Skip to content
Latchkey

GitHub Actions OIDC "Failed to get ID token"

A step asked GitHub for an OIDC ID token and the request failed. The usual cause is that the job never granted id-token: write (so the token endpoint is unavailable), but it can also be a transient failure of the token endpoint itself.

What this error means

A step that requests an OIDC token (cloud login, attestation, or a custom getIDToken call) fails with "Failed to get ID token" or a related OIDC request error, before any cloud credentials are exchanged.

github-actions
Error: Failed to get ID token: Error message: Unable to get
ACTIONS_ID_TOKEN_REQUEST_URL env variable
Error: Could not fetch an OIDC token from the GitHub provider.

Common causes

Missing id-token: write permission

Without permissions: id-token: write on the job (or workflow), GitHub does not expose the OIDC request URL/token to the runner, so any token request fails immediately.

Default-permissions or org policy restricts the token

A restrictive default GITHUB_TOKEN permission set or an org/enterprise policy can withhold the id-token scope even when the workflow looks correct.

Transient OIDC token-endpoint failure

Occasionally the request to the GitHub OIDC token endpoint times out or returns a 5xx mid-job even though permissions are correct; the next attempt usually succeeds.

How to fix it

Grant id-token: write on the job

Add the id-token: write permission so GitHub exposes the OIDC request URL and token to the runner. Keep contents read unless the job needs more.

.github/workflows/deploy.yml
permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/ci
          aws-region: us-east-1

Confirm org/enterprise policy allows the id-token scope

  1. Check that the org default workflow permissions are not blocking id-token.
  2. For reusable workflows, set id-token: write on the calling job so it propagates.
  3. Re-run after the permission is in place.

Retry a transient token-endpoint failure

  1. If permissions are correct and the failure is intermittent, re-run the job.
  2. For scripted token requests, wrap getIDToken in a short retry with backoff.

How to prevent it

  • Set permissions: id-token: write explicitly on any job that uses OIDC.
  • Keep org default permissions and reusable-workflow propagation in mind so the scope is never silently dropped.
  • On Latchkey managed runners, transient OIDC token-endpoint timeouts and 5xx responses are retried automatically, so a one-off token-request blip does not fail the run.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →