Skip to content
Latchkey

GitHub Actions OIDC "No OpenIDConnect provider found"

STS cannot validate the web identity because the cloud account has no IAM OIDC provider for token.actions.githubusercontent.com (or it points at the wrong URL/thumbprint). This is one-time account setup, not a runner problem.

What this error means

The cloud-login step fails reporting the OpenIDConnect provider is unknown, even though id-token: write is granted and the token mints correctly on the GitHub side.

github-actions
Error: Could not assume role with OIDC: No OpenIDConnect provider found in your account
for https://token.actions.githubusercontent.com

Common causes

OIDC provider never created

The IAM identity provider for GitHub Actions was never added to the AWS account, so STS has no issuer to trust.

Provider URL or thumbprint mismatch

An existing provider uses a different URL or a stale thumbprint and does not match the issuer in the token.

How to fix it

Create the GitHub OIDC identity provider

  1. In IAM, add an OpenID Connect provider with URL https://token.actions.githubusercontent.com.
  2. Set the audience to sts.amazonaws.com.
  3. Reference the provider ARN in the role trust policy, then re-run the workflow.
AWS CLI (one-time setup)
aws iam create-open-id-connect-provider \
  --url https://token.actions.githubusercontent.com \
  --client-id-list sts.amazonaws.com

How to prevent it

  • Provision the OIDC provider in Terraform/IaC so every account that deploys from Actions has it.
  • Use the issuer URL exactly; modern STS validates the cert chain so manual thumbprints are no longer required.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →