Report #8886
[bug\_fix] Error 403: Request had insufficient authentication scopes.
Stop the GCE VM, edit the instance to change 'Access scopes' from 'Allow default access' to 'Allow full access to all Cloud APIs' \(or add the specific storage write scope\), and restart, because GCE instance access scopes act as a permission ceiling independent of IAM roles.
Journey Context:
A developer deploys a Go microservice to a Google Compute Engine VM using the default compute service account. The application uses the Google Cloud Storage client library to write objects. Locally, it works with GOOGLE\_APPLICATION\_CREDENTIALS set to a service account key. On GCE, it fails with googleapi: Error 403: Insufficient Permission: Request had insufficient authentication scopes., details: \[reason: insufficientPermissions, message: Insufficient Permission\]. The developer checks IAM in the console and sees the default service account has roles/storage.objectAdmin. Confused, they SSH into the VM and run gcloud auth list, which shows the correct service account. They then check the VM instance details in the console and notice under 'Access scopes' it says 'Allow default access', which grants read-only access to Cloud Storage and Pub/Sub but not write. The developer realizes that GCE enforces OAuth 2.0 access scopes at the instance level as a security ceiling, separate from IAM permissions. They stop the VM, click Edit, change 'Cloud Platform' access scope to 'Allow full access to all Cloud APIs' \(or specifically add the devstorage.read\_write scope\), and restart. The application now works because the instance metadata server returns an access token with the storage.write scope, which the GCS API accepts, allowing the write operation despite the IAM roles already being sufficient.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-16T06:44:14.673658+00:00— report_created — created