GitHub Actions OIDC token request fails with status 500 intermittently
Problem
GitHub Actions workflows using OIDC (OpenID Connect) for keyless AWS authentication fail intermittently with 'Unable to get OIDC token: Error: Request to OIDC provider failed with status 500'. The failure is not deterministic: the same workflow passes on retry without code changes. The issue is on GitHub's OIDC provider infrastructure and is a transient service reliability problem.
Error Output
Error: Unable to get OIDC token: Error: Request to OIDC provider failed with status 500
3 Fixes
Retry the workflow: GitHub OIDC 500 errors are transient infrastructure failures
GitHub's OIDC token endpoint occasionally returns 500 errors due to transient service failures. The error is not caused by workflow configuration. The fix is to add retry logic or simply re-run the failed workflow.
Trust Score
8 verifications
- 1
Re-run the failed workflow
In GitHub Actions UI, click "Re-run failed jobs". OIDC 500s are almost always resolved on retry.
- 2
Add retry to the OIDC step if needed
For critical workflows, use a retry action:
```yaml
- name: Configure AWS credentials
  uses: nick-fields/retry@v3
  with:
    timeout_minutes: 5
    max_attempts: 3
    command: |
      aws sts get-caller-identity
```
- 3
Monitor GitHub Status
Check https://www.githubstatus.com/ for ongoing Actions incidents.
Validation
Workflow completes successfully on retry. No code changes required.
2 low-confidence fixes
Add bounded retry with backoff around OIDC token acquisition
Upstream transient provider-side failure, not a misconfiguration. The same workflow passes on retry without code changes.
Awaiting Verification
- 1
Wrap OIDC step with retry action
Use a retry action (e.g. nick-fields/retry) around the OIDC token acquisition step.
```yaml
- uses: nick-fields/retry@v2
  with:
    timeout_minutes: 5
    max_attempts: 3
    command: # your OIDC step
```
- 2
Add exponential backoff
Configure exponential backoff between retry attempts to avoid a thundering herd on the provider.
- 3
Do not modify IAM
Do not add or change IAM permissions if the failure is intermittent and self-resolving; this is infrastructure noise, not a misconfiguration.
Validation
Retry with backoff mitigates operational impact. Note: this is a mitigation, not a root-cause fix; upstream intermittent 500s may still occur.
Add bounded retry with backoff around OIDC token acquisition
Intermittent 500s from the GitHub Actions OIDC token endpoint are transient provider-side failures, not misconfiguration. When the same workflow passes on retry without code changes, the failure is upstream infrastructure noise that must be treated as a retriable transient error.
Awaiting Verification
- 1
Wrap OIDC-dependent step in a retry action
Use nick-fields/retry or a similar action to retry the failing step up to 3 times with exponential backoff.
```yaml
- name: Get OIDC token (with retry)
  uses: nick-fields/retry@v3
  with:
    timeout_minutes: 5
    max_attempts: 3
    retry_wait_seconds: 15
    command: |
      # your aws-actions/configure-aws-credentials or similar step
```
- 2
Do not modify IAM permissions on intermittent failures
If the same workflow passes on re-run without any changes, do not alter IAM roles, trust policies, or OIDC provider config. The failure is transient, not a permissions issue.
- 3
Add step-level timeout
Set timeout-minutes on OIDC-dependent steps so a hung token request does not block the entire job indefinitely.
```yaml
- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v4
  timeout-minutes: 2
  with:
    role-to-assume: arn:aws:iam::123456789:role/my-role
    aws-region: us-east-1
```
Validation
Workflow succeeds on first attempt in the majority of runs. When a transient 500 occurs, the retry handles it automatically without manual re-run.
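The bounded retry with exponential backoff recommended in the fixes above, written as a shell function a `run:` step (or a retry action's `command:`) can call; this is an added example, not code from the original page or from any project it names. It assumes the job sets `permissions: id-token: write` and has `curl`; the function names, `MAX_ATTEMPTS`, `BASE_DELAY` and `AUDIENCE` are illustrative. It goes slightly beyond the page by adding jitter and by refusing to retry non-5xx statuses, which indicate configuration problems rather than provider noise.

```shell
# Added example: bounded retry with exponential backoff for the GitHub Actions
# OIDC token request. Assumes the job sets `permissions: id-token: write`, so
# the runner exports ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN.
MAX_ATTEMPTS="${MAX_ATTEMPTS:-4}"          # illustrative bound
BASE_DELAY="${BASE_DELAY:-2}"              # seconds, doubled after each failure
AUDIENCE="${AUDIENCE:-sts.amazonaws.com}"  # audience used for AWS role assumption

# One request: response body is written to file $1, HTTP status is printed.
request_oidc_token() {
  curl -sS -o "$1" -w '%{http_code}' \
    -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
    "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=${AUDIENCE}"
}

# Prints the JSON response ({"value": "<jwt>"}) on success. Capture it; do not log it.
# Returns 1 when retries are exhausted, 2 on a status that is not retried.
fetch_oidc_token() {
  local body status attempt=1 delay="$BASE_DELAY"
  body="$(mktemp)"
  while :; do
    status="$(request_oidc_token "$body")" || status=000   # 000 = transport error
    case "$status" in
      200) cat "$body"; rm -f "$body"; return 0 ;;
      5??|000) ;;                          # transient: back off and retry
      *) echo "OIDC request failed with status $status; not retrying" >&2
         rm -f "$body"; return 2 ;;        # 4xx is not provider noise
    esac
    if [ "$attempt" -ge "$MAX_ATTEMPTS" ]; then
      echo "OIDC request still failing ($status) after $attempt attempts" >&2
      rm -f "$body"; return 1
    fi
    echo "attempt $attempt returned $status; backing off" >&2
    # Full delay plus up to 100% jitter so parallel jobs do not retry in lockstep.
    sleep $(( delay + ${RANDOM:-0} % (delay + 1) ))
    attempt=$(( attempt + 1 )); delay=$(( delay * 2 ))
  done
}
```

A return code of 2 is the signal to look at workflow permissions or trust configuration; a return code of 1 after exhausted retries matches the transient provider failure this page describes.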
Environment
- Product
- GitHub Actions (OIDC)
- Environment
- ci-cd
Submitted by
Alex Chen
2450 rep