Skip to content
Latchkey

OIDC fails because permissions id-token: write is missing in CI

OIDC cloud login needs the workflow to declare id-token: write. Without it the runner is not allowed to request an OIDC token, so every AWS/GCP/Azure login that relies on OIDC fails before contacting the cloud.

What this error means

A login step fails immediately with an OIDC token error, and the workflow has no id-token: write under permissions, or sets only contents: read.

.github/workflows/ci.yml
Error: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable. Ensure
this job has permission: id-token: write.

Common causes

No permissions block grants id-token

GitHub defaults id-token to none. Unless the workflow or job explicitly grants id-token: write, the OIDC token request is refused.

A narrower job permissions block drops id-token

Declaring permissions at job level replaces the whole map; if id-token is not listed there, it is removed for that job.

How to fix it

Declare id-token: write explicitly

  1. Add id-token: write to the workflow or the specific job.
  2. List every other scope you still need, since the block is exhaustive.
  3. Re-run and confirm the login step now receives a token.
.github/workflows/ci.yml
permissions:
  id-token: write
  contents: read

Keep the grant minimal and scoped

Grant id-token only on jobs that authenticate to a cloud, not workflow-wide, to limit token issuance.

.github/workflows/ci.yml
jobs:
  deploy:
    permissions:
      id-token: write
      contents: read

How to prevent it

  • Add id-token: write whenever a job uses OIDC cloud login.
  • Treat a job-level permissions block as a full replacement, not a merge.
  • Scope id-token to the deploy job only.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →