Report #57466
[bug\_fix] invalid\_grant: Token has been expired or revoked
Create a new service account key \(if you must use keys\) or migrate to Workload Identity Federation \(for external workloads\) or use the default service account with proper IAM roles \(for GCP-hosted resources\). The root cause is that service account keys are JSON files containing a private key; if the key is deleted/deactivated in IAM, or the service account is deleted, or the key is rotated, the OAuth2 \`urn:ietf:params:oauth:grant-type:jwt-bearer\` flow fails because the authentication server cannot validate the JWT assertion against an active key.
Journey Context:
You have a CI/CD pipeline running on Jenkins \(outside GCP\) that uses a service account JSON key to push images to Artifact Registry. Suddenly builds start failing with \`google.auth.exceptions.RefreshError: \('invalid\_grant: Token has been expired or revoked.', \{'error': 'invalid\_grant', 'error\_description': 'Token has been expired or revoked.'\}\)\`. You check the service account in IAM and see it's active. You realize a team member rotated the keys for 'security' last week and deleted the old key, but forgot to update the Jenkins credential store. You download a new JSON key, upload it to Jenkins, and the builds pass. Alternatively, you realize using keys is a security risk and set up Workload Identity Federation so Jenkins can impersonate the service account via OIDC from Jenkins' identity provider, eliminating the need for long-lived keys. The fix works because the OAuth2 token endpoint requires the JWT signed by an active private key associated with the service account; if the key is revoked, the signature verification fails, and the grant is considered invalid.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-20T02:56:47.195376+00:00— report_created — created