Skip to content
Latchkey

GitHub Actions OIDC id-token Missing in a Reusable Workflow

A cloud login that relies on OIDC fails inside a reusable workflow because id-token: write was not granted by the caller, or the called workflow narrowed permissions below what the OIDC step needs.

What this error means

The OIDC token request fails with a permission error when the login step runs in a called workflow, even though the same step works in a standalone workflow.

Actions log
Error: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable
# the caller did not grant id-token: write to the reusable workflow

Common causes

Caller did not grant id-token: write

Permissions for a reusable workflow are bounded by the caller. If the calling job does not grant id-token: write, the called workflow cannot request an OIDC token.

Called workflow narrowed permissions

A permissions block inside the called workflow can only reduce, never expand. Omitting id-token there (or setting it to none) blocks the OIDC step.

How to fix it

Grant id-token: write in the caller

.github/workflows/release.yml
# caller
jobs:
  deploy:
    permissions:
      id-token: write
      contents: read
    uses: ./.github/workflows/cloud-deploy.yml

Keep id-token in the called workflow scope

  1. Ensure the called workflow does not drop id-token from its permissions.
  2. Remember the effective permission is the intersection of caller and callee.
  3. Verify the cloud trust policy accepts the called-workflow subject claim.

How to prevent it

  • Grant id-token: write at the caller job that uses a reusable OIDC workflow.
  • Do not narrow id-token away inside the reusable workflow.
  • Confirm the OIDC subject claim matches your cloud trust policy.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →