Report #5646
[bug\_fix] GCP 403 Insufficient OAuth Scopes on GCE
Stop the GCE instance, edit the VM's access scopes to include \`https://www.googleapis.com/auth/cloud-platform\` \(the full cloud-platform scope\), or preferably, switch to using a user-managed service account attached to the instance instead of the Compute Engine default service account, which decouples the dependency on legacy access scopes.
Journey Context:
A developer deploys a Node.js application to a Compute Engine VM instance. The application uses the Google Cloud Storage client library to upload images to a bucket. The VM is using the default Compute Engine service account. The developer has already granted the \`Storage Object Admin\` IAM role to the default service account. However, when the app runs, it throws \`ApiError: 403 Request had insufficient authentication scopes\`. The developer verifies the IAM policy is correct and the service account is not disabled. They SSH into the VM and run \`curl -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/scopes\` and see only \`https://www.googleapis.com/auth/devstorage.read\_only\`. They realize that when the VM was created via the console with default options, it only included read-only storage scopes. The IAM role allows writing, but the OAuth access token possessed by the metadata server only carries the read-only scope claim, causing the 403. They stop the VM, navigate to Edit > API Scopes, change from "Set access for each API" to "Allow full access to all Cloud APIs" \(which sets the cloud-platform scope\), and restart. The application now successfully uploads files because the token carries the necessary cloud-platform scope, allowing the IAM permission to be evaluated.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-15T21:48:03.852333+00:00— report_created — created