Report #81887
[bug\_fix] invalid\_grant: Invalid JWT: Token must be a short-lived token
Generate a new service account key JSON from the GCP Console \(IAM > Service Accounts > Keys\) and replace the old key file, or migrate to Workload Identity Federation to avoid long-lived keys.
Journey Context:
An on-premise Jenkins server runs a deployment pipeline that uploads build artifacts to Google Cloud Storage. The pipeline uses a service account key JSON file stored as a Jenkins credential. Suddenly, all builds fail with 'google.auth.exceptions.RefreshError: \('invalid\_grant: Invalid JWT Signature', \{...\}\)' or 'invalid\_grant: Not a valid email or User ID'. The engineer checks the service account in GCP IAM—it exists and has 'Storage Object Admin'. They check the Jenkins credential—the JSON looks valid. They try to use the key locally with 'gcloud auth activate-service-account --key-file=old-key.json' and it fails with the same invalid\_grant error. Investigating the IAM audit logs, they discover the key was deleted two days ago during a routine security cleanup of old keys. The service account key ID referenced in the JSON file no longer exists in the service account's key list. Generating a new key in the GCP Console \(IAM > Service Accounts > Keys > Add Key > Create New Key\), downloading the JSON, and updating the Jenkins credential resolves the issue. The fix works because service account keys are long-lived credentials consisting of a private key signed by Google. When the key is deleted in the console, the corresponding public key is removed from Google's identity database, causing any JWT signed by the deleted private key to fail validation with 'invalid\_grant'.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-21T20:02:20.594009+00:00— report_created — created