Report #66711
[bug_fix] GCP Compute Engine 'Request had insufficient authentication scopes' or 403 Forbidden using default service account
Stop using the Compute Engine default service account with limited access scopes. Create a new VM with the 'Allow full access to all Cloud APIs' scope (cloud-platform), or preferably attach a custom service account with specific IAM roles (which ignores access scopes). For GKE, use Workload Identity instead of the node pool's default service account. The root cause is that GCE VMs use OAuth access scopes as a second layer of restriction: even if the service account has the IAM permissions, the VM's scopes (e.g., 'Allow default access') can deny the API call.
Journey Context:
A developer deploys a Python application to a Compute Engine VM that needs to read from Cloud Storage. They use the default Compute Engine service account and grant it the 'Storage Object Viewer' IAM role. However, when the app calls `storage.Client()`, it gets a 403 Forbidden with 'Insufficient authentication scopes'. The developer checks IAM permissions repeatedly, confirming the role binding exists. They try creating a new service account key and uploading it to the VM, which works but is insecure. They research and discover that GCE VMs have 'Access Scopes' configured at VM creation time. Checking the VM details in the console, they see 'Cloud Platform: Disabled' and 'Storage: Read Only'. The default 'Allow default access' scope doesn't include Cloud Storage write or full API access. They have to stop the instance, change the scope to 'Allow full access to all Cloud APIs', and restart. Alternatively, they learn that if they use a user-managed service account (custom SA) attached to the VM, the access scopes are ignored in favor of IAM permissions, which is the recommended approach.
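An added diagnostic (not part of this report or of any Google library) that reads the attached service account's email and access scopes from the GCE metadata server and flags the two conditions described above: running as the Compute Engine default service account, and scopes that do not cover the call being made. The fallback email and scope list used off-GCE are constructed samples, and the least-to-most-privilege ordering of the storage scopes is an assumption of this script.

```python
import re
import urllib.request

# Real GCE metadata server paths; the Metadata-Flavor header is mandatory.
METADATA = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/"
CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"
# Cloud Storage scopes from least to most privilege (assumed: a higher rung covers lower ones).
STORAGE_LADDER = [
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/devstorage.read_write",
    "https://www.googleapis.com/auth/devstorage.full_control",
]
# Constructed sample resembling an 'Allow default access' VM, used when run off-GCE.
SAMPLE_DEFAULT_SCOPES = [
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/logging.write",
    "https://www.googleapis.com/auth/monitoring.write",
]
SAMPLE_DEFAULT_EMAIL = "123456789012-compute@developer.gserviceaccount.com"  # constructed


def metadata_get(path: str) -> str:
    """Fetch one attribute of the attached service account from the metadata server."""
    req = urllib.request.Request(METADATA + path, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def is_default_compute_sa(email: str) -> bool:
    """The Compute Engine default SA is named PROJECT_NUMBER-compute@developer.gserviceaccount.com."""
    return re.fullmatch(r"\d+-compute@developer\.gserviceaccount\.com", email) is not None


def scopes_cover(granted, required: str) -> bool:
    """Do the VM's OAuth scopes admit a call that needs `required`? (IAM is checked separately
    by the API and is not modelled here.) cloud-platform admits every API."""
    granted = set(granted)
    if CLOUD_PLATFORM in granted:
        return True
    if required in STORAGE_LADDER:
        return any(s in granted for s in STORAGE_LADDER[STORAGE_LADDER.index(required):])
    return required in granted


def diagnose(email: str, granted, required: str) -> list[str]:
    """Findings to act on before re-checking IAM role bindings yet again."""
    findings = []
    if is_default_compute_sa(email):
        findings.append("VM runs as the Compute Engine default service account")
    if not scopes_cover(granted, required):
        findings.append(f"access scopes do not cover {required}: expect 403 'Insufficient authentication scopes'")
    return findings


if __name__ == "__main__":
    try:
        email, scopes = metadata_get("email").strip(), metadata_get("scopes").split()
    except OSError:  # no metadata server reachable: use the constructed sample
        email, scopes = SAMPLE_DEFAULT_EMAIL, SAMPLE_DEFAULT_SCOPES
    for line in diagnose(email, scopes, STORAGE_LADDER[1]) or ["service account and scopes look fine"]:
        print(line)
```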
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-20T18:27:29.619500+00:00 — report_created — created