OIDC token request failed or token invalid

An OIDC token request failed or the issued token was rejected by the cloud provider.

oidc-token-failure · high confidence · auth · aws, azure, gcp, github-actions

Matched signals

  • OIDC token
  • Unable to get OIDC token
  • invalid_token
  • JWT validation
  • Invalid JWT
  • JWT verification failed
  • JWT expired
  • JWT signature


What this failure means

An OIDC token request failed or the issued token was rejected by the cloud provider. Federated authentication to AWS, GCP, or Azure cannot proceed.

Symptoms

Faultline looks for one or more of these log fragments:

  • OIDC token
  • Unable to get OIDC token
  • invalid_token
  • JWT validation
  • Invalid JWT
  • JWT verification failed
  • JWT expired
  • JWT signature

Diagnosis

Either the workflow could not obtain an OIDC token from the CI provider at all (for example because the job was not permitted to request one), or it obtained a token whose issuer, subject, audience, expiry, or signature the cloud provider refused to accept. Federated authentication to AWS, GCP, or Azure cannot proceed until a token is both issued and accepted.

Fix steps

  1. In GitHub Actions, ensure the job has permissions: { id-token: write }.
  2. Decode the OIDC token and inspect iss, sub, aud, and repository claims to confirm they match the cloud-side trust policy.
  3. For AWS, verify the IAM role trust policy StringLike condition matches the actual sub claim.
  4. For GCP, check the Workload Identity Pool provider attribute mapping and condition logic.
  5. For Azure, confirm the federated credential issuer, subject, and audience are correct.
  6. For token audience mismatch errors, set the expected audience explicitly in the workflow step or provider configuration.
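Steps 2 and 3 above amount to decoding the token and comparing its claims with what the cloud-side trust policy expects. The script below is an added example, not part of the Faultline playbook: it decodes a JWT payload without verifying the signature (signature and key checks belong to the cloud provider), then reports every claim that would fail the trust policy, matching sub with the same '*' and '?' wildcard semantics an AWS StringLike condition uses. The token, claim values, issuer URL, audience and subject pattern are constructed sample data and assumptions for this example.

```python
import base64
import json
import re
import time


def _b64url(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the way JWT segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample: claims shaped like a GitHub Actions OIDC token.
# The signature segment is a placeholder; this script inspects claims only.
SAMPLE_CLAIMS = {
    "iss": "https://token.actions.githubusercontent.com",  # assumed issuer
    "sub": "repo:example-org/example-repo:ref:refs/heads/main",
    "aud": "sts.amazonaws.com",  # assumed audience for the example
    "repository": "example-org/example-repo",
    "exp": 4102444800,  # 2100-01-01, chosen so the sample is not expired
}
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    "placeholder-signature",
])


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def string_like(pattern: str, value: str) -> bool:
    """Match with IAM StringLike semantics: '*' is any run, '?' one character."""
    regex = "".join(
        ".*" if c == "*" else ("." if c == "?" else re.escape(c)) for c in pattern
    )
    return re.fullmatch(regex, value) is not None


def check_token(token, expected_iss, expected_aud, sub_pattern, now=None):
    """Compare token claims with the trust policy; return a list of problems.

    An empty list means iss, aud, sub and exp would all pass the policy.
    """
    now = time.time() if now is None else now
    claims = decode_claims(token)
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append(f"iss mismatch: {claims.get('iss')!r} != {expected_iss!r}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]  # aud may be a list per JWT
    if expected_aud not in auds:
        problems.append(f"aud mismatch: {auds!r} does not include {expected_aud!r}")
    if not string_like(sub_pattern, claims.get("sub", "")):
        problems.append(f"sub {claims.get('sub')!r} does not match {sub_pattern!r}")
    if "exp" in claims and claims["exp"] <= now:
        problems.append("JWT expired")
    return problems


if __name__ == "__main__":
    # Example run against the constructed token and an assumed trust policy.
    print(check_token(
        SAMPLE_TOKEN,
        expected_iss="https://token.actions.githubusercontent.com",
        expected_aud="sts.amazonaws.com",
        sub_pattern="repo:example-org/example-repo:*",
    ))
```

Paste the real token from a debug run in place of SAMPLE_TOKEN and the trust policy's values in place of the assumed ones; each reported mismatch maps directly to a fix step above (issuer or audience to steps 5 and 6, subject pattern to steps 3 and 4).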

Validation

  • Re-run the failing workflow step with debug logging enabled.
  • Confirm ACTIONS_ID_TOKEN_REQUEST_URL is present when the workflow expects GitHub-issued OIDC.

Why it matters

OIDC-based workload identity fails when the trust relationship between the CI provider and the cloud is misconfigured, the token audience does not match the expected audience, or the workflow does not request the token correctly.

Prevention

  • Document OIDC trust configuration alongside the workflow files.
  • Use least-privilege IAM conditions that are specific about the repository and branch.
  • Test OIDC auth in a separate validation job before using the credentials in deploy jobs.

Try it locally

printenv ACTIONS_ID_TOKEN_REQUEST_URL

How Faultline detects it

Use faultline explain oidc-token-failure to see the full playbook.

faultline analyze build.log
faultline explain oidc-token-failure

Generated from playbooks/bundled/log/auth/oidc-token-failure.yaml. Do not edit directly.

Try it on your own failed log

$ faultline analyze failed.log

Want this across every CI run? Faultline Teams tracks recurring failures across all your repos and surfaces patterns in a shared dashboard.