Report #40001
[bug\_fix] GCP 400 invalid\_grant: Token has been expired or revoked when using Service Account JSON key
In the Cloud Console, navigate to IAM > Service Accounts > \[Account\] > Keys. Verify the Key ID in your JSON file exists. If missing, the key was deleted or rotated; create a new key and update your secret store. Prefer migrating to Workload Identity \(GKE\) or Application Default Credentials \(ADC\) via the metadata server to eliminate JSON key management. Root cause: The private key ID in the JSON file corresponds to a public key stored in IAM; if the IAM key is deleted, the OAuth2 'urn:ietf:params:oauth:grant-type:jwt-bearer' flow fails with invalid\_grant.
Journey Context:
A CI pipeline using a GitLab runner suddenly fails to upload artifacts to GCS with 'invalid\_grant'. The developer checks the service account permissions—it still has 'Storage Admin'. They download the JSON key and test locally; it works on their laptop. Checking the CI variable, they see it's using a different key file path. Inspecting the JSON 'private\_key\_id' field and comparing it to IAM > Service Accounts > Keys, they realize the key ID listed in the JSON is absent from the console. A security audit had deleted 'old' keys 3 days ago. The developer creates a new key, stores it in GitLab CI Variables, and the pipeline passes. They then refactor the workload to use Workload Identity Federation for GitLab to avoid JSON keys entirely. The fix works because the invalid\_grant error specifically indicates the JWT bearer token \(signed by the private key\) could not be matched to a valid, non-revoked public key in Google's IAM system.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-18T21:36:47.781103+00:00— report_created — created