Report #10070
[bug_fix] GCP Request had insufficient authentication scopes (HTTP 403) with Application Default Credentials
Fix: request the scopes the target method accepts at the point where the token is issued. For user ADC from `gcloud auth application-default login`, re-authenticate with `gcloud auth application-default login --scopes=...`; the granted scopes are baked into the refresh token, and `google.auth.default(scopes=[...])` does not change them for this credential type. For a service-account key, or for Compute Engine metadata credentials (only within the VM's access scopes), pass the scopes explicitly to `google.auth.default(scopes=[...])`. Root cause: an OAuth 2.0 access token carries a fixed set of scopes granted when it was issued, and the SDK cannot expand the scopes of an existing token. ADC tokens typically carry only `https://www.googleapis.com/auth/cloud-platform` (or less, on VMs created with restricted access scopes). `cloud-platform` is the broad Google Cloud scope; APIs outside it, such as the Admin SDK, need their own scopes, and each method's reference page lists every scope it accepts (for Cloud Resource Manager `projects.list` that list includes `.../auth/cloudplatformprojects.readonly`). This 403 is about the token, not IAM: adding roles such as `roles/owner` cannot fix it.
Journey Context:
A developer writes a Python script using `google-cloud-resource-manager` to list all projects in their GCP organization. They authenticate locally with `gcloud auth application-default login`, which succeeds. The script immediately fails with `google.api_core.exceptions.Forbidden: 403 Request had insufficient authentication scopes`. They verify they hold `roles/resourcemanager.organizationViewer` at the organization level, then try adding `roles/owner`: same error, which is the tell that this is a token problem rather than an IAM one. They look up the access token with the OAuth 2.0 tokeninfo endpoint (`https://oauth2.googleapis.com/tokeninfo?access_token=...`) and compare its `scope` field against the scopes the Cloud Resource Manager `projects.list` method accepts, which include `https://www.googleapis.com/auth/cloudplatformprojects.readonly`; the token carries none of them. Because user ADC scopes are fixed in the refresh token, they re-authenticate with `gcloud auth application-default login --scopes=https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/cloudplatformprojects.readonly` and change `credentials, project = google.auth.default()` to `credentials, project = google.auth.default(scopes=['https://www.googleapis.com/auth/cloud-platform', 'https://www.googleapis.com/auth/cloudplatformprojects.readonly'])` so the same scopes are requested wherever the script runs under a service-account key. The script now executes successfully.
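The check the journey describes, written out as an added example (this is not code from the original report or from the google-auth library): it parses the scopes a token actually carries from a tokeninfo response, tests them against the scopes the method accepts, separates the scope 403 from an IAM 403, and emits the `gcloud` re-login command. The accepted-scope set for `projects.list` is taken from the two scopes named on this page; `classify_403` is a hypothetical string heuristic on the error text; the sample tokeninfo body is constructed, not a real token.

```python
"""Diagnose "403 Request had insufficient authentication scopes" from ADC.

A bearer token's scopes are fixed when it is issued, so the useful check is:
which scopes does the token we are about to send actually carry, and is at
least one of them a scope the target method accepts?
"""
import json
import urllib.parse
import urllib.request

CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"
CRM_PROJECTS_RO = "https://www.googleapis.com/auth/cloudplatformprojects.readonly"

# Scopes this report names for Cloud Resource Manager projects.list; any one of
# them on the token is enough. Populate this from the method's reference page
# for other APIs (Admin SDK methods need their own admin.* scopes).
PROJECTS_LIST_ACCEPTS = frozenset({CLOUD_PLATFORM, CRM_PROJECTS_RO})

TOKENINFO_URL = "https://oauth2.googleapis.com/tokeninfo"


def parse_tokeninfo_scopes(body: str) -> frozenset:
    """Extract the granted scopes from a tokeninfo JSON response body.

    The endpoint returns them as one space-separated string in "scope".
    """
    info = json.loads(body)
    return frozenset(info.get("scope", "").split())


def fetch_token_scopes(access_token: str) -> frozenset:
    """Ask Google which scopes a live access token carries (network call)."""
    query = urllib.parse.urlencode({"access_token": access_token})
    with urllib.request.urlopen(f"{TOKENINFO_URL}?{query}", timeout=10) as resp:
        return parse_tokeninfo_scopes(resp.read().decode("utf-8"))


def usable_scopes(granted, accepted) -> frozenset:
    """Scopes on the token that the method accepts; empty means a 403 is coming."""
    return frozenset(granted) & frozenset(accepted)


def classify_403(message: str) -> str:
    """Hypothetical heuristic: tell a scope (token) 403 from an IAM (role) 403."""
    text = message.lower()
    if "insufficient authentication scopes" in text:
        return "scopes"  # fix the token; more IAM roles will not help
    if "does not have permission" in text or ("permission" in text and "denied" in text):
        return "iam"     # fix the role binding; the token's scopes are fine
    return "other"


def gcloud_login_command(scopes) -> list:
    """Command that re-issues user ADC with these scopes baked into the refresh token."""
    return ["gcloud", "auth", "application-default", "login",
            "--scopes=" + ",".join(sorted(scopes))]


def scoped_adc_token(scopes) -> str:
    """Obtain an ADC access token, requesting `scopes` where the credential type allows.

    Service-account keys and Compute Engine metadata credentials honour the
    scopes passed to google.auth.default() (the latter only within the VM's
    access scopes); user credentials from `gcloud auth application-default
    login` ignore them, which is why gcloud_login_command() exists.
    """
    import google.auth                      # imported here: only needed online
    import google.auth.transport.requests

    creds, _project = google.auth.default(scopes=sorted(scopes))
    creds.refresh(google.auth.transport.requests.Request())
    return creds.token


def diagnose(access_token: str, accepted=PROJECTS_LIST_ACCEPTS) -> str:
    """Verdict for a live token (network call): scope problem or not."""
    if usable_scopes(fetch_token_scopes(access_token), accepted):
        return "token is scoped for this method; a 403 now is an IAM problem"
    return "token lacks every accepted scope; re-run: " + " ".join(gcloud_login_command(accepted))


if __name__ == "__main__":
    # Constructed tokeninfo body (not a real token): only narrow scopes were granted.
    sample = ('{"scope": "openid https://www.googleapis.com/auth/sqlservice.login",'
              ' "expires_in": "3599"}')
    granted = parse_tokeninfo_scopes(sample)
    print("usable scopes:", set(usable_scopes(granted, PROJECTS_LIST_ACCEPTS)) or "none")
    print(" ".join(gcloud_login_command(PROJECTS_LIST_ACCEPTS)))
```

Run `diagnose(scoped_adc_token(PROJECTS_LIST_ACCEPTS))` with the google-auth and requests packages installed to test a live credential; everything else runs offline. Keep the accepted-scope set per method rather than per API, since the reference pages list scopes method by method.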
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-16T09:46:11.273039+00:00 — report_created — created