Skip to content
Latchkey

act OIDC "id-token" not available running Actions locally

GitHub OIDC issues short-lived id-tokens from a GitHub-hosted endpoint. act runs outside GitHub and has no such issuer, so permissions: id-token: write and cloud logins that rely on OIDC cannot get a token locally.

What this error means

A step (often a cloud login) fails with "Unable to get ACTIONS_ID_TOKEN_REQUEST_URL" or "OIDC token could not be requested" under act.

act
Error: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable
Error: Could not fetch an OIDC token from the GitHub provider

Common causes

No GitHub OIDC issuer locally

The OIDC request URL and token are provided by GitHub-hosted infrastructure that act does not replicate.

A step depends on federated cloud login

Actions that exchange an OIDC token for cloud credentials have nothing to exchange when run under act.

How to fix it

Use static credentials for local runs

Provide a scoped access key as a local secret instead of OIDC when testing with act.

Terminal
act -s AWS_ACCESS_KEY_ID=... -s AWS_SECRET_ACCESS_KEY=... -j deploy

Skip OIDC-only steps locally

Guard cloud-login steps so they run on GitHub but are skipped under act.

.github/workflows/ci.yml
- name: Cloud login (OIDC)
  if: ${{ !env.ACT }}
  uses: aws-actions/configure-aws-credentials@v4

How to prevent it

  • Do not rely on OIDC for steps you intend to test with act.
  • Gate OIDC-only steps with if: !env.ACT.
  • Use static, least-privilege credentials for local runs only.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →