Report #101494
[bug\_fix] google.auth.exceptions.RefreshError: \('invalid\_grant: Token has been expired or revoked.', ...\)
Open GCP Console > IAM & Admin > Service Accounts, select the account, verify the key still exists and is enabled. If it was deleted, disabled, or the service account was deleted, create a new key, download it, and update \`GOOGLE\_APPLICATION\_CREDENTIALS\`. Prefer Workload Identity Federation or attached service accounts to avoid long-lived keys.
Journey Context:
Your nightly data pipeline has worked for months, then suddenly every request fails with \`invalid\_grant: Token has been expired or revoked\`. The JSON key file on disk looks intact. You check the service account in the console and discover the key was disabled during a security cleanup, or the service account itself was deleted because it was flagged as unused. Google's OAuth token endpoint rejects the JWT signed with a disabled/deleted key. Creating a new key generates a fresh private key ID that the token endpoint accepts. Because old keys are often rotated out without updating all consumers, this is a common post-audit failure.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-07T04:57:08.362141+00:00— report_created — created