Skip to content
Latchkey

OIDC "Not authorized to perform sts:AssumeRoleWithWebIdentity" in CI

AWS STS received your OIDC token but the role trust policy did not match it. The token authenticated, yet its sub (repo:owner/repo:ref) is not allowed by the role's condition, so STS denies AssumeRoleWithWebIdentity.

What this error means

configure-aws-credentials fails with "Error: Could not assume role with OIDC: Not authorized to perform sts:AssumeRoleWithWebIdentity". The credentials reach STS but the trust policy rejects the subject.

.github/workflows/ci.yml
Error: Could not assume role with OIDC: Not authorized to perform sts:AssumeRoleWithWebIdentity

Common causes

The trust policy sub condition does not match the workflow

The role's token.actions.githubusercontent.com:sub condition lists a different repo, branch, tag, or environment than the one running, so STS rejects the token.

The OIDC provider is not registered for the audience

The IAM identity provider exists but its thumbprint or audience does not align with the token, so no statement allows the assume call.

How to fix it

Match the trust policy sub to the running ref

  1. Read the exact sub claim by decoding the token, or use repo:owner/repo:ref:refs/heads/main.
  2. Set the trust policy StringLike condition to allow that subject.
  3. Re-run the job so STS evaluates the corrected condition.
IAM trust policy
"Condition": {
  "StringLike": {
    "token.actions.githubusercontent.com:sub": "repo:my-org/my-repo:ref:refs/heads/main"
  },
  "StringEquals": {
    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
  }
}

Confirm the role-to-assume and region

Pass the correct role ARN and region to the action so STS evaluates the intended role's trust policy.

.github/workflows/ci.yml
- uses: aws-actions/configure-aws-credentials@v4
  with:
    role-to-assume: arn:aws:iam::123456789012:role/gha-deploy
    aws-region: us-east-1

How to prevent it

  • Scope the trust policy sub to the exact repo and ref you deploy from.
  • Decode the OIDC token once to confirm the real sub/aud values.
  • Keep the IAM provider audience set to sts.amazonaws.com.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →