Report #17758
[bug_fix] google.auth.exceptions.RefreshError: ('invalid_grant: Token has been expired or revoked', ...)
Delete the local service account JSON key file and migrate the application to Workload Identity Federation (if running in CI/CD such as GitHub Actions or GitLab CI), or attach the service account directly to the compute resource (GCE/Cloud Run). If a key file must be used, generate a new key under IAM > Service Accounts, ensure the service account is not disabled, and verify that the GOOGLE_APPLICATION_CREDENTIALS environment variable points to the new file path. The root cause is that the key was deleted, the service account was disabled, or the refresh token quota was exceeded because new credential objects were created in a loop without caching.
Journey Context:
The developer's nightly data pipeline, running on a self-hosted Jenkins agent, suddenly fails with the invalid_grant error after 6 months of stability. They check the system clock (synchronized via NTP, correct). They regenerate the service account key three times, updating the GOOGLE_APPLICATION_CREDENTIALS path each time; the error persists for 30 minutes, then mysteriously works, then fails again. They examine the IAM audit logs and discover that a security automation script is scanning for and deleting service account keys older than 90 days as a compliance measure. The key is being deleted mid-pipeline. The fix works because Workload Identity Federation uses short-lived tokens (1 hour) generated via OIDC, eliminating the long-lived JSON key file entirely; the alternative, the Compute Engine metadata service, is not subject to the same key deletion lifecycle.
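The audit-log check from the journey above, as an added example that is not part of the original report: given the key file's `private_key_id`, it reports which principal deleted that key and when. The log entries, project and account names are constructed, and the field names assume the Cloud Audit Logs JSON layout (`protoPayload.methodName`, `resourceName`, `authenticationInfo.principalEmail`).

```python
DELETE_METHOD = "google.iam.admin.v1.DeleteServiceAccountKey"

# Constructed key file content (private key omitted); field names follow
# the service account JSON key format.
KEY_FILE = {
    "type": "service_account",
    "private_key_id": "aaaa1111bbbb2222",
    "client_email": "pipeline@example-project.iam.gserviceaccount.com",
}

# Constructed entries shaped like Admin Activity audit logs exported as JSON.
SA = "projects/-/serviceAccounts/pipeline@example-project.iam.gserviceaccount.com"
AUDIT_LOG = [
    {"timestamp": "2026-01-09T23:50:00Z", "protoPayload": {
        "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
        "resourceName": SA,
        "authenticationInfo": {"principalEmail": "jenkins-admin@example.com"}}},
    {"timestamp": "2026-01-10T02:14:05Z", "protoPayload": {
        "methodName": DELETE_METHOD,
        "resourceName": SA + "/keys/cccc3333dddd4444",
        "authenticationInfo": {"principalEmail": "key-janitor@example-project.iam.gserviceaccount.com"}}},
    {"timestamp": "2026-01-10T02:14:07Z", "protoPayload": {
        "methodName": DELETE_METHOD,
        "resourceName": SA + "/keys/aaaa1111bbbb2222",
        "authenticationInfo": {"principalEmail": "key-janitor@example-project.iam.gserviceaccount.com"}}},
]


def key_id_of(resource_name):
    """Return the trailing key id of '.../keys/<id>', or None if absent."""
    _, sep, key_id = resource_name.rpartition("/keys/")
    return key_id if sep and key_id else None


def find_key_deletions(key_file, entries):
    """Return sorted (timestamp, principal) pairs for deletions of this key."""
    wanted = key_file["private_key_id"]
    hits = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != DELETE_METHOD:
            continue  # not a key deletion
        if key_id_of(payload.get("resourceName", "")) != wanted:
            continue  # a different key was deleted
        auth = payload.get("authenticationInfo", {})
        hits.append((entry.get("timestamp", ""), auth.get("principalEmail", "unknown")))
    return sorted(hits)
```

A non-empty result naming an automation account shortly before the pipeline failure points to key rotation or cleanup rather than clock skew or a disabled service account.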
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-17T06:18:42.248636+00:00 — report_created — created