diff --git a/storage-bigtable/src/access_token.rs b/storage-bigtable/src/access_token.rs
index 3c2d596cf..c6664ba88 100644
--- a/storage-bigtable/src/access_token.rs
+++ b/storage-bigtable/src/access_token.rs
@@ -16,6 +16,7 @@ use {
         },
         time::Instant,
     },
+    tokio::time,
 };
 
 fn load_credentials(filepath: Option<String>) -> Result<Credentials, String> {
@@ -109,15 +110,22 @@ impl AccessToken {
         }
 
         info!("Refreshing token");
-        let new_token = Self::get_token(&self.credentials, &self.scope).await;
+        match time::timeout(
+            time::Duration::from_secs(5),
+            Self::get_token(&self.credentials, &self.scope),
+        )
+        .await
         {
-            let mut token_w = self.token.write().unwrap();
-            match new_token {
-                Ok(new_token) => *token_w = new_token,
-                Err(err) => warn!("{}", err),
+            Ok(new_token) => match (new_token, self.token.write()) {
+                (Ok(new_token), Ok(mut token_w)) => *token_w = new_token,
+                (Ok(_new_token), Err(err)) => warn!("{}", err),
+                (Err(err), _) => warn!("{}", err),
+            },
+            Err(_) => {
+                warn!("Token refresh timeout")
             }
-            self.refresh_active.store(false, Ordering::Relaxed);
         }
+        self.refresh_active.store(false, Ordering::Relaxed);
     }
 
     /// Return an access token suitable for use in an HTTP authorization header