Introduction

GitHub Actions supports OIDC (OpenID Connect) authentication to cloud providers without storing long-lived credentials. The OIDC token includes an aud (audience) claim that must match what the cloud provider expects. When the audience is misconfigured -- using the wrong STS endpoint URL or an incorrect audience value -- the cloud provider rejects the token, blocking authentication.

Symptoms

  • aws-actions/configure-aws-credentials step fails with OIDC error
  • Cloud provider returns InvalidIdentityToken or audience mismatch
  • Workflow works for one repository but fails for another
  • Error message: An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: Incorrect token audience
  • Error message: Error: Failed to assume role: InvalidIdentityToken: Token audience mismatch

Common Causes

  • Wrong audience parameter in the cloud provider action configuration
  • AWS STS endpoint configured for a different region than the OIDC provider
  • Cloud provider OIDC identity pool configured with a different audience than GitHub sends
  • Using a custom OIDC provider with non-standard audience requirements
  • GitHub Actions running on GitHub Enterprise Server with different OIDC configuration

Step-by-Step Fix

  1. Check the OIDC token audience being sent: inspect the token claims. The job needs the permission id-token: write, otherwise ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN are empty. Do not print the request token itself: it is a bearer credential that can mint further ID tokens for the rest of the job, and workflow logs are readable by anyone with read access to the repository.

     ```yaml
     - name: Debug OIDC token
       run: |
         # Fail early if the job lacks id-token: write (both variables are then empty)
         test -n "$ACTIONS_ID_TOKEN_REQUEST_URL" || { echo "missing id-token: write permission"; exit 1; }
         # Request a token for the audience the AWS action will use and keep only the JWT payload segment
         payload=$(curl -sS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
           "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sts.amazonaws.com" | jq -r '.value' | cut -d. -f2)
         # JWT payloads are base64url without '=' padding; convert to standard base64 before decoding
         printf '%s' "$payload" | tr '_-' '/+' | awk '{ while (length($0) % 4) $0 = $0 "="; print }' \
           | base64 -d | jq '{iss, aud, sub}'
     ```

  2. Set the correct audience in the cloud provider action: match the expected audience. The action's audience input defaults to sts.amazonaws.com; set it explicitly so the value that must match the AWS side is visible in the workflow.

     ```yaml
     - name: Configure AWS Credentials
       uses: aws-actions/configure-aws-credentials@v4
       with:
         role-to-assume: arn:aws:iam::123456789012:role/github-actions-role
         aws-region: us-east-1
         # The audience must match the OIDC provider configuration in AWS:
         # the provider's client ID list and the aud condition in the role trust policy
         audience: sts.amazonaws.com
     ```

  3. Verify the AWS IAM OIDC provider audience: check the trust policy. The aud condition must equal the audience requested in step 2. Also restrict the sub claim to your repository (OWNER/REPO below is a placeholder); with only the aud condition, any GitHub workflow that requests the sts.amazonaws.com audience could assume the role.

     ```json
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Principal": {
             "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
           },
           "Action": "sts:AssumeRoleWithWebIdentity",
           "Condition": {
             "StringEquals": {
               "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
             },
             "StringLike": {
               "token.actions.githubusercontent.com:sub": "repo:OWNER/REPO:*"
             }
           }
         }
       ]
     }
     ```

  4. Create the OIDC provider with the correct audience if missing: set up the identity provider. The client ID list is the set of audiences the provider accepts.

     ```bash
     aws iam create-open-id-connect-provider \
       --url https://token.actions.githubusercontent.com \
       --client-id-list sts.amazonaws.com \
       --thumbprint-list 6938fd4d98bab03faadb97b34396831e3780aea1
     ```

  5. Test the OIDC authentication end-to-end: verify the fix works.

     ```yaml
     - name: Test AWS access
       run: |
         # Runs after the Configure AWS Credentials step; should print the assumed role ARN
         aws sts get-caller-identity
     ```
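A preflight check that ties steps 1 and 3 together, added here as an example and not part of the original article: it decodes the aud and sub claims of a token the way the debug step does and compares them with the conditions in the role trust policy, so a wrong audience is reported before the workflow ever calls STS. The token and trust policy are constructed sample data (example-org/example-repo is made up; the account ID is the article's); the token is unsigned, and the decoder deliberately does no signature verification, which remains STS's job.

```python
import base64
import json
import re
def decode_jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT checking its signature: diagnostic only, STS does the real validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # base64url drops '=' padding; restore it
    return json.loads(base64.urlsafe_b64decode(payload))

def _iam_string_like(value: str, pattern: str) -> bool:
    """IAM StringLike semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def trust_policy_conditions(policy: dict) -> tuple:
    """Collect the :aud values and :sub patterns from Allow sts:AssumeRoleWithWebIdentity statements."""
    auds, subs = [], []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        for cond in stmt.get("Condition", {}).values():
            for key, val in cond.items():
                target = auds if key.endswith(":aud") else subs if key.endswith(":sub") else None
                if target is not None:
                    target.extend(val if isinstance(val, list) else [val])
    return auds, subs

def check_token_against_policy(token: str, policy: dict) -> list:
    """Return the mismatches STS would reject on; an empty list means aud and sub line up."""
    claims, (auds, subs) = decode_jwt_claims(token), trust_policy_conditions(policy)
    token_auds = claims.get("aud") if isinstance(claims.get("aud"), list) else [claims.get("aud")]
    problems = []
    if not any(a in auds for a in token_auds):
        problems.append(f"aud mismatch: token has {token_auds}, trust policy allows {sorted(auds)}")
    if subs and not any(_iam_string_like(claims.get("sub", ""), p) for p in subs):
        problems.append(f"sub mismatch: {claims.get('sub')!r} matches none of {subs}")
    return problems

def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
# Constructed, unsigned token requested WITHOUT audience=sts.amazonaws.com, so GitHub used its default aud (owner URL)
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}), _b64url({
    "iss": "https://token.actions.githubusercontent.com", "aud": "https://github.com/example-org",
    "sub": "repo:example-org/example-repo:ref:refs/heads/main"}), "unsigned"])
# Constructed trust policy mirroring the article's, plus a sub restriction to one repository
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
    "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
    "Condition": {"StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
                  "StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-org/example-repo:*"}}}]}
```

Running check_token_against_policy(SAMPLE_TOKEN, SAMPLE_POLICY) reports the aud mismatch that produces the "Incorrect token audience" error; re-requesting the token with audience=sts.amazonaws.com makes it return an empty list.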

Prevention

  • Document the correct OIDC audience for each cloud provider in the deployment runbook
  • Use official cloud provider GitHub Actions which handle audience configuration correctly
  • Test OIDC authentication after any IAM identity provider configuration changes
  • Monitor OIDC authentication failure rates and alert on audience mismatch errors
  • Use the same OIDC configuration across all repositories for consistency
  • Include OIDC token validation in the workflow's pre-deployment checks