Tags: 403, policy, auth_error, ai_generated, partial
Error: Failed to request OIDC token: 403 Forbidden. The workflow is not allowed to request an OIDC token for this organization
ID: policy/github-actions-oidc-token-403-forbidden
Fix rate: 85%
Confidence: 88%
Evidence: 1
First seen: 2024-01-10
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| GitHub Actions runner 2.315.0 | active | — | — | — |
| GitHub Enterprise Server 3.10 | active | — | — | — |
| GitHub REST API 2022-11-28 | active | — | — | — |
Root Cause
GitHub Actions OIDC token requests are blocked by organization-level or repository-level settings that restrict which workflows can request tokens for cloud provider authentication.
Official Documentation
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers
Workarounds
- 85% success: Go to organization settings > Actions > General > Permissions and ensure 'Allow GitHub Actions to create and approve pull requests' is enabled. Then add the workflow's repository to the allowed list for OIDC token requests under the 'OIDC Token' settings.
- 80% success: If using GitHub Enterprise, check the repository's 'Actions secrets and variables' settings and verify that the 'Allow OIDC token for this repository' option is checked. For the organization level, run: gh api -X PATCH /orgs/ORG/settings/actions -f 'allowed_actions=all'
- 75% success: Configure the cloud provider's trust policy to accept tokens from the specific repository and branch. For AWS, update the IAM OIDC identity provider's trust policy to include the correct 'sub' claim: "Condition": {"StringEquals": {"token.actions.githubusercontent.com:sub": "repo:org/repo:ref:refs/heads/main"}}
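As an added example (not part of this entry), the 'sub' condition from the third workaround placed in a complete AWS IAM role trust policy. The account ID 123456789012 and the org/repo path are placeholders; the 'aud' condition assumes the token was requested with audience sts.amazonaws.com, the default used by aws-actions/configure-aws-credentials.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GitHubActionsOIDC",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
          "token.actions.githubusercontent.com:sub": "repo:org/repo:ref:refs/heads/main"
        }
      }
    }
  ]
}
```

Pinning both 'aud' and 'sub' means a token minted for another repository, branch, or audience is rejected at AssumeRoleWithWebIdentity even if it is otherwise valid.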
Dead Ends
Common approaches that don't work:
- 100% fail: The issue is a policy restriction, not a transient token error; re-running will hit the same 403.
- 60% fail: This bypasses the security benefit of OIDC and may violate compliance policies; it is also not a fix for the error.
- 90% fail: Restrictions are based on repository or organization settings, not branch or event names.