Skip to content
Latchkey

GitHub Actions OIDC "Unable to get ACTIONS_ID_TOKEN_REQUEST_URL"

An OIDC-based login (AWS, GCP, Azure, Vault) failed because the job cannot mint an OIDC token. The id-token: write permission is required and was not granted.

What this error means

A cloud-auth step using OIDC fails with "Unable to get ACTIONS_ID_TOKEN_REQUEST_URL", before any cloud call. Static-credential logins are unaffected; only the keyless OIDC path breaks.

Actions log
Error: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable
# the job has no id-token permission, so no OIDC token can be requested

Common causes

Missing id-token: write permission

Requesting an OIDC token requires the job to declare permissions: id-token: write. Without it, the token request URL is never set.

Trust policy or audience mismatch

Even with the token, the cloud trust policy must allow the repository, branch, and audience claims. A mismatch there fails on the cloud side instead.

How to fix it

Grant id-token: write

Add the id-token write permission (plus contents: read) to the job that does the OIDC login.

.github/workflows/deploy.yml
permissions:
  id-token: write
  contents: read
steps:
  - uses: aws-actions/configure-aws-credentials@v4
    with:
      role-to-assume: arn:aws:iam::123456789012:role/ci
      aws-region: us-east-1

Align the cloud trust policy

  1. Configure the IdP/role trust to allow token.actions.githubusercontent.com.
  2. Match the sub claim to your repo and branch/environment condition.
  3. Set the audience to the value the cloud expects (often sts.amazonaws.com for AWS).

How to prevent it

  • Add id-token: write to every job that uses OIDC cloud auth.
  • Scope cloud trust policies tightly to specific repos, branches, or environments.
  • Prefer OIDC over long-lived static cloud credentials in CI.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →