Skip to content
Latchkey

OIDC AWS "InvalidIdentityToken" in CI

STS received a token but could not validate it for the role's identity provider. The token may be expired, malformed, or issued for an audience the IAM provider does not list, so AssumeRoleWithWebIdentity returns InvalidIdentityToken.

What this error means

AWS login fails with "An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation". The provider exists but the token is not accepted.

Terminal
An error occurred (InvalidIdentityToken) when calling the
AssumeRoleWithWebIdentity operation: Incorrect token audience

Common causes

The token audience is not registered on the provider

The IAM OIDC identity provider's client ID (audience) list does not include the audience the token carries, so STS rejects it.

A stale or manually passed token

Reusing a cached or hand-built token that has expired or been altered makes STS treat it as invalid.

How to fix it

Add the correct audience to the IAM provider

  1. Confirm the audience the action requests (default sts.amazonaws.com).
  2. Add that value as a client ID on the IAM OIDC provider.
  3. Re-run so STS finds a matching audience.
Terminal
aws iam create-open-id-connect-provider \
  --url https://token.actions.githubusercontent.com \
  --client-id-list sts.amazonaws.com

Let the action mint a fresh token

Use configure-aws-credentials to request a new token each run instead of reusing a stored one.

.github/workflows/ci.yml
- uses: aws-actions/configure-aws-credentials@v4
  with:
    role-to-assume: arn:aws:iam::123456789012:role/gha-deploy
    aws-region: eu-west-1

How to prevent it

  • Register sts.amazonaws.com as a client ID on the IAM provider.
  • Never reuse OIDC tokens across runs; mint fresh each time.
  • Keep the provider URL exactly token.actions.githubusercontent.com.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →