GitHub Actions google-github-actions/auth WIF "unable to generate credentials"
google-github-actions/auth could not exchange the GitHub OIDC token for Google credentials. The job is missing id-token: write, the workload_identity_provider is wrong, or the provider attribute condition does not match the token claims.
What this error means
The auth step fails with "unable to generate credentials" or a permission-denied from the STS token exchange. Later gcloud/SDK calls then fail because no Google credentials were produced.
Error: google-github-actions/auth failed with: failed to generate Google Cloud
federated token: {"error":"unauthorized_client", ...}Common causes
Missing id-token permission
Federation needs the GitHub OIDC token, which requires permissions: id-token: write on the job. Without it the OIDC request fails and no token can be exchanged.
Wrong provider or unmatched attribute condition
The workload_identity_provider full resource name must be exact, and the provider attribute condition (for example on repository or ref) must match the OIDC claims, or Google rejects the exchange.
How to fix it
Request the OIDC token and pass the provider
permissions:
id-token: write
contents: read
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: google-github-actions/auth@v2
with:
workload_identity_provider: projects/123/locations/global/workloadIdentityPools/gh/providers/gh-provider
service_account: ci@project.iam.gserviceaccount.comAlign the provider attribute condition
- Confirm the provider resource name matches exactly (project number, pool, provider id).
- Ensure the attribute condition (e.g. assertion.repository) matches your repo/ref claims.
- Verify the service account allows the pool principal to impersonate it.
How to prevent it
- Always set id-token: write for federated cloud auth jobs.
- Keep the provider attribute condition in sync with the repos/refs you allow.
- Pin the exact provider resource name and service account.