diff --git a/shared/grpc_clients/src/lib.rs b/shared/grpc_clients/src/lib.rs
index 33f4ed156..1cad389b9 100644
--- a/shared/grpc_clients/src/lib.rs
+++ b/shared/grpc_clients/src/lib.rs
@@ -1,45 +1,48 @@
 pub mod error;
 pub mod identity;
 pub mod tunnelbroker;
 // Re-export some dependencies which may need to be used by downstream crates
 pub use tonic;
 use error::Error;
 use std::path::Path;
+use std::time::Duration;
 use tonic::transport::{Certificate, Channel, ClientTlsConfig};
 use tracing::info;
 const CERT_PATHS: &[&str] = &[
 // MacOS and newer Ubuntu
 "/etc/ssl/cert.pem",
 // Common CA cert paths
 "/etc/ssl/certs/ca-bundle.crt",
 "/etc/ssl/certs/ca-certificates.crt",
 ];
+const CONNECT_TIMEOUT_DURATION: Duration = Duration::from_secs(5);
 pub(crate) fn get_ca_cert_contents() -> Option {
 CERT_PATHS
 .iter()
 .map(Path::new)
 .filter(|p| p.exists())
 .filter_map(|f| std::fs::read_to_string(f).ok())
 .next()
 }
 pub(crate) async fn get_grpc_service_channel(
 url: &str,
 ) -> Result {
 let ca_cert = crate::get_ca_cert_contents().expect("Unable to get CA bundle");
 info!("Connecting to gRPC service at {}", url);
- let mut channel = Channel::from_shared(url.to_string())?;
+ let mut channel = Channel::from_shared(url.to_string())?
+ .connect_timeout(CONNECT_TIMEOUT_DURATION);
 // tls_config will fail if the underlying URI is only http://
 if url.starts_with("https:") {
 channel = channel.tls_config(
 ClientTlsConfig::new().ca_certificate(Certificate::from_pem(&ca_cert)),
 )?
 }
 Ok(channel.connect().await?)
 }
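Review bot: The added `.connect_timeout(CONNECT_TIMEOUT_DURATION)` in `get_grpc_service_channel` bounds only connection establishment, so a peer that accepts the connection and then stops responding can still hold a caller indefinitely. If the RPCs issued over this channel carry no deadline of their own, consider also setting a per-request limit on the endpoint, e.g. `.timeout(REQUEST_TIMEOUT_DURATION)` with a new constant (the name is constructed here), after confirming it suits any long-lived streaming calls made through this helper. The five-second value is hard-coded for every service; a doc comment on the constant such as `/// Upper bound on establishing a connection to a gRPC service; does not limit individual requests.` would make that scope explicit to callers.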