diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d149fcc1..ce534998 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -67,17 +67,22 @@ jobs:
       DEVELOPER_DIR: /Applications/Xcode.app
       XCODE_DESTINATION: 'OS X'
       NSUnbufferedIO: YES
+      BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.MOBILEPROVISION_BASE64 }}
+      KEYCHAIN_PASSWORD: ${{ secrets.TEST_KEYCHAIN_PASSWORD }}
+      CI_TEST_SECRET_MANAGER_ROLE: arn:aws:iam::976188456881:role/CI_TEST_SECRET_MANAGER_ACCESS
     steps:
       - name: Build ${{ env.PACKAGE_NAME }} + consumers
         run: |
           python3 -c "from urllib.request import urlretrieve; urlretrieve('${{ env.BUILDER_HOST }}/${{ env.BUILDER_SOURCE }}/${{ env.BUILDER_VERSION }}/builder.pyz?run=${{ env.RUN }}', 'builder')"
           chmod a+x builder
           ./builder build -p ${{ env.PACKAGE_NAME }}
+
+      - name: configure AWS credentials (PubSub)
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ env.CI_TEST_SECRET_MANAGER_ROLE }}
+          aws-region: us-east-1
       - name: Install the Apple certificate and provisioning profile
-        env:
-          BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.MOBILEPROVISION_BASE64 }}
-          KEYCHAIN_PASSWORD: ${{ secrets.TEST_KEYCHAIN_PASSWORD }}
-          CI_TEST_SECRET_MANAGER_ROLE: arn:aws:iam::976188456881:role/CI_TEST_SECRET_MANAGER_ACCESS
         run: |
           CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
           PP_PATH=$RUNNER_TEMP/shoppingmacdev.mobileprovision