Tags: 403 · policy · auth_error · ai_generated: true
Error: Failed to request OIDC token: 403 Forbidden. The workflow is not allowed to request an OIDC token for this organization.
ID: policy/github-actions-oidc-token-permission-denied
Fix rate: 78% | Confidence: 87% | Evidence: 1 | First seen: 2024-01-20
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| GitHub Actions 2024-01 | active | — | — | — |
| GitHub Enterprise Server 3.12 | active | — | — | — |
Root Cause
GitHub Actions OIDC token request denied because the organization's OIDC trust policy does not allow the specific workflow or branch.
Official Documentation
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers
Workarounds
- 85% success: Update the OIDC trust policy in the GitHub organization settings to allow the specific repository and branch. Navigate to Settings > Organization > Security > OIDC Trust Policies and add a condition like `repository:owner/repo:ref:refs/heads/main`.
- 90% success: Use a GitHub App or personal access token instead of OIDC for authentication. In the workflow, pass the token to `actions/checkout@v4`:
  ```yaml
  - uses: actions/checkout@v4
    with:
      token: ${{ secrets.MY_TOKEN }}
  ```
- 75% success: Modify the workflow to run on a branch that is explicitly allowed in the OIDC trust policy. For example, if only `main` is allowed, merge the feature branch into `main` before triggering the deployment workflow.
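As an added example (not from this page or from GitHub's own documentation), a workflow that requests the OIDC token directly and prints only the claims a trust policy is matched against, so a policy denial shows up as a plain 403 in this step rather than inside a cloud-provider login action; the stored-token fallback from the second workaround is included as a separate job. The audience `sts.amazonaws.com`, the secret name `MY_TOKEN` and the job names are assumptions.

```yaml
name: deploy
on:
  push:
    branches: [main]        # run only on a branch the trust policy allows (Workaround 3)

permissions:
  contents: read
  id-token: write           # required for any OIDC token request

jobs:
  deploy-with-oidc:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Request the token directly so a policy denial surfaces as a plain 403
      # here, before a cloud-provider login action obscures the cause.
      # The audience is an assumption (AWS STS); use the one your provider expects.
      - name: Request OIDC token and show the claims a trust policy matches on
        run: |
          curl -sSf -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sts.amazonaws.com" |
          python3 -c '
          import base64, json, sys
          payload = json.load(sys.stdin)["value"].split(".")[1]
          claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
          print({k: claims.get(k) for k in ("sub", "repository", "ref", "aud")})
          '

  # Workaround 2: a stored GitHub App or personal access token instead of OIDC.
  deploy-with-pat:
    if: ${{ false }}        # switch on only if OIDC cannot be permitted for this repo
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.MY_TOKEN }}   # secret name is an assumption
```

The `sub` value printed by the first job is what the `repository:owner/repo:ref:refs/heads/main` style condition in Workaround 1 must match; the raw token is never echoed to the log.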
Dead Ends
Common approaches that don't work:
- Re-run the workflow with the same configuration, hoping it's a transient error (100% fail). The OIDC token request is denied due to policy configuration, not transient issues. Retrying will fail identically.
- Add a new OIDC provider in the cloud provider (e.g., AWS) without updating GitHub settings (95% fail). The error originates from GitHub's side denying the token request, not the cloud provider. The cloud provider configuration is irrelevant if GitHub refuses to issue the token.
- Remove the `id-token: write` permission from the workflow (90% fail). The `id-token: write` permission is required to request an OIDC token. Removing it will cause a different error about missing permissions.