diff --git a/lib/cloud-run-workspace.ts b/lib/cloud-run-workspace.ts
index dcbd98d..ca2359d 100644
--- a/lib/cloud-run-workspace.ts
+++ b/lib/cloud-run-workspace.ts
@@ -21,9 +21,11 @@ const CLOUD_RUN_API = `https://run.googleapis.com/v2/projects/${PROJECT_ID}/loca
 const SCOPES = ['https://www.googleapis.com/auth/cloud-platform'];

 async function getAccessToken(): Promise {
- // Prefer an explicit service account key (avoids GCE metadata scope limitations)
- const keyJson = process.env.GOOGLE_SERVICE_ACCOUNT_KEY;
- if (keyJson) {
+ // Prefer an explicit service account key (avoids GCE metadata scope limitations).
+ // Stored as base64 to survive Docker ARG/ENV special-character handling.
+ const keyB64 = process.env.GOOGLE_SERVICE_ACCOUNT_KEY_B64;
+ if (keyB64) {
+ const keyJson = Buffer.from(keyB64, 'base64').toString('utf-8');
 const key = JSON.parse(keyJson) as {
 client_email: string;
 private_key: string;
@@ -35,7 +37,7 @@ async function getAccessToken(): Promise {
 });
 const token = await jwt.getAccessToken();
 if (!token.token) throw new Error('Failed to get GCP access token from service account key');
- return token.token;
+ return token.token as string;
 }

 // Fall back to ADC (works locally or on GCE with cloud-platform scope)
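Review bot: The new decode-and-parse path in `getAccessToken` is unguarded. `Buffer.from(keyB64, 'base64')` never rejects malformed input, so a truncated or mis-pasted value only fails at `JSON.parse`, and on recent Node versions that SyntaxError message can quote part of the decoded text, which here is service-account key material that may end up in logs. Catching the failure and throwing a fixed message that names only the variable avoids this, as sketched below. Separately, `GOOGLE_SERVICE_ACCOUNT_KEY` is no longer read at all, so a deployment that still sets only the old name will silently fall through to ADC and may run under a different identity; a warning or hard failure when the old variable is present would make that visible. The comment's mention of Docker ARG also deserves a caveat that base64 is encoding rather than protection and that build args generally remain readable in image history, so a runtime-injected secret is the safer route; the function body continues outside this hunk.

```typescript
  if (keyB64) {
    let parsed: unknown;
    try {
      parsed = JSON.parse(Buffer.from(keyB64, 'base64').toString('utf-8'));
    } catch {
      // Deliberately drop the original SyntaxError: its message can quote decoded key text.
      throw new Error('GOOGLE_SERVICE_ACCOUNT_KEY_B64 is not base64-encoded JSON');
    }
    const key = parsed as {
      // … unchanged: client_email / private_key field types and JWT client setup …
```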
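Review bot: The `as string` assertion on the return looks redundant, because the `if (!token.token) throw …` guard on the line above should already narrow `token.token` to a non-empty string for a `const` binding. If the compiler really did reject the plain `return token.token;`, the likely cause is the declared type of the `jwt.getAccessToken()` result, and an assertion would hide a non-string value rather than catch it. Prefer keeping `return token.token;` or, if narrowing genuinely fails, an explicit `typeof token.token !== 'string'` check in the guard.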