diff --git a/plugins/discovery-gce/pom.xml b/plugins/discovery-gce/pom.xml
index b7c1c0a7a61..2baf3dffa08 100644
--- a/plugins/discovery-gce/pom.xml
+++ b/plugins/discovery-gce/pom.xml
@@ -28,7 +28,6 @@ governing permissions and limitations under the License. -->
     <properties>
         <elasticsearch.plugin.classname>org.elasticsearch.plugin.discovery.gce.GceDiscoveryPlugin</elasticsearch.plugin.classname>
         <google.gce.version>v1-rev71-1.20.0</google.gce.version>
-        <!-- currently has no unit tests -->
         <tests.rest.suite>discovery_gce</tests.rest.suite>
         <tests.rest.load_packaged>false</tests.rest.load_packaged>
         <xlint.options>-Xlint:-rawtypes,-unchecked</xlint.options>
diff --git a/plugins/discovery-gce/src/main/java/org/elasticsearch/plugin/discovery/gce/GceDiscoveryPlugin.java b/plugins/discovery-gce/src/main/java/org/elasticsearch/plugin/discovery/gce/GceDiscoveryPlugin.java
index a17c3962797..5f01a98a5f2 100644
--- a/plugins/discovery-gce/src/main/java/org/elasticsearch/plugin/discovery/gce/GceDiscoveryPlugin.java
+++ b/plugins/discovery-gce/src/main/java/org/elasticsearch/plugin/discovery/gce/GceDiscoveryPlugin.java
@@ -19,6 +19,10 @@
 
 package org.elasticsearch.plugin.discovery.gce;
 
+import com.google.api.client.http.HttpHeaders;
+import com.google.api.client.util.ClassInfo;
+
+import org.elasticsearch.SpecialPermission;
 import org.elasticsearch.cloud.gce.GceComputeService;
 import org.elasticsearch.cloud.gce.GceModule;
 import org.elasticsearch.common.Strings;
@@ -32,11 +36,34 @@ import org.elasticsearch.discovery.gce.GceDiscovery;
 import org.elasticsearch.discovery.gce.GceUnicastHostsProvider;
 import org.elasticsearch.plugins.Plugin;
 
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
 
 public class GceDiscoveryPlugin extends Plugin {
+    static {
+        /*
+         * GCE's http client changes access levels because its silly and we
+         * can't allow that on any old stack stack so we pull it here, up front,
+         * so we can cleanly check the permissions for it. Without this changing
+         * the permission can fail if any part of core is on the stack because
+         * our plugin permissions don't allow core to "reach through" plugins to
+         * change the permission. Because that'd be silly.
+         */
+        SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            sm.checkPermission(new SpecialPermission());
+        }
+        AccessController.doPrivileged(new PrivilegedAction<Void>() {
+            @Override
+            public Void run() {
+                ClassInfo.of(HttpHeaders.class, true);
+                return null;
+            }
+        });
+    }
 
     private final Settings settings;
     protected final ESLogger logger = Loggers.getLogger(GceDiscoveryPlugin.class);
diff --git a/plugins/discovery-gce/src/test/java/org/elasticsearch/discovery/gce/RetryHttpInitializerWrapperTests.java b/plugins/discovery-gce/src/test/java/org/elasticsearch/discovery/gce/RetryHttpInitializerWrapperTests.java
index eb3bbad4690..9bbc17feaaa 100644
--- a/plugins/discovery-gce/src/test/java/org/elasticsearch/discovery/gce/RetryHttpInitializerWrapperTests.java
+++ b/plugins/discovery-gce/src/test/java/org/elasticsearch/discovery/gce/RetryHttpInitializerWrapperTests.java
@@ -20,7 +20,13 @@
 package org.elasticsearch.discovery.gce;
 
 import com.google.api.client.googleapis.testing.auth.oauth2.MockGoogleCredential;
-import com.google.api.client.http.*;
+import com.google.api.client.http.GenericUrl;
+import com.google.api.client.http.HttpRequest;
+import com.google.api.client.http.HttpResponse;
+import com.google.api.client.http.HttpResponseException;
+import com.google.api.client.http.HttpStatusCodes;
+import com.google.api.client.http.LowLevelHttpRequest;
+import com.google.api.client.http.LowLevelHttpResponse;
 import com.google.api.client.json.JsonFactory;
 import com.google.api.client.json.jackson2.JacksonFactory;
 import com.google.api.client.testing.http.MockHttpTransport;
@@ -28,16 +34,15 @@ import com.google.api.client.testing.http.MockLowLevelHttpRequest;
 import com.google.api.client.testing.http.MockLowLevelHttpResponse;
 import com.google.api.client.testing.util.MockSleeper;
 import com.google.api.services.compute.Compute;
-import org.junit.Test;
+
+import org.elasticsearch.test.ESTestCase;
 
 import java.io.IOException;
 
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.lessThan;
-import static org.junit.Assert.assertThat;
-import static org.junit.Assert.fail;
 
-public class RetryHttpInitializerWrapperTests {
+public class RetryHttpInitializerWrapperTests extends ESTestCase {
 
     static private class FailThenSuccessBackoffTransport extends MockHttpTransport {
 
@@ -88,7 +93,6 @@ public class RetryHttpInitializerWrapperTests {
         }
     }
 
-    @Test
     public void testSimpleRetry() throws Exception {
 
         FailThenSuccessBackoffTransport fakeTransport =
@@ -112,7 +116,6 @@ public class RetryHttpInitializerWrapperTests {
         assertThat(response.getStatusCode(), equalTo(200));
     }
 
-    @Test
     public void testRetryWaitTooLong() throws Exception {
         int maxWaitTime = 10;
         int maxRetryTimes = 50;
@@ -149,7 +152,6 @@ public class RetryHttpInitializerWrapperTests {
         }
     }
 
-    @Test
     public void testIOExceptionRetry() throws Exception {
 
         FailThenSuccessBackoffTransport fakeTransport =