Report #11370
[bug_fix] Request had insufficient authentication scopes (403)
Re-authenticate with the required OAuth scope explicitly included, or configure Application Default Credentials (ADC) to request the specific scope (e.g., via gcloud auth application-default login --scopes). The root cause is that the OAuth 2.0 access token was minted for a set of scopes that does not include the scope required by the API method being invoked; GCP validates the token's scopes before it evaluates IAM permissions, so a correctly granted IAM role does not make the request succeed.
Journey Context:
You are developing locally using the Python google-cloud-storage library. You run gcloud auth login successfully and can list buckets via gsutil, but your script fails with 'Request had insufficient authentication scopes' when calling bucket.blob().upload_from_string(). You check the service account IAM policy and confirm it has roles/storage.admin. You inspect the token using gcloud auth print-access-token and decode it on jwt.io, noticing that the scope claim contains only 'https://www.googleapis.com/auth/cloud-platform'. You initially assume this broad scope includes storage, but realize the library requests 'https://www.googleapis.com/auth/devstorage.read_write', which is not in the token. You discover that gcloud auth application-default login without --scopes might grant only the cloud-platform scope depending on the gcloud version, or that the specific API requires an additional scope not included in the default ADC flow. You run gcloud auth application-default login --scopes=https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/devstorage.read_write, which updates the ADC JSON file. The script now works because the access token acquired by the library contains the specific storage scope that the Cloud Storage XML/JSON API requires for write operations.
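The scope check described above, as an added diagnostic script that is not part of the original report or of the google-cloud-storage library: it compares the scope claim returned by Google's tokeninfo endpoint against the scopes an operation needs and builds the re-login command. The required-scope set and the sample tokeninfo response are constructed for illustration; fetch_tokeninfo needs network access, while the check itself runs offline.

```python
"""Verify that an OAuth 2.0 access token carries the scopes an API call needs.

Intended use: run `gcloud auth print-access-token`, pass the result to
fetch_tokeninfo(), then feed the response to missing_scopes(). A constructed
sample response is embedded so the check can be exercised offline.
"""
import json
import urllib.parse
import urllib.request

TOKENINFO_URL = "https://oauth2.googleapis.com/tokeninfo"

# Assumed scope set for the write path in the report; adjust per API method.
STORAGE_WRITE_SCOPES = {
    "https://www.googleapis.com/auth/devstorage.read_write",
}


def fetch_tokeninfo(access_token: str) -> dict:
    """Query the tokeninfo endpoint for a live token (network required)."""
    query = urllib.parse.urlencode({"access_token": access_token})
    with urllib.request.urlopen(f"{TOKENINFO_URL}?{query}", timeout=10) as resp:
        return json.load(resp)


def missing_scopes(tokeninfo: dict, required: set) -> set:
    """Return required scopes absent from the space-separated `scope` claim.

    A missing or empty `scope` field is treated as no scopes granted, so every
    required scope is reported as missing rather than silently passing.
    """
    granted = set(tokeninfo.get("scope", "").split())
    return set(required) - granted


def adc_login_command(tokeninfo: dict, required: set) -> str:
    """Build the gcloud command that re-requests ADC with all needed scopes.

    Scopes already granted are kept so the fix does not drop existing access.
    """
    granted = set(tokeninfo.get("scope", "").split())
    scopes = sorted(granted | set(required))
    return "gcloud auth application-default login --scopes=" + ",".join(scopes)


# Constructed sample mirroring the report: only cloud-platform was granted.
SAMPLE_TOKENINFO = {
    "scope": "https://www.googleapis.com/auth/cloud-platform",
    "expires_in": "3599",
}

if __name__ == "__main__":
    gap = missing_scopes(SAMPLE_TOKENINFO, STORAGE_WRITE_SCOPES)
    print("missing scopes:", sorted(gap) or "none")
    if gap:
        print(adc_login_command(SAMPLE_TOKENINFO, STORAGE_WRITE_SCOPES))
```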
Lifecycle
2026-06-16T13:12:22.859923+00:00 — report_created — created