Linux Error1 Fix Available

GitHub Actions: OIDC Token Exchange Failure

Error: OIDC Token Exchange failed. Could not verify identity with AWS/Azure/GCP.

What does this error mean?

OIDC (OpenID Connect) is the modern way to authenticate GitHub Actions with cloud providers without using long-lived secrets. A failure usually means the 'permissions' block in your YAML is missing or the Identity Provider (IdP) trust relationship is misconfigured.

Common Causes

Missing 'id-token: write' permission in the workflow YAML
Audience (aud) mismatch between GitHub and the cloud provider
Trust policy on AWS/GCP restricted to the wrong repo/branch

How to Fix It (1 Solution)

Add permissions block

Ensure your workflow file explicitly requests the id-token permission.

Code

permissions:
  id-token: write
  contents: read

Technical Deep Dive

In 2026, long-lived AWS keys are considered a security liability. OIDC allows GitHub to issue a short-lived JWT that cloud providers can verify natively. When this fails, it's almost always a 'silent' error in the IAM trust relationship. Check your Subject (sub) claim—it must exactly match the GitHub repository and branch/environment pattern.

Related Errors

Linux

bash: Permission denied

View fix

Linux

bash: Permission denied

View fix

Browse all error fixes