Skip to content
Latchkey

GitHub Actions google-github-actions/auth workload identity audience error

google-github-actions/auth federates the GitHub OIDC token into Google Cloud via Workload Identity Federation. The provider must accept the token audience and the attribute condition must match the repository, or the exchange is denied.

What this error means

An auth step using workload_identity_provider fails acquiring credentials, citing audience, attribute condition, or the id-token permission.

github-actions
Error: google-github-actions/auth failed with: failed to generate Google Cloud
federated token for //iam.googleapis.com/projects/.../providers/github:
the audience in the ID token does not match

Common causes

Audience mismatch or missing id-token permission

The provider expects a specific audience and the job needs id-token: write to mint a token with it.

Attribute condition rejects the repo

The WIF provider attribute-condition (e.g. assertion.repository) does not match the calling repository.

How to fix it

Align audience, permission, and attribute condition

  1. Add permissions: id-token: write.
  2. Set workload_identity_provider and service_account to the configured WIF resources.
  3. Make the provider attribute-condition match your repository/owner.
.github/workflows/ci.yml
permissions:
  id-token: write
steps:
  - uses: google-github-actions/auth@v2
    with:
      workload_identity_provider: projects/123/locations/global/workloadIdentityPools/gh/providers/github
      service_account: ci@project.iam.gserviceaccount.com

How to prevent it

  • Set id-token: write for every GCP OIDC job.
  • Keep the WIF attribute condition scoped to your repo/owner.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →