GitHub Actions "Unable to get ACTIONS_ID_TOKEN_REQUEST_URL"
The OIDC token endpoint variables ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN are only injected when the job grants id-token: write. Without it, any action that mints an OIDC token fails immediately.
What this error means
A cloud-login or attestation step fails before contacting the provider, complaining the ID token request URL is empty or undefined.
github-actions
Error: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable
Error: Could not load OIDC token. Ensure the workflow has 'id-token: write' permission.Common causes
Missing id-token: write permission
The default GITHUB_TOKEN permissions do not include id-token. Without an explicit grant the OIDC env vars are never set.
Top-level permissions restrict the job
A top-level permissions block that lists other scopes but omits id-token overrides the default and leaves OIDC off.
How to fix it
Grant id-token: write on the job
- Add a permissions block with id-token: write at the job (or workflow) level.
- Keep contents: read so checkout still works after you narrow permissions.
- Re-run; the OIDC env vars are now present for the cloud-login action.
.github/workflows/deploy.yml
jobs:
deploy:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
aws-region: us-east-1How to prevent it
- Set id-token: write explicitly on any job that assumes a cloud role via OIDC.
- When you lock down top-level permissions, re-add id-token on jobs that need it.
Related guides
GitHub Actions OIDC "Not authorized to perform sts:AssumeRoleWithWebIdentity"Fix the AWS OIDC error "Not authorized to perform sts:AssumeRoleWithWebIdentity" - the IAM role trust policy…
GitHub Actions OIDC "No OpenIDConnect provider found"Fix the AWS OIDC error "No OpenIDConnect provider found" - the GitHub IAM identity provider is missing or has…
GitHub Actions "id-token permission not propagated to reusable workflow"Fix OIDC failures when calling a reusable workflow - id-token: write must be granted on the calling job, not…