Report #16894
[bug\_fix] google.auth.exceptions.RefreshError: \('invalid\_grant: Token has been expired or revoked.', ...\)
Re-run \`gcloud auth application-default login\` locally to generate a new refresh token, or migrate the application to use a service account key file \(GOOGLE\_APPLICATION\_CREDENTIALS\) or Workload Identity Federation instead of user credentials. Root cause: Application Default Credentials \(ADC\) on a local workstation uses OAuth 2.0 refresh tokens obtained via browser login \(gcloud auth application-default login\). These refresh tokens expire after 7 days of inactivity \(or if the user revokes app access via Google Account security settings\), causing the google-auth-library to fail when attempting to refresh the access token.
Journey Context:
A data scientist is running a Jupyter notebook locally that uses the BigQuery Python client library. The notebook queries a production dataset. It worked perfectly last Friday. On Monday morning, running the same cell throws a RefreshError with 'invalid\_grant'. The scientist checks their internet connection, tries restarting the kernel, reinstalls google-cloud-bigquery, nothing helps. They check the gcloud config, their account is still listed. They search the error and find StackOverflow threads mentioning expired refresh tokens. They realize that 'gcloud auth login' is for the CLI, but the notebook uses Application Default Credentials, which are separate. They run 'gcloud auth application-default login', complete the browser flow, and the notebook works. They realize user credentials are flaky for automation and switch to downloading a service account JSON key, setting GOOGLE\_APPLICATION\_CREDENTIALS, eliminating the weekly login requirement.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-17T03:53:47.146572+00:00— report_created — created