OIDC AWS "InvalidIdentityToken" in CI
STS received a token but could not validate it for the role's identity provider. The token may be expired, malformed, or issued for an audience the IAM provider does not list, so AssumeRoleWithWebIdentity returns InvalidIdentityToken.
What this error means
AWS login fails with "An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation". The provider exists but the token is not accepted.
An error occurred (InvalidIdentityToken) when calling the
AssumeRoleWithWebIdentity operation: Incorrect token audienceCommon causes
The token audience is not registered on the provider
The IAM OIDC identity provider's client ID (audience) list does not include the audience the token carries, so STS rejects it.
A stale or manually passed token
Reusing a cached or hand-built token that has expired or been altered makes STS treat it as invalid.
How to fix it
Add the correct audience to the IAM provider
- Confirm the audience the action requests (default
sts.amazonaws.com). - Add that value as a client ID on the IAM OIDC provider.
- Re-run so STS finds a matching audience.
aws iam create-open-id-connect-provider \
--url https://token.actions.githubusercontent.com \
--client-id-list sts.amazonaws.comLet the action mint a fresh token
Use configure-aws-credentials to request a new token each run instead of reusing a stored one.
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::123456789012:role/gha-deploy
aws-region: eu-west-1How to prevent it
- Register
sts.amazonaws.comas a client ID on the IAM provider. - Never reuse OIDC tokens across runs; mint fresh each time.
- Keep the provider URL exactly
token.actions.githubusercontent.com.