Skip to content
Latchkey

GitHub Actions configure-aws-credentials "Could not load credentials" (OIDC)

OIDC role assumption needs the workflow to mint an id-token and an IAM role whose trust policy accepts the GitHub OIDC provider and the exact subject. A missing id-token permission or a mismatched trust condition fails the assume-role.

What this error means

A configure-aws-credentials step using role-to-assume fails to load credentials, sometimes citing AssumeRoleWithWebIdentity or a missing token.

github-actions
Error: Could not load credentials from any providers
Error: Not authorized to perform sts:AssumeRoleWithWebIdentity

Common causes

Missing id-token: write permission

Without permissions: id-token: write the workflow cannot mint the OIDC token, so the action has nothing to exchange.

Trust policy subject/audience mismatch

The IAM role trust policy must match the repo/branch sub and the sts.amazonaws.com audience; a mismatch is rejected.

How to fix it

Grant id-token and align the trust policy

  1. Add permissions: id-token: write (and contents: read) to the job.
  2. Set the role trust policy condition on token.actions.githubusercontent.com:sub to your repo/branch.
  3. Pass role-to-assume and aws-region; omit static keys.
.github/workflows/ci.yml
permissions:
  id-token: write
  contents: read
steps:
  - uses: aws-actions/configure-aws-credentials@v4
    with:
      role-to-assume: arn:aws:iam::123456789012:role/gha
      aws-region: us-east-1

How to prevent it

  • Always set id-token: write for OIDC jobs.
  • Scope the trust policy sub condition to the exact repo and ref.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →