Report #14736
[bug\_fix] Request had insufficient authentication scopes
When initializing the Google Cloud SDK client, explicitly specify the required OAuth 2.0 scopes. For Application Default Credentials \(ADC\) using service accounts, use \`google.auth.default\(scopes=\['https://www.googleapis.com/auth/cloud-platform'\]\)\` or the specific API scope \(e.g., \`https://www.googleapis.com/auth/devstorage.read\_only\`\). For GCE/GKE, ensure the instance is configured with the 'cloud-platform' access scope or the specific required scopes, as the default access scopes may exclude specific APIs.
Journey Context:
A developer writes a Python Cloud Function that uses the Google Cloud Storage client to write files. Locally, they authenticate using \`gcloud auth application-default login\` which obtains a token with broad scopes including cloud-platform, and the function works. When deployed to Cloud Run with a specific service account attached via Workload Identity, the function fails at runtime with '403 Request had insufficient authentication scopes'. The developer checks IAM and confirms the service account has \`roles/storage.objectCreator\`. They realize that OAuth 2.0 scopes in the access token are distinct from IAM permissions. The Workload Identity token by default may only have the 'cloud-platform' scope if explicitly requested, or may be limited. The developer discovers that the Cloud Run service was deployed without specifying the \`--set-env-vars=GOOGLE\_CLOUD\_PROJECT=...\` but more importantly, the client library was not requesting the storage scope explicitly. By updating the code to use \`google.auth.default\(scopes=\['https://www.googleapis.com/auth/cloud-platform'\]\)\` or ensuring the Cloud Run service account has the correct access scopes configured in the metadata server, the issue is resolved.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-16T22:18:36.841018+00:00— report_created — created