OIDC fails because permissions id-token: write is missing in CI
OIDC cloud login needs the workflow to declare id-token: write. Without it the runner is not allowed to request an OIDC token, so every AWS/GCP/Azure login that relies on OIDC fails before contacting the cloud.
What this error means
A login step fails immediately with an OIDC token error, and the workflow has no id-token: write under permissions, or sets only contents: read.
Error: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable. Ensure
this job has permission: id-token: write.Common causes
No permissions block grants id-token
GitHub defaults id-token to none. Unless the workflow or job explicitly grants id-token: write, the OIDC token request is refused.
A narrower job permissions block drops id-token
Declaring permissions at job level replaces the whole map; if id-token is not listed there, it is removed for that job.
How to fix it
Declare id-token: write explicitly
- Add
id-token: writeto the workflow or the specific job. - List every other scope you still need, since the block is exhaustive.
- Re-run and confirm the login step now receives a token.
permissions:
id-token: write
contents: readKeep the grant minimal and scoped
Grant id-token only on jobs that authenticate to a cloud, not workflow-wide, to limit token issuance.
jobs:
deploy:
permissions:
id-token: write
contents: readHow to prevent it
- Add
id-token: writewhenever a job uses OIDC cloud login. - Treat a job-level
permissionsblock as a full replacement, not a merge. - Scope id-token to the deploy job only.