ env.FORK_REPO }} + git remote add fork-repo $FORK_REPO git fetch fork-repo git checkout -B bump-${{ env.FORMULA }}-${{ env.VERSION }} fork-repo/bump-${{ env.FORMULA }}-${{ env.VERSION }}
diff --git a/.github/workflows/release-pypi.yaml b/.github/workflows/release-pypi.yaml
index fdb18d5..adf3cee 100644
--- a/.github/workflows/release-pypi.yaml
+++ b/.github/workflows/release-pypi.yaml
@@ -3,6 +3,10 @@ on: release: types: [created] +env: + AWS_ROLE: arn:aws:iam::${{secrets.AWS_ACCOUNT}}:role/PublisherTokenReader + AWS_REGION: us-west-2 + jobs: upload-to-pypi: name: Upload to PyPi 
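Review bot: `git config --global user.email BOT_EMAIL` in the `Configure git user name and email` step is missing the `$`, so the commit author email becomes the literal string `BOT_EMAIL` rather than the value fetched from Secrets Manager; the same step in the first hunk of this file uses `$BOT_EMAIL`, so this line should read `git config --global user.email "$BOT_EMAIL"`. This job's `Fetch secrets` step also expands `$HOMEBREW_GITHUB_API_TOKEN` in the same step that exports it to `$GITHUB_ENV`, so `FORK_REPO` is written with an empty credential, as noted for the previous hunk. The job this belongs to starts above the hunk.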
@@ -27,8 +31,15 @@ jobs: asset_path: dist/${{ steps.get_package_name.outputs.package_name }} asset_name: ${{ steps.get_package_name.outputs.package_name }} asset_content_type: application/zip + - name: Authenticate GitHub workflow to AWS + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ env.AWS_ROLE }} + aws-region: ${{ env.AWS_REGION }} + - name: Fetch secrets + run: | + echo "TWINE_PASSWORD=$(aws secretsmanager get-secret-value --secret-id PYPI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV - name: Upload to PyPi env: TWINE_USERNAME: __token__ - TWINE_PASSWORD: ${{ secrets.PYPI_ACCESS_TOKEN }} run: python3 -m twine upload dist/*
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 6056a82..aa21cb0 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -10,7 +10,7 @@ jobs: name: CBMC viewer release runs-on: ubuntu-20.04 env: - GITHUB_TOKEN: ${{ secrets.RELEASE_CI_ACCESS_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout code uses: actions/checkout@v2
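Review bot: Moving `TWINE_PASSWORD` from the step-level `env:` of `Upload to PyPi` into `$GITHUB_ENV` widens its exposure from that single step to every later step in the job, and the value is no longer log-masked the way the removed `${{ secrets.PYPI_ACCESS_TOKEN }}` reference was. Keeping fetch and use in one step restores the narrower scope: `run: TWINE_PASSWORD=$(aws secretsmanager get-secret-value --secret-id PYPI_ACCESS_TOKEN --query SecretString --output text) python3 -m twine upload dist/*` with `TWINE_USERNAME: __token__` kept in the step's `env:`. Longer term, PyPI's trusted publishing (OIDC via `pypa/gh-action-pypi-publish`) would remove the stored PyPI token from Secrets Manager entirely, leaving only the Homebrew token to manage. The job header is outside the hunk, so I cannot tell whether `id-token: write` is granted for the new assume-role step.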
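Review bot: Replacing the PAT with `secrets.GITHUB_TOKEN` in release.yaml changes trigger semantics: GitHub does not start new workflow runs for events created with the built-in token, so if this job is the one that publishes the GitHub release, the `on: release: types: [created]` trigger that release-pypi.yaml relies on (visible earlier in this diff) will no longer fire and the PyPI upload will silently not happen. If that is the case, either keep a PAT or a GitHub App token for the release-creating step, or chain the PyPI job via `workflow_run` or `workflow_call` instead of the release event. The built-in token also needs `permissions: contents: write` on this job to create a release; no `permissions:` block is visible in the hunk, so the workflow-level default should be checked. A comment next to the env line recording the choice would help, e.g. `# built-in token: events it creates do not trigger other workflows`.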