Skip to content
Latchkey

Vault JWT/OIDC "role could not be found" (GitHub Actions) in CI

The GitHub Actions OIDC login sent a role name that the Vault jwt auth mount does not have. Vault cannot map the request to any configured role, so it rejects the login before checking claims.

What this error means

A vault write auth/jwt/login role=... jwt=... call fails with "Code: 400 ... * role \"github-actions\" could not be found".

vault
Error writing data to auth/jwt/login: Error making API request.

URL: PUT https://vault.example.com/v1/auth/jwt/login
Code: 400. Errors:

* role "github-actions" could not be found

Common causes

The role name does not exist on the mount

The login references role=github-actions but no such role was created under auth/jwt/role/, so Vault has nothing to match.

The auth method is mounted at a different path

The jwt/oidc method is enabled at a non-default path (like auth/gha), so a login against auth/jwt finds no role.

How to fix it

Create the role on the correct mount

  1. Confirm the jwt mount path with vault auth list.
  2. Create the role with bound claims for your repo and a policy.
  3. Log in using that exact role name and mount.
Terminal
vault write auth/jwt/role/github-actions \
  role_type="jwt" user_claim="sub" \
  bound_audiences="https://github.com/my-org" \
  bound_claims='{"repository":"my-org/my-repo"}' \
  token_policies="ci-read" token_ttl=15m

Reference the right mount path

If the method is at auth/gha, log in there, not auth/jwt.

Terminal
vault write auth/gha/login role=github-actions jwt="$ACTIONS_ID_TOKEN"

How to prevent it

  • Keep the role name in CI identical to the configured Vault role.
  • Document the jwt mount path so logins target it correctly.
  • Verify roles with vault list auth/jwt/role before relying on them.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →