Report #102434
[bug\_fix] GCP client libraries return '401 Invalid Credentials' or 'TOKEN\_EXPIRED' after service account key JSON works locally but fails on CI
Use Workload Identity Federation or attach a service account directly to the compute environment instead of downloading and loading a service-account JSON key. The root cause is that some CI environments rotate or do not securely inject the key file path, or the key's IAM permissions differ from the attached service account; also, \`GOOGLE\_APPLICATION\_CREDENTIALS\` must point to the exact file and the file must be readable at runtime.
Journey Context:
A developer generates a service-account key, sets \`GOOGLE\_APPLICATION\_CREDENTIALS\` locally, and the Cloud Storage client works. They commit the same env var to CI secrets and the pipeline fails with \`401 Invalid Credentials\`. They verify the key is base64-decoded correctly, check \`gcloud auth activate-service-account\` succeeds, and even print the key ID to confirm it loaded. The rabbit-hole ends when they discover CI secret injection added an extra newline to the file path variable, so the Node/Python client could not find the key and fell back to the metadata server, which returned a token for the default compute service account that lacked storage.objectViewer. Moving to Workload Identity Federation removed the key file entirely and made the failure impossible.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-09T04:52:04.545933+00:00— report_created — created