diff --git a/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java
index 453356f80..e3892ca18 100644
--- a/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/ComputeEngineCredentials.java
@@ -277,7 +277,13 @@ public static Builder newBuilder() {
 return new Builder();
 }
 
+ /**
+ * Returns the email address associated with the GCE default service account.
+ *
+ * @throws RuntimeException if the default service account cannot be read
+ */
 @Override
+ // todo(#314) getAccount should not throw a RuntimeException
 public String getAccount() {
 if (serviceAccountEmail == null) {
 try {
@@ -304,12 +310,15 @@ public String getAccount() {
 */
 @Override
 public byte[] sign(byte[] toSign) {
- return IamUtils.sign(
- getAccount(),
- this,
- transportFactory.create(),
- toSign,
- Collections.emptyMap());
+ try {
+ String account = getAccount();
+ return IamUtils.sign(
+ account, this, transportFactory.create(), toSign, Collections.emptyMap());
+ } catch (SigningException ex) {
+ throw ex;
+ } catch (RuntimeException ex) {
+ throw new SigningException("Signing failed", ex);
+ }
 }
 
 private String getDefaultServiceAccount() throws IOException {
diff --git a/oauth2_http/java/com/google/auth/oauth2/IamUtils.java b/oauth2_http/java/com/google/auth/oauth2/IamUtils.java
index 596933392..d4675c963 100644
--- a/oauth2_http/java/com/google/auth/oauth2/IamUtils.java
+++ b/oauth2_http/java/com/google/auth/oauth2/IamUtils.java
@@ -66,6 +66,7 @@ class IamUtils {
 * @param toSign bytes to sign
 * @param additionalFields additional fields to send in the IAM call
 * @return signed bytes
+ * @throws ServiceAccountSigner.SigningException if signing fails
 */
 static byte[] sign(
 String serviceAccountEmail,
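Review bot: The new Javadoc on `getAccount` does not say that the address may be looked up on the first call; the visible `if (serviceAccountEmail == null) { try {` suggests a lazy fetch, though the rest of the body is outside the hunk. Callers on a signing path would want that stated, for example `Returns the email address of the GCE default service account, fetching it on first use.` The `// todo(#314)` line would also read better above `@Override` than between the annotation and the signature.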
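Review bot: The `catch (RuntimeException ex)` in `sign` spans the account lookup, `transportFactory.create()` and the IAM call, so any unrelated unchecked exception, a programming error included, is reported as "Signing failed" and cannot be told apart from a failed lookup. Resolving the account in its own try block, with a message that names that step, would keep the two failure modes separable in logs and make the `catch (SigningException ex) { throw ex; }` rethrow unnecessary. This assumes `IamUtils.sign` already reports its own failures as `SigningException`, as its updated Javadoc states.

```java
  public byte[] sign(byte[] toSign) {
    String account;
    try {
      account = getAccount();
    } catch (RuntimeException ex) {
      // The lookup failed before any signing request was sent.
      throw new SigningException("Failed to determine the service account to sign with", ex);
    }
    return IamUtils.sign(
        account, this, transportFactory.create(), toSign, Collections.emptyMap());
  }
```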
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java
index 0fc7dfaa7..ec5998b4b 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/ComputeEngineCredentialsTest.java
@@ -299,6 +299,26 @@ public void sign_sameAs() throws IOException {
 assertArrayEquals(expectedSignature, credentials.sign(expectedSignature));
 }
 
+ @Test
+ public void sign_getAccountFails() throws IOException {
+ MockMetadataServerTransportFactory transportFactory = new MockMetadataServerTransportFactory();
+ final String accessToken = "1/MkSJoj1xsli0AccessToken_NKPY2";
+ byte[] expectedSignature = {0xD, 0xE, 0xA, 0xD};
+
+ transportFactory.transport.setAccessToken(accessToken);
+ transportFactory.transport.setSignature(expectedSignature);
+ ComputeEngineCredentials credentials =
+ ComputeEngineCredentials.newBuilder().setHttpTransportFactory(transportFactory).build();
+
+ try {
+ credentials.sign(expectedSignature);
+ fail();
+ } catch (SigningException ex) {
+ assertNotNull(ex.getMessage());
+ assertNotNull(ex.getCause());
+ }
+ }
+
 @Test
 public void sign_accessDenied_throws() {
 MockMetadataServerTransportFactory transportFactory = new MockMetadataServerTransportFactory();
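Review bot: The assertions in `sign_getAccountFails` pass for any `SigningException` that carries a message and a cause, so they do not show that the failure came from the account lookup rather than from the signing call. Nothing in the test visibly arranges the lookup failure; it appears to rely on the mock transport having no service account email configured, which deserves a comment such as `// no service account email is set on the mock, so getAccount() fails`. Pinning the wrapper path with `assertEquals("Signing failed", ex.getMessage());` and giving `fail()` a message would make a regression easier to diagnose.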