diff --git a/src/main/java/bio/terra/app/configuration/ResourceBufferServiceConfiguration.java b/src/main/java/bio/terra/app/configuration/ResourceBufferServiceConfiguration.java
index 6b5983e2aa..7f1f1cfcc0 100644
--- a/src/main/java/bio/terra/app/configuration/ResourceBufferServiceConfiguration.java
+++ b/src/main/java/bio/terra/app/configuration/ResourceBufferServiceConfiguration.java
@@ -1,6 +1,7 @@
 package bio.terra.app.configuration;
 
 import com.google.auth.oauth2.AccessToken;
+import com.google.auth.oauth2.ExternalAccountCredentials;
 import com.google.auth.oauth2.GoogleCredentials;
 import java.io.FileInputStream;
 import java.io.IOException;
@@ -20,7 +21,7 @@ public record ResourceBufferServiceConfiguration(
   public String getAccessToken() throws IOException {
     try (FileInputStream fileInputStream = new FileInputStream(clientCredentialFilePath)) {
       GoogleCredentials credentials =
-          GoogleCredentials.fromStream(fileInputStream).createScoped(BUFFER_SCOPES);
+          ExternalAccountCredentials.fromStream(fileInputStream).createScoped(BUFFER_SCOPES);
       AccessToken token = credentials.refreshAccessToken();
       return token.getTokenValue();
     }
diff --git a/src/main/java/bio/terra/service/profile/google/GoogleBillingService.java b/src/main/java/bio/terra/service/profile/google/GoogleBillingService.java
index 07c7dcdadb..09a9cc745a 100644
--- a/src/main/java/bio/terra/service/profile/google/GoogleBillingService.java
+++ b/src/main/java/bio/terra/service/profile/google/GoogleBillingService.java
@@ -8,6 +8,7 @@
 import com.google.api.gax.rpc.ApiException;
 import com.google.api.resourcenames.ResourceName;
 import com.google.auth.oauth2.AccessToken;
+import com.google.auth.oauth2.ExternalAccountCredentials;
 import com.google.auth.oauth2.GoogleCredentials;
 import com.google.cloud.billing.v1.BillingAccountName;
 import com.google.cloud.billing.v1.CloudBillingClient;
@@ -42,7 +43,8 @@ private static CloudBillingClient accessClient(AuthenticatedUserRequest user) {
       if (user == null || user.getToken().isEmpty()) {
         // Authentication is provided by the 'gcloud' tool when running locally
         // and by built-in service accounts when running on GAE, GCE, or GKE.
-        GoogleCredentials serviceAccountCredentials = GoogleCredentials.getApplicationDefault();
+        GoogleCredentials serviceAccountCredentials =
+            ExternalAccountCredentials.getApplicationDefault();
 
         // The createScopedRequired method returns true when running on GAE or a local developer
         // machine. In that case, the desired scopes must be passed in manually. When the code is