GitHub Actions to cache aws auth in each workflow run, then reuse in jobs. Workaround for https://github.com/aws-actions/configure-aws-credentials/issues/299.

aws_oidc-auth_workflow.yaml

name: aws oidc credential with cache

on:
  workflow_dispatch:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]

# github.job = job name
# github.run_id = unique id for workflow. re-run will use same id.
# github.run_attempt = incremented id for workflow. re-run will increment value.

env:
  cache-key: GitHubActions-auth-${{ github.run_id }}-${{ github.run_attempt }}

jobs:
  # auth aws only once a workflow
  auth-aws:
    permissions:
      contents: write
      id-token: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Configure AWS Credentials
        uses: ./.github/actions/aws_oidc_auth
        with:
          aws-region: ap-northeast-1
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          role-session-name: GitHubActions-${{ github.job }}-${{ github.run_id }}-${{ github.run_attempt }}
          cache-key: ${{ env.cache-key }}

  # even parallel use, aws auth will use cache.
  # make sure OS is same as cached runner.
  use-auth:
    needs: [auth-aws]
    strategy:
      matrix:
        name: ["a", "b", "c", "d", "e", "f", "g"]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Configure AWS Credentials
        uses: ./.github/actions/restore_aws_oidc_auth
        with:
          cache-key: ${{ env.cache-key }}
      - name: get-caller-identity is allowed to run on role.
        run: aws sts get-caller-identity

local_action1.yaml

# .github/actions/aws_oidc_auth/action.yaml
name: aws oidc auth with cache
description: |
  Get aws oidc auth and cache it.
  This avoid AWS OIDC AssumeRoleWithWebIdentity parallel request issue.
  Error: Couldn't retrieve verification key from your identity provider,  please reference AssumeRoleWithWebIdentity documentation for requirements

  see: https://github.com/aws-actions/configure-aws-credentials/issues/299
inputs:
  aws-region:
    description: "AWS Region"
    required: true
  role-to-assume:
    description: "AWS IAM Role to assume"
    required: true
  role-session-name:
    description: "AWS IAM Role Session Name. Shown on CloudTrail"
    required: true
  cache-key:
    description: "cache key. you must set this key to restore cache."
    required: true
runs:
  using: "composite" # this is key point
  steps:
    - name: Configure AWS Credentials
      # must use "master", not "v1". v1 is not yet released to use latest role-to-assume.
      # Error: Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers
      uses: aws-actions/configure-aws-credentials@master
      with:
        aws-region: ${{ inputs.aws-region }}
        role-to-assume: ${{ inputs.role-to-assume }}
        role-session-name: ${{ inputs.role-session-name }}
        role-duration-seconds: 900 # minimum: 900sec, maximum: iam role session duration
    - name: gen auth file
      shell: bash
      run: |
        echo "::group::test auth is valid"
          aws sts get-caller-identity
        echo "::endgroup::"

        mkdir -p ~/.aws/${{ inputs.cache-key }}/
        echo "${{ env.AWS_ACCESS_KEY_ID }}" > ~/.aws/${{ inputs.cache-key }}/aws_access_key_id
        echo "${{ env.AWS_SECRET_ACCESS_KEY }}" > ~/.aws/${{ inputs.cache-key }}/aws_secret_access_key
        echo "${{ env.AWS_SESSION_TOKEN }}" > ~/.aws/${{ inputs.cache-key }}/aws_session_token
        echo "${{ env.AWS_REGION }}" > ~/.aws/${{ inputs.cache-key }}/region
        echo "${{ env.AWS_DEFAULT_REGION }}" > ~/.aws/${{ inputs.cache-key }}/default_region
    - name: Cache aws auth
      uses: actions/cache@v2
      with:
        path: |
          ~/.aws/${{ inputs.cache-key }}
        key: ${{ inputs.cache-key }}

local_action2.yaml

# .github/actions/restore_aws_oidc_auth/action.yaml
name: restore aws oidc auth from cache
description: |
  restore aws oidc auth from cache
inputs:
  cache-key:
    description: "cache key to restore"
    required: true
runs:
  using: "composite"
  steps:
    - name: Restore aws auth
      uses: actions/cache@v2
      id: cache-aws
      with:
        path: |
          ~/.aws/${{ inputs.cache-key }}
        key: ${{ inputs.cache-key }}
    - name: Is Cache Hit
      shell: bash
      run: echo "cache hit? ${{ steps.cache-aws.outputs.cache-hit }}"
    - name: Restore ENV
      run: |
        set -e
        AWS_ACCESS_KEY_ID=$(head -n 1 ~/.aws/${{ inputs.cache-key }}/aws_access_key_id)
        echo "::add-mask::${AWS_ACCESS_KEY_ID}"
        echo "AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}" >> "$GITHUB_ENV"
        AWS_ACCESS_KEY_ID=$(head -n 1 ~/.aws/${{ inputs.cache-key }}/aws_secret_access_key)
        echo "::add-mask::${AWS_ACCESS_KEY_ID}"
        echo "AWS_SECRET_ACCESS_KEY=${AWS_ACCESS_KEY_ID}" >> "$GITHUB_ENV"
        AWS_SESSION_TOKEN=$(head -n 1 ~/.aws/${{ inputs.cache-key }}/aws_session_token)
        echo "::add-mask::${AWS_SESSION_TOKEN}"
        echo "AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}" >> "$GITHUB_ENV"
        echo "AWS_REGION=$(head -n 1 ~/.aws/${{ inputs.cache-key }}/region)" >> "$GITHUB_ENV"
        echo "AWS_DEFAULT_REGION=$(head -n 1 ~/.aws/${{ inputs.cache-key }}/default_region)" >> "$GITHUB_ENV"
      shell: bash
    - name: test auth is valid
      run: aws sts get-caller-identity
      shell: bash

😄 awesome! Thank you 👍

Already fixed. You don't need this practice anymore.