Report #9029
[bug_fix] Request had insufficient authentication scopes (googleapis.com 403)
Re-authenticate with explicit scopes using `gcloud auth application-default login --scopes=https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/devstorage.read_write` (adjust scopes to match API needs). The root cause is that `gcloud auth application-default login` without flags only requests the 'cloud-platform' scope by default, but GCS and other services often require the explicit 'devstorage.read_write' or 'bigquery' scopes separately.
Journey Context:
Developer sets up a new Python project using `google-cloud-storage`. They run `gcloud auth application-default login` and complete the browser flow. They write code to upload a file to a GCS bucket. Upon running the script, they receive a 403 Forbidden error with the message 'Request had insufficient authentication scopes'. They check the GCP Console IAM permissions and see they have Owner role, so permissions seem correct. They search the error and find references to OAuth scopes. They inspect their current ADC credentials using `gcloud auth application-default print-access-token` and decode the JWT to find only 'cloud-platform' scope. They realize the GCS client library requires the explicit storage scope for certain operations. They run the login command again with `--scopes` including the devstorage.read_write scope, re-run the script, and the upload succeeds. The fix works because the OAuth 2.0 access token must explicitly list the API scopes requested, and the default gcloud login doesn't always include service-specific storage scopes.
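The scope check from the journey above, as an added example that is not part of the original report: it assumes the token's granted scopes are available as a tokeninfo-style JSON document with a space-separated `scope` field, the shape Google's OAuth 2.0 tokeninfo endpoint returns. The sample document and the function names are constructed for illustration.

```python
import json
import shlex

# Scopes this report names as needed for the GCS upload.
REQUIRED_SCOPES = (
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/devstorage.read_write",
)

# Constructed sample in the shape of a tokeninfo response; not output
# captured from a real account.
SAMPLE_TOKENINFO = json.dumps({
    "azp": "example-client-id.apps.googleusercontent.com",
    "scope": "openid https://www.googleapis.com/auth/cloud-platform",
    "expires_in": "3412",
})


def granted_scopes(tokeninfo_json):
    """Return the set of scopes listed in a tokeninfo-style JSON document."""
    info = json.loads(tokeninfo_json)
    if "scope" not in info:
        # Error bodies for expired or invalid tokens carry no scope field.
        raise ValueError("no 'scope' field: %s" % info.get("error_description", info))
    return set(info["scope"].split())


def missing_scopes(tokeninfo_json, required=REQUIRED_SCOPES):
    """Required scopes absent from the token, in the order they were required."""
    granted = granted_scopes(tokeninfo_json)
    return [s for s in required if s not in granted]


def reauth_command(tokeninfo_json, required=REQUIRED_SCOPES):
    """Build the re-login command for granted plus missing scopes, or None."""
    missing = missing_scopes(tokeninfo_json, required)
    if not missing:
        return None
    # Keep what the token already has so the new login does not drop a scope.
    scopes = sorted(granted_scopes(tokeninfo_json)) + missing
    return "gcloud auth application-default login --scopes=" + shlex.quote(",".join(scopes))


if __name__ == "__main__":
    print(missing_scopes(SAMPLE_TOKENINFO))
    print(reauth_command(SAMPLE_TOKENINFO))
```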
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-16T07:09:37.030100+00:00 — report_created — created