diff --git a/.github/workflows/cleanup-stale-schemas.yml b/.github/workflows/cleanup-stale-schemas.yml index 0f3a6e158..f651cb892 100644 --- a/.github/workflows/cleanup-stale-schemas.yml +++ b/.github/workflows/cleanup-stale-schemas.yml @@ -20,6 +20,9 @@ env: jobs: cleanup: runs-on: ubuntu-latest + permissions: + contents: read + id-token: write strategy: fail-fast: false matrix: @@ -30,6 +33,13 @@ jobs: - databricks_catalog - athena steps: + - name: Configure AWS credentials + if: matrix.warehouse-type == 'athena' + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }} + aws-region: eu-west-1 + - name: Checkout dbt package uses: actions/checkout@v6 with: diff --git a/.github/workflows/test-all-warehouses.yml b/.github/workflows/test-all-warehouses.yml index 034807d3f..4c1d04403 100644 --- a/.github/workflows/test-all-warehouses.yml +++ b/.github/workflows/test-all-warehouses.yml @@ -86,13 +86,17 @@ jobs: test: needs: [check-fork-status, approve-fork] + permissions: + contents: read + # Required so the called test-warehouse.yml can mint an OIDC token to + # assume the AWS role; per GitHub, id-token: write must be granted by + # the calling workflow. + id-token: write if: | ! cancelled() && needs.check-fork-status.result == 'success' && needs.check-fork-status.outputs.should_skip != 'true' && (needs.check-fork-status.outputs.is_fork != 'true' || needs.approve-fork.result == 'success') - permissions: - contents: read strategy: fail-fast: false matrix: @@ -127,3 +131,4 @@ jobs: CI_WAREHOUSE_SECRETS: ${{ secrets.CI_WAREHOUSE_SECRETS }} CI_SLACK_WEBHOOK: ${{ secrets.CI_SLACK_WEBHOOK }} CI_SLACK_TOKEN: ${{ secrets.CI_SLACK_TOKEN }} + AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }} diff --git a/.github/workflows/test-release.yml b/.github/workflows/test-release.yml index 03a9bd431..676143d1b 100644 --- a/.github/workflows/test-release.yml +++ b/.github/workflows/test-release.yml 
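Review bot: The new `Configure AWS credentials` step in cleanup-stale-schemas.yml references `aws-actions/configure-aws-credentials@v4` by a mutable major tag, so the code that receives the job's OIDC token and exchanges it for an AWS session can change without a commit here; pin it to a full-length commit SHA with the version in a trailing comment, e.g. `uses: aws-actions/configure-aws-credentials@<commit-sha> # v4`. The `if: matrix.warehouse-type == 'athena'` guard limits the role assumption to the Athena leg, but `id-token: write` is a job-level grant and is available to every matrix leg; that cannot be expressed per-step in Actions, so the role's trust policy (not visible here) should be restricted on the token's `sub` claim to this repository and workflow rather than relying on the step guard. `aws-region: eu-west-1` is hard-coded here and again in test-warehouse.yml; consider hoisting it into the workflow's `env:` block. The `steps:` list continues outside the hunk.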
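Review bot: Granting `id-token: write` to the `test` job extends AWS access to fork pull requests, because the job's `if:` still runs when `needs.approve-fork.result == 'success'`, and an OIDC token minted for such a run carries the base repository's claims, so the role trust policy cannot distinguish an approved fork run from a trusted one. Until now an approved fork run received only the warehouse and Slack secrets; after this change the PR-controlled checkout also executes under an AWS session that can write to the CI artifacts bucket and, for the Athena leg, run queries through the role. If that is intended, keep the role least-privilege (`s3:PutObject` on the report prefix plus what Athena needs) and record the decision next to the grant, e.g. `# NOTE: approved fork PRs also run under this role; keep its policy minimal.`; if it is not intended, fork runs need a separate path that does not assume the role. The `matrix:` stanza continues past the end of the hunk.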
@@ -43,6 +43,12 @@ jobs: echo "dbt bumped: ${{ steps.bump-tag.outputs.dbt-bumped }}" validate-upgrade-cli: + permissions: + contents: read + # Required so the called test-warehouse.yml can mint an OIDC token to + # assume the AWS role; per GitHub, id-token: write must be granted by + # the calling workflow. + id-token: write strategy: fail-fast: false matrix: diff --git a/.github/workflows/test-warehouse.yml b/.github/workflows/test-warehouse.yml index 9254b4f4d..26158e9f3 100644 --- a/.github/workflows/test-warehouse.yml +++ b/.github/workflows/test-warehouse.yml @@ -64,6 +64,8 @@ on: required: true CI_SLACK_TOKEN: required: true + AWS_OIDC_ROLE_ARN: + required: true permissions: {} @@ -80,6 +82,7 @@ jobs: runs-on: ubuntu-latest permissions: contents: read + id-token: write defaults: run: working-directory: elementary @@ -95,6 +98,12 @@ jobs: path: elementary ref: ${{ inputs.elementary-ref }} + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }} + aws-region: eu-west-1 + - name: Checkout dbt package uses: actions/checkout@v6 with: @@ -443,12 +452,9 @@ jobs: --slack-file-name "report_${{ inputs.warehouse-type }}_${{ env.BRANCH_NAME }}.html" --slack-token "$SLACK_TOKEN" --slack-channel-name oss-ci-tests - # TODO: Implement OIDC for s3 testing - # --bucket-file-path "ci_reports/report_${{ inputs.warehouse-type }}_${{ env.BRANCH_NAME }}.html" - # --aws-access-key-id "$AWS_ACCESS_KEY_ID" - # --aws-secret-access-key "$AWS_SECRET_ACCESS_KEY" - # --s3-bucket-name elementary-ci-artifacts - # --update-bucket-website true + --bucket-file-path "ci_reports/report_${{ inputs.warehouse-type }}_${{ env.BRANCH_NAME }}.html" + --s3-bucket-name elementary-ci-artifacts + --update-bucket-website true - name: Set artifact name id: set_artifact_name 
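Review bot: `validate-upgrade-cli` now grants `id-token: write`, but this hunk does not show `AWS_OIDC_ROLE_ARN` being passed to the called workflow, and test-warehouse.yml declares that secret `required: true`; unless the job uses `secrets: inherit` (its `with:`/`secrets:` stanza is outside the hunk), the reusable-workflow call will be rejected for the missing secret. test-all-warehouses.yml in the same change adds the explicit line `AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}`; the same line belongs here if secrets are listed explicitly. The job definition continues beyond the hunk.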
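Review bot: In test-warehouse.yml the `Configure AWS credentials` step runs first and unconditionally, so the assumed-role session is exported into the job environment for every later step, including the dbt runs of the checked-out ref, for all warehouse types even though only the Athena profile and the final report upload consume it. For non-Athena legs the session is only needed at the end of the job; assuming the role immediately before the upload step would shorten the window in which test code can use it. Note also that the action defaults to a one-hour session unless `role-duration-seconds` is set (capped by the role's max session duration); the upload sits at the end of a long job, so a warehouse run that outlasts the session will fail at the upload with an expired token unless the duration is raised or the configure step is repeated before the upload. As in the other workflow, pin the action to a commit SHA rather than `@v4`.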
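Review bot: The re-enabled upload drops the `--aws-access-key-id`/`--aws-secret-access-key` flags, so the CLI must now pick up the OIDC session from `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` in the job environment; if this step's `env:` block (outside the hunk) still maps `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` from the static warehouse secrets, step env overrides job env, the session token will not match and the upload will fail — remove those mappings. The object key `ci_reports/report_<warehouse>_${BRANCH_NAME}.html` embeds the PR branch name, which for fork runs is chosen by the submitter and may contain `/`, so the IAM role should be limited to `s3:PutObject` on `arn:aws:s3:::elementary-ci-artifacts/ci_reports/*` plus whatever bucket-level permission `--update-bucket-website true` presumably needs, and nothing wider. The `run:` block starts before this hunk.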
diff --git a/tests/e2e_dbt_project/snapshots/failed_snapshot.sql b/tests/e2e_dbt_project/snapshots/failed_snapshot.sql index 0c92e6afa..47550fcff 100644 --- a/tests/e2e_dbt_project/snapshots/failed_snapshot.sql +++ b/tests/e2e_dbt_project/snapshots/failed_snapshot.sql @@ -1,8 +1,9 @@ {% snapshot failed_snapshot() %} +{# target_schema is required by dbt; reuse target.schema so this lands in the per-run CI schema. #} {{ config( - target_schema='snapshots', + target_schema=target.schema, unique_key='unique_id', strategy='timestamp', updated_at='generated_at', diff --git a/tests/profiles/profiles.yml.j2 b/tests/profiles/profiles.yml.j2 index 0ea3a7257..32167402f 100644 --- a/tests/profiles/profiles.yml.j2 +++ b/tests/profiles/profiles.yml.j2 @@ -149,8 +149,7 @@ elementary_tests: region_name: {{ athena_region | toyaml }} database: awsdatacatalog schema: {{ schema_name }} - aws_access_key_id: {{ athena_aws_access_key_id | toyaml }} - aws_secret_access_key: {{ athena_aws_secret_access_key | toyaml }} + work_group: oss_tests threads: 4 # The internal CLI dbt_project uses profile "elementary", so we alias the
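Review bot: Removing `aws_access_key_id`/`aws_secret_access_key` from the Athena profile means dbt-athena now resolves credentials through the default boto3 chain — in CI the session exported by configure-aws-credentials — so the `athena_aws_access_key_id`/`athena_aws_secret_access_key` template variables and the static IAM user keys behind them are now dead; if they still exist, remove them from the `CI_WAREHOUSE_SECRETS` payload and deactivate and delete the keys in IAM, otherwise the long-lived credentials this change replaces keep standing. Add a comment above `work_group: oss_tests` recording the new credential source, e.g. `# No static keys: dbt-athena uses the ambient AWS credential chain (OIDC role in CI, local profile/env otherwise).`, and make sure the `oss_tests` workgroup enforces its own result location so the role does not need broader S3 access than the workgroup and report prefix. The profile stanza starts above the hunk.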