diff --git a/authority/provisioner/aws.go b/authority/provisioner/aws.go
index 0692a638..612a2498 100644
--- a/authority/provisioner/aws.go
+++ b/authority/provisioner/aws.go
@@ -200,6 +200,9 @@ func (p *AWS) GetIdentityToken() (string, error) {
 		jose.SigningKey{Algorithm: jose.HS256, Key: signature},
 		new(jose.SignerOptions).WithType("JWT"),
 	)
+	if err != nil {
+		return "", errors.Wrap(err, "error creating signer")
+	}
 
 	now := time.Now()
 	payload := awsPayload{
diff --git a/authority/provisioner/gcp_test.go b/authority/provisioner/gcp_test.go
index 98b45907..4e63c2b1 100644
--- a/authority/provisioner/gcp_test.go
+++ b/authority/provisioner/gcp_test.go
@@ -226,6 +226,7 @@ func TestGCP_AuthorizeSign(t *testing.T) {
 		"https://foo.bar.zar", p1.GetID(),
 		"instance-id", "instance-name", "project-id", "zone",
 		time.Now(), &p1.keyStore.keySet.Keys[0])
+	assert.FatalError(t, err)
 	failAud, err := generateGCPToken(p1.ServiceAccounts[0],
 		"https://accounts.google.com", "gcp:foo",
 		"instance-id", "instance-name", "project-id", "zone",