Report #73891
[bug_fix] Error 403 "Request had insufficient authentication scopes." when calling Google Cloud APIs from Compute Engine
Stop the VM and edit the Cloud API access scopes to "Allow full access to all Cloud APIs" (which adds the https://www.googleapis.com/auth/cloud-platform scope), or specifically add the required API scope (e.g., https://www.googleapis.com/auth/cloudkms for Cloud KMS). Alternatively, migrate to using a service account JSON key file or Workload Identity Federation instead of the VM's default service account metadata, as these methods do not rely on VM-level OAuth scopes.
Journey Context:
Developer creates a Compute Engine instance using the default settings (default service account, "Allow default access"). They SSH into the instance and write a Python script using the google-cloud-secret-manager library to access a secret. The VM runs as the default compute service account, which has been granted the Secret Manager Secret Accessor IAM role. They run the script. It fails with 403 "Request had insufficient authentication scopes." Developer checks IAM: the role is definitely there. They try the same code on Cloud Shell, and it works. They realize it's specific to this VM. They check the VM details in the GCP Console and see that under Cloud API access scopes it lists Storage: Read Only, Compute: Read Write, etc., but no Secret Manager scope. They remember that GCE VMs use OAuth scopes from the metadata server in addition to IAM roles, and that default access only includes a limited set of scopes. They stop the VM, click Edit, change Cloud API access scopes to "Allow full access to all Cloud APIs", save, and start the VM. They re-run the script. It works. The OAuth scope https://www.googleapis.com/auth/cloud-platform (added by full access) was required in addition to the IAM permission.
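As an added example (not part of the report), the following Python check reads a VM's access scopes in the one-per-line format the metadata server returns and reports whether the scope an API needs is covered, treating cloud-platform as the superset scope that "Allow full access" grants. The metadata URL and the `Metadata-Flavor: Google` header are the real ones; the scope list embedded below is a constructed sample standing in for a VM created with default access, and the `diagnose` wording is this example's own.

```python
"""Check whether a Compute Engine VM's OAuth access scopes cover a given API.

Added example, not from the original report. A 403 "insufficient authentication
scopes" is the scope gate failing, which is independent of the IAM role gate.
"""
import urllib.request

# Real metadata-server path for the default service account's scopes.
# Only reachable from inside a GCE VM.
METADATA_SCOPES_URL = (
    "http://metadata.google.internal/computeMetadata/v1/"
    "instance/service-accounts/default/scopes"
)

# The scope that "Allow full access to all Cloud APIs" adds; it covers every API.
CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"

# Service-specific scope named in the report's fix as an alternative to full access.
CLOUDKMS = "https://www.googleapis.com/auth/cloudkms"

# Constructed sample mirroring a VM created with "Allow default access":
# storage read-only, compute, logging. Listed one per line exactly as the
# metadata server formats its response.
SAMPLE_DEFAULT_SCOPES = """https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/compute
https://www.googleapis.com/auth/logging.write
"""


def parse_scopes(body: str) -> set:
    """Parse the metadata server's newline-separated scope list into a set."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def scope_covers(granted: set, required: str) -> bool:
    """True if `required` is granted directly or via the cloud-platform superscope."""
    return CLOUD_PLATFORM in granted or required in granted


def fetch_instance_scopes(url: str = METADATA_SCOPES_URL, timeout: float = 2.0) -> set:
    """Query the metadata server from inside a GCE VM.

    The Metadata-Flavor header is mandatory; without it the server refuses
    the request. Off-VM this call fails on DNS resolution, by design.
    """
    req = urllib.request.Request(url, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_scopes(resp.read().decode())


def diagnose(granted: set, required: str) -> str:
    """Explain which gate a 403 points at: the VM scope gate or the IAM gate."""
    if scope_covers(granted, required):
        return f"scope {required} is covered; a 403 now points at IAM, not scopes"
    return (
        f"scope {required} is missing from the VM access scopes; expect "
        "'Request had insufficient authentication scopes' even with the IAM role"
    )


if __name__ == "__main__":
    # Offline walk-through on the constructed sample: the report's VM needed
    # cloud-platform for Secret Manager and did not have it.
    granted = parse_scopes(SAMPLE_DEFAULT_SCOPES)
    print(diagnose(granted, CLOUD_PLATFORM))
    print(diagnose(granted | {CLOUD_PLATFORM}, CLOUDKMS))
    # Inside a VM, replace the sample with the live list:
    # granted = fetch_instance_scopes()
```

To apply the report's fix from the CLI instead of the Console, stop the instance and run `gcloud compute instances set-service-account INSTANCE --zone ZONE --scopes=cloud-platform`, or pass the narrower service scope the API needs; the narrower choice keeps the VM's scope gate closer to least privilege than full access does. Of the two alternatives the fix mentions, a service account JSON key is a long-lived credential that has to be stored and rotated, whereas Workload Identity Federation issues short-lived tokens.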
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-21T06:37:29.152828+00:00 — report_created — created