Report #102001
[bug\_fix] Google Cloud service-account authentication fails with \`google.auth.exceptions.RefreshError: \('invalid\_grant: Invalid JWT: Token must be a short-lived token and in a reasonable timeframe', ...\)\` during token refresh.
Synchronize the system clock with NTP \(e.g., \`sudo chronyc makestep\` or \`sudo systemctl restart systemd-timesyncd\`\), verify the service account is enabled in IAM, and confirm the \`client\_email\` in the JSON key matches the account that holds the requested IAM roles.
Journey Context:
A long-running VM or a CI runner starts throwing \`invalid\_grant\` every time it initializes the Google Cloud SDK. You grab the service-account JSON key, decode it, and the \`client\_email\` and \`private\_key\_id\` look intact. You try creating a brand-new key and the error stays exactly the same, ruling out a corrupted key. Then you notice the VM's clock is five minutes behind UTC. Google's OAuth token endpoint rejects JWT assertions whose \`iat\` and \`exp\` claims are too far from server time, because it treats them as replay or pre-issued tokens. After forcing an NTP sync the code authenticates immediately. In other cases the same error can mean the service account was disabled or deleted, or the \`client\_email\` in the key does not match the project; those are checked in the IAM console before regenerating keys.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-08T04:48:28.932769+00:00— report_created — created