GitHub Actions OIDC "Unable to get ACTIONS_ID_TOKEN_REQUEST_URL"
An OIDC-based login (AWS, GCP, Azure, Vault) failed because the job cannot mint an OIDC token. The id-token: write permission is required and was not granted.
What this error means
A cloud-auth step using OIDC fails with "Unable to get ACTIONS_ID_TOKEN_REQUEST_URL", before any cloud call. Static-credential logins are unaffected; only the keyless OIDC path breaks.
Error: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable
# the job has no id-token permission, so no OIDC token can be requestedCommon causes
Missing id-token: write permission
Requesting an OIDC token requires the job to declare permissions: id-token: write. Without it, the token request URL is never set.
Trust policy or audience mismatch
Even with the token, the cloud trust policy must allow the repository, branch, and audience claims. A mismatch there fails on the cloud side instead.
How to fix it
Grant id-token: write
Add the id-token write permission (plus contents: read) to the job that does the OIDC login.
permissions:
id-token: write
contents: read
steps:
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::123456789012:role/ci
aws-region: us-east-1Align the cloud trust policy
- Configure the IdP/role trust to allow token.actions.githubusercontent.com.
- Match the sub claim to your repo and branch/environment condition.
- Set the audience to the value the cloud expects (often sts.amazonaws.com for AWS).
How to prevent it
- Add id-token: write to every job that uses OIDC cloud auth.
- Scope cloud trust policies tightly to specific repos, branches, or environments.
- Prefer OIDC over long-lived static cloud credentials in CI.