Vault JWT/OIDC "role could not be found" (GitHub Actions) in CI
The GitHub Actions OIDC login sent a role name that the Vault jwt auth mount does not have. Vault cannot map the request to any configured role, so it rejects the login before checking claims.
What this error means
A vault write auth/jwt/login role=... jwt=... call fails with "Code: 400 ... * role \"github-actions\" could not be found".
vault
Error writing data to auth/jwt/login: Error making API request.
URL: PUT https://vault.example.com/v1/auth/jwt/login
Code: 400. Errors:
* role "github-actions" could not be foundCommon causes
The role name does not exist on the mount
The login references role=github-actions but no such role was created under auth/jwt/role/, so Vault has nothing to match.
The auth method is mounted at a different path
The jwt/oidc method is enabled at a non-default path (like auth/gha), so a login against auth/jwt finds no role.
How to fix it
Create the role on the correct mount
- Confirm the jwt mount path with
vault auth list. - Create the role with bound claims for your repo and a policy.
- Log in using that exact role name and mount.
Terminal
vault write auth/jwt/role/github-actions \
role_type="jwt" user_claim="sub" \
bound_audiences="https://github.com/my-org" \
bound_claims='{"repository":"my-org/my-repo"}' \
token_policies="ci-read" token_ttl=15mReference the right mount path
If the method is at auth/gha, log in there, not auth/jwt.
Terminal
vault write auth/gha/login role=github-actions jwt="$ACTIONS_ID_TOKEN"How to prevent it
- Keep the role name in CI identical to the configured Vault role.
- Document the jwt mount path so logins target it correctly.
- Verify roles with
vault list auth/jwt/rolebefore relying on them.
Related guides
Vault JWT/OIDC "claim ... does not match" (bound_claims) in CIFix Vault JWT/OIDC "claim does not match associated bound claim" in CI - the GitHub OIDC token subject or rep…
Vault JWT/OIDC "invalid audience" (bound_audiences) in CIFix Vault JWT/OIDC "invalid audience" in CI - the aud claim in the GitHub OIDC token does not match the role…
Vault "Error making API request ... Code: 403" in CIFix Vault "Error making API request ... Code: 403" in CI - the token authenticated but is not authorized for…