diff --git a/API.md b/API.md
index 70ea3a67..ecbd48cf 100644
--- a/API.md
+++ b/API.md
@@ -1956,14 +1956,31 @@ const gitHubActionRoleProps: GitHubActionRoleProps = { ... }
| **Name** | **Type** | **Description** |
| --- | --- | --- |
-| repos
| string[]
| A list of GitHub repositories you want to be able to access the IAM role. |
| provider
| aws-cdk-lib.aws_iam.IOpenIdConnectProvider
| The GitHub OpenId Connect Provider. Must have provider url `https://token.actions.githubusercontent.com`. The audience must be `sts:amazonaws.com`. |
+| repos
| string[]
| A list of GitHub repositories you want to be able to access the IAM role. |
| roleName
| string
| The name of the Oidc role. |
+| subjectClaims
| string[]
| A list of subject claims allowed to access the IAM role. |
| thumbprints
| string[]
| Thumbprints of GitHub's certificates. |
---
-##### `repos`Required
+##### `provider`Optional
+
+```typescript
+public readonly provider: IOpenIdConnectProvider;
+```
+
+- *Type:* aws-cdk-lib.aws_iam.IOpenIdConnectProvider
+- *Default:* a provider is created for you.
+
+The GitHub OpenId Connect Provider. Must have provider url `https://token.actions.githubusercontent.com`. The audience must be `sts:amazonaws.com`.
+
+Only one such provider can be defined per account, so if you already
+have a provider with the same url, a new provider cannot be created for you.
+
+---
+
+##### `repos`Optional
```typescript
public readonly repos: string[];
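Review bot: with `repos` changed from Required to Optional and `subjectClaims` also Optional, the table rows and the `##### \`repos\`Optional` entry do not say what happens when neither is supplied; state either that at least one of `repos` / `subjectClaims` must be given or what the role's trust condition is when both are empty (an unconstrained trust policy would be the worst case here), and add a `- *Default:*` line to the `repos` entry as the `provider` and `roleName` entries have. The `subjectClaims` table row could also point to the wildcard semantics documented in its own section so readers scanning the table do not assume exact-match. Separately, the re-added `provider` text keeps "The audience must be `sts:amazonaws.com`"; the audience AWS documents for the GitHub provider is `sts.amazonaws.com`, so this looks like a typo worth fixing while the paragraph is being moved.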
@@ -1975,37 +1992,40 @@ A list of GitHub repositories you want to be able to access the IAM role.
Each entry should be your GitHub username and repository passed in as a
single string.
+An entry `owner/repo` is equivalent to the subjectClaim `repo:owner/repo:*`.
For example, `['owner/repo1', 'owner/repo2'].
---
-##### `provider`Optional
+##### `roleName`Optional
```typescript
-public readonly provider: IOpenIdConnectProvider;
+public readonly roleName: string;
```
-- *Type:* aws-cdk-lib.aws_iam.IOpenIdConnectProvider
-- *Default:* a provider is created for you.
-
-The GitHub OpenId Connect Provider. Must have provider url `https://token.actions.githubusercontent.com`. The audience must be `sts:amazonaws.com`.
+- *Type:* string
+- *Default:* 'GitHubActionRole'
-Only one such provider can be defined per account, so if you already
-have a provider with the same url, a new provider cannot be created for you.
+The name of the Oidc role.
---
-##### `roleName`Optional
+##### `subjectClaims`Optional
```typescript
-public readonly roleName: string;
+public readonly subjectClaims: string[];
```
-- *Type:* string
-- *Default:* 'GitHubActionRole'
+- *Type:* string[]
-The name of the Oidc role.
+A list of subject claims allowed to access the IAM role.
+
+See https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
+A subject claim can include `*` and `?` wildcards according to the `StringLike`
+condition operator.
+
+For example, `['repo:owner/repo1:ref:refs/heads/branch1', 'repo:owner/repo1:environment:prod']`
---
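Review bot: the `subjectClaims` section should spell out the scope of a wildcard, since `repo:owner/repo:*` (which the `repos` text above now says every `owner/repo` entry expands to) matches every subject GitHub issues for that repository, i.e. any branch, tag, environment or pull-request workflow; the linked security-hardening page recommends scoping to a specific branch or environment, and the `StringLike` sentence here should say so in one line, e.g. "Prefer a narrow claim such as `repo:owner/repo:ref:refs/heads/main` over `repo:owner/repo:*`." It should also state how `repos` and `subjectClaims` combine (presumably the union of both lists is allowed) so readers do not expect one to restrict the other. Two smaller points: add a `- *Default:*` line after `- *Type:* string[]` to match the `roleName` entry, and put a blank line (or a full stop) after the `See https://docs.github.com/...` line, otherwise Markdown joins it and "A subject claim can include ..." into one paragraph with the URL running into the sentence.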