diff --git a/google/internal/externalaccount/basecredentials.go b/google/internal/externalaccount/basecredentials.go
index 07efa33..deb9deb 100644
--- a/google/internal/externalaccount/basecredentials.go
+++ b/google/internal/externalaccount/basecredentials.go
@@ -38,11 +38,12 @@ func (c *Config) TokenSource(ctx context.Context) oauth2.TokenSource {
 if c.ServiceAccountImpersonationURL == "" {
 return oauth2.ReuseTokenSource(nil, ts)
 }
+ scopes := c.Scopes
 ts.conf.Scopes = []string{"https://www.googleapis.com/auth/cloud-platform"}
 imp := impersonateTokenSource{
 ctx: ctx,
 url: c.ServiceAccountImpersonationURL,
- scopes: c.Scopes,
+ scopes: scopes,
 ts: oauth2.ReuseTokenSource(nil, ts),
 }
 return oauth2.ReuseTokenSource(nil, imp)
diff --git a/google/internal/externalaccount/impersonate.go b/google/internal/externalaccount/impersonate.go
index d8697f9..430e6e3 100644
--- a/google/internal/externalaccount/impersonate.go
+++ b/google/internal/externalaccount/impersonate.go
@@ -43,11 +43,10 @@ func (its impersonateTokenSource) Token() (*oauth2.Token, error) {
 Scope: its.scopes,
 }
 b, err := json.Marshal(reqBody)
-
- client := oauth2.NewClient(its.ctx, its.ts)
 if err != nil {
 return nil, fmt.Errorf("oauth2/google: unable to marshal request: %v", err)
 }
+ client := oauth2.NewClient(its.ctx, its.ts)
 req, err := http.NewRequest("POST", its.url, bytes.NewReader(b))
 if err != nil {
 return nil, fmt.Errorf("oauth2/google: unable to create impersonation request: %v", err)
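Review bot: In `TokenSource` (basecredentials.go), the assignment `ts.conf.Scopes = ...` may still write through to the caller's `Config`, if `ts.conf` is the same pointer as `c`; `ts` is built above the hunk, so this is inferred rather than visible. In that case saving `scopes := c.Scopes` only protects the first call: a later `TokenSource` call on the same `Config` would read the already-overwritten field and request the impersonated token with the broad `cloud-platform` scope instead of the caller's narrower scopes, and concurrent calls would race on the field. Giving the inner token source its own copy avoids both problems: `conf := *c`, `conf.Scopes = []string{"https://www.googleapis.com/auth/cloud-platform"}`, `ts.conf = &conf`. A short comment on why the two scope sets differ (the STS exchange token versus the impersonated token) would also help the next reader.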