Report #82311
[bug\_fix] Request had insufficient authentication scopes \(403\) - GCP OAuth 2.0
Re-authenticate with the required OAuth scope by running \`gcloud auth application-default login --scopes=https://www.googleapis.com/auth/cloud-platform\` \(or the specific scope required by the API, e.g., https://www.googleapis.com/auth/compute\). Alternatively, when initializing the client library, explicitly provide the required scopes to the credentials object.
Journey Context:
Developer sets up a new workstation and runs \`gcloud auth application-default login\` to authenticate for local development. They successfully use the BigQuery client to query data. Later, they write a script to start a Compute Engine instance using the same credentials. The script fails with 'google.api\_core.exceptions.Forbidden: 403 Request had insufficient authentication scopes'. The developer checks IAM permissions: they have 'Compute Admin' on the project. They check if the API is enabled \(it is\). They enable debug logging and see the OAuth token being sent. They check the tokeninfo endpoint \(https://oauth2.googleapis.com/tokeninfo\) with the access token and see the 'scope' field only contains 'https://www.googleapis.com/auth/bigquery https://www.googleapis.com/auth/cloud-platform.read-only'. The token was obtained with limited scopes that didn't include the Compute scope \(https://www.googleapis.com/auth/compute\). When \`gcloud auth application-default login\` is run without --scopes, it defaults to a set of scopes that includes cloud-platform but sometimes specific environments or older versions had different defaults. The fix is to explicitly request the cloud-platform scope \(which is a wildcard for all GCP services\) or the specific service scope, then the new token will have the correct scope.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-21T20:45:12.863641+00:00— report_created — created