OIDC "Not authorized to perform sts:AssumeRoleWithWebIdentity" in CI
AWS STS received your OIDC token but the role trust policy did not match it. The token authenticated, yet its sub (repo:owner/repo:ref) is not allowed by the role's condition, so STS denies AssumeRoleWithWebIdentity.
What this error means
configure-aws-credentials fails with "Error: Could not assume role with OIDC: Not authorized to perform sts:AssumeRoleWithWebIdentity". The credentials reach STS but the trust policy rejects the subject.
Error: Could not assume role with OIDC: Not authorized to perform sts:AssumeRoleWithWebIdentityCommon causes
The trust policy sub condition does not match the workflow
The role's token.actions.githubusercontent.com:sub condition lists a different repo, branch, tag, or environment than the one running, so STS rejects the token.
The OIDC provider is not registered for the audience
The IAM identity provider exists but its thumbprint or audience does not align with the token, so no statement allows the assume call.
How to fix it
Match the trust policy sub to the running ref
- Read the exact
subclaim by decoding the token, or userepo:owner/repo:ref:refs/heads/main. - Set the trust policy
StringLikecondition to allow that subject. - Re-run the job so STS evaluates the corrected condition.
"Condition": {
"StringLike": {
"token.actions.githubusercontent.com:sub": "repo:my-org/my-repo:ref:refs/heads/main"
},
"StringEquals": {
"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
}
}Confirm the role-to-assume and region
Pass the correct role ARN and region to the action so STS evaluates the intended role's trust policy.
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::123456789012:role/gha-deploy
aws-region: us-east-1How to prevent it
- Scope the trust policy
subto the exact repo and ref you deploy from. - Decode the OIDC token once to confirm the real
sub/audvalues. - Keep the IAM provider audience set to
sts.amazonaws.com.