Skip to content
Latchkey

GitHub Actions "Unable to get ACTIONS_ID_TOKEN_REQUEST_URL"

The OIDC token endpoint variables ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN are only injected when the job grants id-token: write. Without it, any action that mints an OIDC token fails immediately.

What this error means

A cloud-login or attestation step fails before contacting the provider, complaining the ID token request URL is empty or undefined.

github-actions
Error: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable
Error: Could not load OIDC token. Ensure the workflow has 'id-token: write' permission.

Common causes

Missing id-token: write permission

The default GITHUB_TOKEN permissions do not include id-token. Without an explicit grant the OIDC env vars are never set.

Top-level permissions restrict the job

A top-level permissions block that lists other scopes but omits id-token overrides the default and leaves OIDC off.

How to fix it

Grant id-token: write on the job

  1. Add a permissions block with id-token: write at the job (or workflow) level.
  2. Keep contents: read so checkout still works after you narrow permissions.
  3. Re-run; the OIDC env vars are now present for the cloud-login action.
.github/workflows/deploy.yml
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          aws-region: us-east-1

How to prevent it

  • Set id-token: write explicitly on any job that assumes a cloud role via OIDC.
  • When you lock down top-level permissions, re-add id-token on jobs that need it.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →