I can check with the IAM team as to how this affects signed URLs with a long expiry time. At least on Compute Engine, you can workaround this by associating a custom service account with the instances.

Doesn’t really affect custom tokens since they have a 1 hour TTL.