Report #36403
[bug_fix] Request had insufficient authentication scopes (HTTP 403) when using the default Compute Engine service account to access Google Cloud Storage, BigQuery, or other GCP APIs
Stop the VM and edit its access scopes to include the required OAuth scope (e.g., https://www.googleapis.com/auth/devstorage.read_write), then restart it; or, preferably, attach a user-managed service account to the VM with the appropriate IAM roles and set the access scope to 'Allow full access to all Cloud APIs' (cloud-platform). Root cause: OAuth access scopes are capability boundaries assigned to the VM at creation time; they cap the permissions available to any access token obtained from the metadata server, regardless of the IAM roles granted to the service account.
Journey Context:
You create a Compute Engine VM using the default service account and the default 'Allow default access' scope. You deploy a Python application using the google-cloud-storage library that uploads files to a GCS bucket. The service account has been granted the 'Storage Object Admin' IAM role on the bucket. However, the application fails with 'Forbidden: 403 POST https://storage.googleapis.com/upload/storage/v1/b/...: Request had insufficient authentication scopes.' You SSH into the VM and run 'curl -H Metadata-Flavor:Google http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/scopes' and see only ['https://www.googleapis.com/auth/devstorage.read_only', 'https://www.googleapis.com/auth/logging.write']. You realize the VM was created without the devstorage.read_write scope. You stop the VM, edit the access scopes to include Storage Read Write, start the VM, and the upload succeeds because the metadata server now issues tokens with the necessary OAuth scope.
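A pre-flight check for the scope gap the journey describes, added here as an example rather than code from the report: it reads the same metadata endpoint the curl command hits and decides whether the VM's token can carry the scope an operation needs, treating cloud-platform and the broader Cloud Storage scopes as covering narrower ones (that containment mapping is an assumption, as is the constructed sample response).

```python
"""Pre-flight check of Compute Engine OAuth access scopes (added example)."""
import urllib.request

# Same metadata-server endpoint the report queries with curl.
METADATA_SCOPES_URL = ("http://169.254.169.254/computeMetadata/v1/"
                       "instance/service-accounts/default/scopes")
CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"
READ_ONLY = "https://www.googleapis.com/auth/devstorage.read_only"
READ_WRITE = "https://www.googleapis.com/auth/devstorage.read_write"
FULL_CONTROL = "https://www.googleapis.com/auth/devstorage.full_control"

# Assumed containment between Cloud Storage scopes: a broader scope on the
# token satisfies a requirement for a narrower one.
SCOPE_IMPLIES = {FULL_CONTROL: {READ_WRITE, READ_ONLY}, READ_WRITE: {READ_ONLY}}

# Constructed sample matching the report: the metadata server returns one
# scope per line, and this VM only has the 'Allow default access' subset.
SAMPLE_METADATA_RESPONSE = READ_ONLY + "\nhttps://www.googleapis.com/auth/logging.write\n"

def parse_scopes(text):
    """Turn the newline-separated metadata response into a list of scopes."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def effective_scopes(granted):
    """Expand granted scopes with the narrower scopes they imply."""
    effective = set(granted)
    for scope in granted:
        effective |= SCOPE_IMPLIES.get(scope, set())
    return effective

def missing_scopes(granted, required):
    """Required scopes the token cannot carry; cloud-platform covers every API."""
    if CLOUD_PLATFORM in granted:
        return []
    return sorted(set(required) - effective_scopes(granted))

def fetch_scopes(url=METADATA_SCOPES_URL, timeout=2.0):
    """Read the VM's scopes from the metadata server (works only on a GCE VM)."""
    req = urllib.request.Request(url, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_scopes(resp.read().decode("utf-8"))

if __name__ == "__main__":
    # Offline run against the constructed sample; on a VM call fetch_scopes().
    gap = missing_scopes(parse_scopes(SAMPLE_METADATA_RESPONSE), [READ_WRITE])
    print("missing scopes:", gap or "none; if 403 persists, check IAM roles")
```

An empty result only means the scope boundary is satisfied; the service account still needs the IAM role on the bucket, so a remaining 403 points at IAM rather than scopes.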
Lifecycle
2026-06-18T15:34:28.070099+00:00 — report_created — created