403 policy auth_error ai_generated true

Error: Failed to request OIDC token: 403 Forbidden. The workflow is not allowed to request an OIDC token for this organization.

ID: policy/github-actions-oidc-token-permission-denied

Fix rate: 78%
Confidence: 87%
Evidence count: 1
First seen: 2024-01-20

Version compatibility

Version                  | Status | Introduced | Deprecated | Notes
GitHub Actions           | active | 2024-01    |            |
GitHub Enterprise Server | active | 3.12       |            |

Root cause analysis

The GitHub Actions OIDC token request was denied because the organization's OIDC trust policy does not allow the specific workflow or branch that made the request.


Official documentation

https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers

Solutions

  1. Update the OIDC trust policy in the GitHub organization settings to allow the specific repository and branch. Navigate to Settings > Organization > Security > OIDC Trust Policies and add a condition such as 'repository:owner/repo:ref:refs/heads/main'.
  2. Use a GitHub App or personal access token instead of OIDC for authentication. In the workflow, pass the token to 'actions/checkout@v4':

        - uses: actions/checkout@v4
          with:
            token: ${{ secrets.MY_TOKEN }}

  3. Modify the workflow to run on a branch that is explicitly allowed in the OIDC trust policy. For example, if only 'main' is allowed, merge the feature branch into main before triggering the deployment workflow.
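As an added example (not part of this page or of GitHub's own tooling), the following Python diagnostic decodes the payload of an Actions OIDC token and checks its `sub` claim against trust-policy subject patterns, the way a cloud provider's condition on the GitHub subject does, so you can see which branch or ref the policy is rejecting before touching settings. The sample token, the `example-org/deploy` names and the patterns are constructed; GitHub's documented subject format is `repo:<owner>/<repo>:ref:refs/heads/<branch>` (note the `repo:` prefix), and no signature is verified here.

```python
import base64
import fnmatch
import json


def _b64url(data: bytes) -> str:
    """base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample: payload of an OIDC token issued to a feature-branch run.
# The signature segment is a placeholder; a real token carries the same claims.
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({
        "iss": "https://token.actions.githubusercontent.com",
        "sub": "repo:example-org/deploy:ref:refs/heads/feature/x",
        "repository": "example-org/deploy",
        "ref": "refs/heads/feature/x",
        "aud": "sts.amazonaws.com",
    }).encode()),
    "placeholder-signature",
])


def decode_claims(token: str) -> dict:
    """Decode the payload segment only. The signature is NOT verified: this is
    a local diagnostic, not a replacement for the provider's validation."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def subject_allowed(sub: str, allowed_patterns: list) -> bool:
    """Trust-policy style match: exact subject or glob (like AWS StringLike)."""
    return any(fnmatch.fnmatchcase(sub, p) for p in allowed_patterns)


def diagnose(token: str, allowed_patterns: list) -> dict:
    """Report whether the token's subject is covered and, if not, which ref."""
    claims = decode_claims(token)
    sub = claims.get("sub", "")
    allowed = subject_allowed(sub, allowed_patterns)
    hint = None if allowed else (
        f"ref {claims.get('ref')} is not covered by the trust policy; "
        "run on an allowed branch or extend the policy for this ref")
    return {"allowed": allowed, "sub": sub, "ref": claims.get("ref"), "hint": hint}


if __name__ == "__main__":
    policy = ["repo:example-org/deploy:ref:refs/heads/main"]  # constructed policy
    print(json.dumps(diagnose(SAMPLE_TOKEN, policy), indent=2))
```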

Ineffective attempts

Common but ineffective approaches:

  1. Re-run the workflow with the same configuration, hoping it's a transient error. 100% failure rate

    The OIDC token request is denied due to policy configuration, not transient issues. Retrying will fail identically.

  2. Add a new OIDC provider in the cloud provider (e.g., AWS) without updating GitHub settings. 95% failure rate

    The error originates from GitHub's side denying the token request, not the cloud provider. The cloud provider configuration is irrelevant if GitHub refuses to issue the token.

  3. Remove the 'id-token: write' permission from the workflow. 90% failure rate

    The 'id-token: write' permission is required to request an OIDC token. Removing it will cause a different error about missing permissions.