diff --git a/src/main/java/bio/terra/service/auth/oauth2/GoogleCredentialsService.java b/src/main/java/bio/terra/service/auth/oauth2/GoogleCredentialsService.java
index 50b6e50bc0..3204379d09 100644
--- a/src/main/java/bio/terra/service/auth/oauth2/GoogleCredentialsService.java
+++ b/src/main/java/bio/terra/service/auth/oauth2/GoogleCredentialsService.java
@@ -25,7 +25,9 @@ public GoogleCredentials getApplicationDefault() {
    */
   public String getAccessToken(GoogleCredentials credentials, List<String> scopes) {
     try {
-      credentials = credentials.createScoped(scopes);
+      if (credentials.createScopedRequired()) {
+        credentials = credentials.createScoped(scopes);
+      }
       return credentials.refreshAccessToken().getTokenValue();
     } catch (IOException e) {
       throw new GoogleResourceException("Could not generate Google access token", e);
diff --git a/src/main/java/bio/terra/service/profile/google/GoogleBillingService.java b/src/main/java/bio/terra/service/profile/google/GoogleBillingService.java
index 73cbcfc990..48fb179677 100644
--- a/src/main/java/bio/terra/service/profile/google/GoogleBillingService.java
+++ b/src/main/java/bio/terra/service/profile/google/GoogleBillingService.java
@@ -152,9 +152,7 @@ public boolean canAccess(AuthenticatedUserRequest user, String billingAccountId)
         return false;
       }
       String message =
-          String.format(
-              "Could not check permissions on billing account '%s' for user '%s'",
-              billingAccountId, user.getEmail());
+          String.format("Could not check permissions on billing account '%s'", billingAccountId);
       throw new BillingServiceException(message, e);
     }
   }
diff --git a/src/test/java/bio/terra/common/auth/AuthService.java b/src/test/java/bio/terra/common/auth/AuthService.java
index e14ff14036..90097e998c 100644
--- a/src/test/java/bio/terra/common/auth/AuthService.java
+++ b/src/test/java/bio/terra/common/auth/AuthService.java
@@ -30,7 +30,7 @@ public class AuthService {
   private static Logger logger = LoggerFactory.getLogger(AuthService.class);
   private static ExpirationPolicy<String, GoogleCredentials> TOKEN_CACHE_EXPIRATION_POLICY =
       // Make sure this value never returns a negative since that means the entry never expires
-      (key, value) -> Math.max(0, TimeUnit.MINUTES.toMillis(5));
+      (key, value) -> Math.max(0, 5 - TimeUnit.MINUTES.toMillis(5));
 
   // the list of scopes we request from end users when they log in.
   // this should always match exactly what the UI requests, so our tests represent actual user