JWT (JSON Web Tokens) Errors | Invalid JWT Signature

Warrick
Google Cloud - Community
4 min read · Mar 18, 2021

Errors are the best, especially when they are written in a way where you become a decipherer. I remember the good old days when all the error codes I got were only numbers and maybe letters mixed in, and there wasn’t any online searching to easily get interpretations.

I’ve been working with Google Cloud products and connecting to services from my laptop like Storage and BigQuery. Over the last several months, I’ve hit up against a JWT error, invalid_grant:Invalid JWT Signature, a couple of times, and below is an overview of how I resolved it, which was basically replacing the expired service account key.

JWT Errors

“The mechanics of server-to-server authentication interactions require applications to create and cryptographically sign JSON Web Tokens (JWTs).” JWTs are signed tokens that authenticate your server-to-server connections.

This page on Using OAuth 2.0 for Server to Server Applications has a section in the middle called JWT error codes which gives more details about the different errors you may see and how to resolve them. It’s a good place to start for more information.

Invalid JWT Signature: invalid_grant

For my error, invalid_grant:Invalid JWT Signature, the way to resolve it wasn’t included in the list under JWT error codes. Basically, the Service Account key had expired, and I needed to generate a new one.

I did find someone in a StackOverflow thread who helped me home in on this with this comment: The JWT assertion is signed with a private key not associated with the service account identified by the client email.

I thought for a moment the email under my local gcloud config might be the problem, but it ended up being the expired key. Thus, the key was not associated with the service account anymore.
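To make that StackOverflow comment concrete, here is an added example (not code from the post or from Google) that models what the token endpoint does with the assertion a client builds from its key file: the assertion is signed with the private key, and the server only accepts signatures that check under a key still active for the service account. The key IDs, service account email and scope are constructed placeholders; a real deployment would read them from the JSON key file.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// SignAssertion builds the RS256 JWT a client sends to the token endpoint; kid carries the key file's private_key_id.
func SignAssertion(key *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	pl, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(pl)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), err
}

// VerifyAssertion models the token endpoint: the signature must check under an active key; alg in the header is ignored (always RS256).
func VerifyAssertion(tok string, active []*rsa.PublicKey) error {
	p := strings.Split(tok, ".") // header.payload.signature
	sig, err := base64.RawURLEncoding.DecodeString(p[len(p)-1])
	h := sha256.Sum256([]byte(strings.Join(p[:len(p)-1], ".")))
	for _, pub := range active {
		if err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil {
			return nil
		}
	}
	return fmt.Errorf("invalid_grant: Invalid JWT Signature")
}

// RotationDemo signs the same claims with an expired key and its replacement and verifies both against the active set (constructed IDs).
func RotationDemo() (oldErr, newErr error) {
	oldKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	newKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	claims := map[string]any{"iss": "svc@example-project.iam.gserviceaccount.com", "aud": "https://oauth2.googleapis.com/token",
		"scope": "https://www.googleapis.com/auth/cloud-platform", "iat": time.Now().Unix(), "exp": time.Now().Add(time.Hour).Unix()}
	oldTok, _ := SignAssertion(oldKey, "old-key-id", claims)
	newTok, _ := SignAssertion(newKey, "new-key-id", claims)
	active := []*rsa.PublicKey{&newKey.PublicKey} // the old key was removed when it expired
	return VerifyAssertion(oldTok, active), VerifyAssertion(newTok, active)
}

func main() { fmt.Println(RotationDemo()) }
```

The client-side email in the gcloud config never enters the check; only the key pair does, which is why a valid email with an expired key still fails with this error.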

How to Fix | Adding New Service Account Key

In order to fix this, go to the APIs & Services on the Google Cloud Console.

Look under Service Accounts, for the email account you are using for your project.

If you don’t remember what that email address is, you can look it up with the following command:

gcloud config list

On Google Cloud Console, choose the edit symbol next to that email account you are using.

Choose the Keys section.

Check if your service account key is Active or Expired.

If you don’t know which service account key you are using, look at the file you are using on your computer, which is probably under ~/.oauth, especially if you are on a Mac. If not, look at the file path in the GOOGLE_APPLICATION_CREDENTIALS environment variable to find the service account key file.

Part of the key ID may be in the file name; otherwise, it is inside the service account key file.

If a key has Expired, choose Add Key, which will add one that is Active and download a JSON service account key file to your computer.

Move that JSON key file to where you reference your files. Some gcloud server connections automatically look under ~/.oauth, but you can change that location with the GOOGLE_APPLICATION_CREDENTIALS environment variable.

If you have the GOOGLE_APPLICATION_CREDENTIALS environment variable defined in your ~/.bashrc or ~/.bash_profile file, make sure to update the location there.

Wrap up

This post reviews JWT errors and specifically how to resolve the invalid_grant:Invalid JWT Signature error. For Invalid JWT Signature, check if your service account key has expired. Go to your APIs & Services to add a new key if it has.
