Skip to content
Latchkey

GitHub Actions OIDC Token Subject Mismatch on Environment Deploys

An OIDC cloud-role assumption fails because the trust policy is scoped to a deployment environment (sub contains environment:prod), but the job either has no environment: block or runs under a different environment, so the token subject does not match.

What this error means

A job that assumes a cloud role via OIDC is denied (e.g. STS "Not authorized to perform sts:AssumeRoleWithWebIdentity") because the token's sub claim does not match the environment the trust policy requires.

Actions log
Error: Could not assume role with OIDC: Not authorized to perform
sts:AssumeRoleWithWebIdentity
# trust policy expects sub: repo:org/repo:environment:production

Common causes

Job not scoped to the expected environment

When the cloud trust policy pins the sub to repo:owner/repo:environment:<name>, the job must declare that environment: block or its OIDC subject will not match.

Subject claim format mismatch

The trust condition must match the actual sub format (branch ref vs environment vs pull_request). A mismatch between the configured condition and the run context denies the assume.

How to fix it

Declare the environment and id-token permission

Add the environment: block the trust policy expects, and grant id-token: write so the OIDC token is issued.

.github/workflows/deploy.yml
permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production   # makes sub include environment:production
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/deploy
          aws-region: us-east-1

Align the trust condition with the run

  1. Match the cloud trust sub condition to the real claim (environment:<name>, ref:refs/heads/main, etc.).
  2. Use the correct environment name in both the trust policy and the job.
  3. Confirm id-token: write is granted so a token is even issued.

How to prevent it

  • Keep the cloud trust sub condition in sync with the job's environment/ref.
  • Always grant id-token: write for OIDC jobs.
  • Scope roles to specific environments for least privilege.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →