diff --git a/google/internal/externalaccount/filecredsource.go b/google/internal/externalaccount/filecredsource.go
index a7b5439..9d895a0 100644
--- a/google/internal/externalaccount/filecredsource.go
+++ b/google/internal/externalaccount/filecredsource.go
@@ -9,6 +9,7 @@ import (
 "encoding/json"
 "errors"
 "fmt"
+ "io"
 "io/ioutil"
 "os"
 )
@@ -24,7 +25,7 @@ func (cs fileCredentialSource) subjectToken() (string, error) {
 return "", fmt.Errorf("oauth2/google: failed to open credential file %q", cs.File)
 }
 defer tokenFile.Close()
- tokenBytes, err := ioutil.ReadAll(tokenFile)
+ tokenBytes, err := ioutil.ReadAll(io.LimitReader(tokenFile, 1<<20))
 if err != nil {
 return "", fmt.Errorf("oauth2/google: failed to read credential file: %v", err)
 }
diff --git a/google/internal/externalaccount/filecredsource_test.go b/google/internal/externalaccount/filecredsource_test.go
index b6e36ba..0ed5ac1 100644
--- a/google/internal/externalaccount/filecredsource_test.go
+++ b/google/internal/externalaccount/filecredsource_test.go
@@ -55,7 +55,7 @@ func TestRetrieveFileSubjectToken(t *testing.T) {
 out, err := tfc.parse().subjectToken()
 if err != nil {
- t.Errorf("Method retrieveSubjectToken for type fileCredentialSource in test %v failed; %e", test.name, err)
+ t.Fatalf("Method retrieveSubjectToken for type fileCredentialSource in test %v failed; %e", test.name, err)
 }
 if out != test.want {
 t.Errorf("Test %v for method retrieveSubjectToken for type fileCredentialSouce failed: expected %v but got %v", test.name, test.want, out)
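Review bot: The cap added on the `ioutil.ReadAll` line truncates silently: `io.LimitReader` reports EOF once 1<<20 bytes have been read, so `ReadAll` returns a nil error and a larger file yields a cut-off `tokenBytes` that is passed on to whatever parses it later in `subjectToken` (that part is outside this hunk) instead of being rejected. Reading one byte past the limit and returning an explicit error when the length exceeds it makes an oversized or wrong file fail closed with a clear message, rather than producing a partial token or a confusing decode error. The literal `1<<20` would also be easier to audit as a named constant with a comment stating why the bound exists.

```go
// maxCredentialFileSize bounds how much of the credential file is read into memory.
const maxCredentialFileSize = 1 << 20 // 1 MiB

	// … unchanged: open cs.File, defer tokenFile.Close() …
	tokenBytes, err := ioutil.ReadAll(io.LimitReader(tokenFile, maxCredentialFileSize+1))
	if err != nil {
		return "", fmt.Errorf("oauth2/google: failed to read credential file: %v", err)
	}
	// Reading one byte past the cap distinguishes "too large" from "exactly at the cap".
	if len(tokenBytes) > maxCredentialFileSize {
		return "", fmt.Errorf("oauth2/google: credential file %q exceeds %d bytes", cs.File, maxCredentialFileSize)
	}
```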
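Review bot: The format string on the changed `t.Fatalf` line still ends in `%e`, a floating-point verb, so a failure prints a `%!e(...)` bad-verb wrapper instead of the error text; use `%v`, i.e. `t.Fatalf("Method retrieveSubjectToken for type fileCredentialSource in test %v failed; %v", test.name, err)`. `Fatalf` also ends the whole test function at the first failing case; if this runs inside a table loop, as `test.name` suggests (the loop is outside the hunk), wrapping each case in `t.Run(test.name, ...)` would keep the remaining cases running. No case visible here exercises the new 1 MiB read cap in `filecredsource.go`; a case with a credential file just over the limit would pin how an oversized file is handled.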