403
policy
auth_error
ai_generated
partial
Error: Failed to request OIDC token: 403 Forbidden. The workflow is not allowed to request an OIDC token for this organization
ID: policy/github-actions-oidc-token-403-forbidden
85% fix rate
88% confidence
1 piece of evidence
2024-01-10 first seen
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| GitHub Actions runner 2.315.0 | active | — | — | — |
| GitHub Enterprise Server 3.10 | active | — | — | — |
| GitHub REST API 2022-11-28 | active | — | — | — |
Root cause analysis
GitHub Actions OIDC token requests are blocked by organization-level or repository-level settings that restrict which workflows can request tokens for cloud provider authentication. The 403 is returned by GitHub's own token endpoint (the `ACTIONS_ID_TOKEN_REQUEST_URL` the job calls), before any cloud provider is contacted, so it has to be resolved on the GitHub side; no change to a cloud trust policy will make this message go away.
Official documentation
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers
Solutions
- Give the workflow permission to request the token. A job can only call the OIDC token endpoint when it (or the whole workflow) declares `permissions: id-token: write`; this is the requirement stated in the linked guide and the first thing to verify. Because declaring any permission sets every unlisted scope to none, add `contents: read` next to it if the job runs `actions/checkout`.
- Check the Actions policies at the organization and repository level under Settings > Actions > General, which control whether this repository's workflows may run at all. The setting "Allow GitHub Actions to create and approve pull requests" is unrelated: it governs what `GITHUB_TOKEN` may do with pull requests, not OIDC token issuance. To inspect the organization policy from the CLI, query the actual REST endpoint: `gh api /orgs/ORG/actions/permissions` (it reports `enabled_repositories` and `allowed_actions`). Note that `allowed_actions` only controls which actions are permitted to run; setting it to `all` does not grant OIDC tokens and is not a fix for this error. On GitHub Enterprise Server, confirm that OIDC is enabled on the instance and that the organization's policy allows the repository's workflows to run.
- Configure the cloud provider's trust policy to accept tokens only from the intended repository and branch. For AWS, the IAM OIDC identity provider's role trust policy should pin both the audience and the `sub` claim: `"Condition": {"StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com", "token.actions.githubusercontent.com:sub": "repo:org/repo:ref:refs/heads/main"}}`. Caveat: a mismatch here is reported by AWS STS (the `AssumeRoleWithWebIdentity` call fails), not as a 403 from GitHub's token endpoint, so it cannot be the cause of this particular message; fix the trust policy once the token request itself succeeds.
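The following workflow is an added example and is not taken from the page or from GitHub's documentation. It shows the `permissions: id-token: write` declaration the token request requires, then fetches the token directly (the same request the cloud action makes) and prints only its non-secret claims so `sub` and `aud` can be compared with the trust policy condition above. The organization/repository name, the role ARN and the region are placeholders; the audience value `sts.amazonaws.com` is the one the AWS credentials action requests by default.

```yaml
# Added example, not the page's own content. Placeholders: repository name,
# role ARN and region are assumptions to be replaced with real values.
name: deploy
on:
  push:
    branches: [main]

permissions:
  id-token: write   # required for any OIDC token request; the default is none
  contents: read    # needed by actions/checkout once any permission is declared

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Diagnostic step: request the token exactly as the cloud action does.
      # A 403 here is GitHub refusing the request (this page's error). A token
      # whose 'sub' does not match the trust policy fails later, at AWS STS.
      - name: Inspect OIDC token claims
        run: |
          set -euo pipefail
          resp=$(curl -sS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
            "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=sts.amazonaws.com")
          token=$(printf '%s' "$resp" | jq -r .value)
          echo "::add-mask::$token"   # never let the JWT itself reach the log
          # JWT payloads are base64url without padding; restore padding before decoding.
          payload=$(printf '%s' "$token" | cut -d. -f2 | tr '_-' '/+')
          while [ $(( ${#payload} % 4 )) -ne 0 ]; do payload="${payload}="; done
          # Only claims needed to check the trust policy are printed.
          printf '%s' "$payload" | base64 -d | jq '{iss, aud, sub, repository, ref, job_workflow_ref}'

      - name: Configure AWS credentials via OIDC
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-actions-deploy  # assumed ARN
          aws-region: us-east-1  # assumed region
```

If the diagnostic step succeeds but the AWS step fails, the problem is on the trust-policy side: compare the printed `sub` (for a push to `main` it has the form `repo:org/repo:ref:refs/heads/main`) and `aud` with the `Condition` block of the role's trust policy. If the diagnostic step itself receives the 403, the `permissions` block or the organization/repository Actions policy still needs attention.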
Ineffective attempts
Common but ineffective approaches:
- Re-running the workflow (fails 100% of the time): the issue is a policy restriction, not a transient token error; re-running will hit the same 403.
- Replacing OIDC with long-lived cloud credentials stored as secrets (fails 60% of the time): this bypasses the security benefit of OIDC and may violate compliance policies; it is also not a fix for the error.
- Changing the branch or trigger event (fails 90% of the time): restrictions are based on repository or organization settings, not on branch or event names.