
When using Application Default Credentials locally, calling G Suite APIs or Firebase APIs fails with googleapi: Error 403: Request had insufficient authentication scopes. #124

Open
sinmetal opened this issue Apr 2, 2020 · 14 comments

sinmetal (Member) commented Apr 2, 2020

WHAT

When trying to call G Suite APIs such as Google Spreadsheets, or the Firebase API, from an application while using Application Default Credentials, the request fails with 403 even though you have the permission.

Refs

WHY

With gcloud auth application-default login, the GCP scope obtained is the most powerful one, but it seems that G Suite and Firebase are not included in it?

Solution

Use gcloud auth application-default login --scopes to set whichever scopes you need.

For Spreadsheets it looks like gcloud auth application-default login --scopes "https://www.googleapis.com/auth/spreadsheets"

sinmetal self-assigned this Apr 2, 2020
sinmetal changed the title from "Local Application Default Credentials: googleapi: Error 403: Request had insufficient authentication scopes." to "When using Application Default Credentials locally, calling G Suite APIs or Firebase APIs fails with googleapi: Error 403: Request had insufficient authentication scopes." Apr 2, 2020
sinmetal (Member, Author) commented Apr 2, 2020

Alternatively, if what you want is an access token for an arbitrary service account, using creating-short-lived-service-account-credentials is the way to go.

To do this I think you need the token-creator role on the target ServiceAccount, so watch out for that (sinmetal hasn't yet tried which specific role is enough).

Go Sample Code

apstndb (Contributor) commented Apr 2, 2020

Specifically, it's this one:
https://cloud.google.com/iam/docs/understanding-roles?hl=en#service-accounts-roles

roles/iam.serviceAccountTokenCreator
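Putting the two comments above together, here is an added example (mine, not code from this issue or the project) that requests a short-lived access token for a service account through the IAM Credentials API using only Go's standard library. It assumes a caller whose own access token belongs to a principal holding roles/iam.serviceAccountTokenCreator on the target account; the service-account e-mail, the environment variable names and the base-URL variable are my own choices. A 403 from this call is the IAM check on the caller (the token creator role), which is a different failure from the scope 403 in the issue title.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"os"
	"time"
)

// iamCredentialsBase is a variable so tests can point it at a local server.
var iamCredentialsBase = "https://iamcredentials.googleapis.com/v1"

// generateAccessTokenRequest is the body of the IAM Credentials API method
// projects.serviceAccounts.generateAccessToken; lifetime is a duration
// string such as "3600s".
type generateAccessTokenRequest struct {
	Scope    []string `json:"scope"`
	Lifetime string   `json:"lifetime"`
}

// generateAccessTokenResponse is the part of the response we use.
type generateAccessTokenResponse struct {
	AccessToken string `json:"accessToken"`
	ExpireTime  string `json:"expireTime"`
}

// NewGenerateAccessTokenRequest builds the POST. callerToken is the access
// token of the principal that holds roles/iam.serviceAccountTokenCreator on
// the target service account; for local work that is your own ADC user token.
func NewGenerateAccessTokenRequest(ctx context.Context, callerToken, saEmail string, scopes []string, lifetime time.Duration) (*http.Request, error) {
	body, err := json.Marshal(generateAccessTokenRequest{
		Scope:    scopes,
		Lifetime: fmt.Sprintf("%ds", int(lifetime.Seconds())),
	})
	if err != nil {
		return nil, err
	}
	// The wildcard "-" in place of the project id is accepted by this API.
	url := iamCredentialsBase + "/projects/-/serviceAccounts/" + saEmail + ":generateAccessToken"
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+callerToken)
	req.Header.Set("Content-Type", "application/json")
	return req, nil
}

// GenerateAccessToken performs the call and decodes the short-lived token.
// A non-200 status is returned as an error carrying the response body, so a
// missing token creator role shows up as an explicit 403 message.
func GenerateAccessToken(ctx context.Context, client *http.Client, callerToken, saEmail string, scopes []string, lifetime time.Duration) (*generateAccessTokenResponse, error) {
	req, err := NewGenerateAccessTokenRequest(ctx, callerToken, saEmail, scopes, lifetime)
	if err != nil {
		return nil, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		b, _ := io.ReadAll(resp.Body)
		return nil, fmt.Errorf("generateAccessToken: HTTP %d: %s", resp.StatusCode, bytes.TrimSpace(b))
	}
	var out generateAccessTokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return nil, fmt.Errorf("decode response: %w", err)
	}
	return &out, nil
}

func main() {
	// Assumed environment (my naming): CALLER_TOKEN is the output of
	// `gcloud auth application-default print-access-token`, TARGET_SA is the
	// e-mail of the service account to impersonate.
	caller, sa := os.Getenv("CALLER_TOKEN"), os.Getenv("TARGET_SA")
	if caller == "" || sa == "" {
		fmt.Println("set CALLER_TOKEN and TARGET_SA")
		return
	}
	tok, err := GenerateAccessToken(context.Background(), http.DefaultClient, caller, sa,
		[]string{"https://www.googleapis.com/auth/cloud-platform"}, time.Hour)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("short-lived token expires at", tok.ExpireTime, "length", len(tok.AccessToken))
}
```

The returned token is scoped to what you pass in the request body, so the same least-privilege reasoning as for --scopes applies: request only the scopes the service account actually needs for the task.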

apstndb (Contributor) commented Apr 2, 2020

> For Spreadsheets it looks like gcloud auth application-default login --scopes "https://www.googleapis.com/auth/spreadsheets"

If you do that, you will really only be able to access spreadsheets, so it seems better to combine it with the scopes that gcloud auth application-default login grants by default:

gcloud auth application-default login --scopes "https://www.googleapis.com/auth/spreadsheets,https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/cloud-platform,openid"
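As an added example (not from the thread or the project), the following Go program does the two things a practitioner wants before re-running login: it checks which required scopes an existing ADC token lacks, by reading the space-separated scope field of the tokeninfo endpoint's response, and it builds the --scopes value from the gcloud defaults plus the scopes you need, so that cloud-platform is not dropped the way the first suggestion would drop it. The tokeninfo JSON in main is constructed; a real one is the output of curl "https://oauth2.googleapis.com/tokeninfo?access_token=$(gcloud auth application-default print-access-token)". The default scope list is the one quoted from the --scopes documentation in this thread; openid is not in that list, so pass it as an extra if you want it.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Scopes that gcloud auth application-default login grants when --scopes is
// not given (from the flag documentation quoted in this thread).
var gcloudDefaultScopes = []string{
	"https://www.googleapis.com/auth/userinfo.email",
	"https://www.googleapis.com/auth/cloud-platform",
}

// ScopesArg builds the value for --scopes: the gcloud defaults first, then the
// extra scopes you need, with duplicates dropped so the order is stable.
func ScopesArg(extra ...string) string {
	seen := map[string]bool{}
	var out []string
	for _, s := range append(append([]string{}, gcloudDefaultScopes...), extra...) {
		if !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	return strings.Join(out, ",")
}

// MissingScopes parses the JSON returned by
// https://oauth2.googleapis.com/tokeninfo?access_token=<token> (its "scope"
// field is a space-separated list) and returns the required scopes the token
// does not carry. An empty result means a 403 is an IAM or API-enablement
// problem rather than a scope problem.
func MissingScopes(tokenInfoJSON []byte, required ...string) ([]string, error) {
	var ti struct {
		Scope string `json:"scope"`
	}
	if err := json.Unmarshal(tokenInfoJSON, &ti); err != nil {
		return nil, fmt.Errorf("parse tokeninfo: %w", err)
	}
	have := map[string]bool{}
	for _, s := range strings.Fields(ti.Scope) {
		have[s] = true
	}
	var missing []string
	for _, r := range required {
		if !have[r] {
			missing = append(missing, r)
		}
	}
	sort.Strings(missing)
	return missing, nil
}

func main() {
	// Constructed sample of a tokeninfo response for a token minted with the
	// gcloud defaults only (no spreadsheets scope).
	sample := []byte(`{"scope":"https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/cloud-platform","email":"dev@example.com"}`)
	need := []string{
		"https://www.googleapis.com/auth/spreadsheets",
		"https://www.googleapis.com/auth/cloud-platform",
	}
	missing, err := MissingScopes(sample, need...)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if len(missing) == 0 {
		fmt.Println("token carries every required scope")
		return
	}
	fmt.Println("token is missing scopes:", strings.Join(missing, " "))
	fmt.Println("re-login with: gcloud auth application-default login --scopes", ScopesArg(missing...))
}
```

Running the scope check first saves a round of guessing: if MissingScopes is empty, re-logging in with more scopes will not fix the 403 and the next place to look is IAM or API enablement.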

sinmetal (Member, Author) commented Apr 2, 2020

Nice. What scopes does Firebase use again?

sinmetal (Member, Author) commented Apr 2, 2020

If we have https://www.googleapis.com/auth/firebase, can we grab everything at once, the same way as with https://www.googleapis.com/auth/cloud-platform?

apstndb (Contributor) commented Apr 2, 2020

By the way, the default value of --scopes is written in the description of --scopes:
https://cloud.google.com/sdk/gcloud/reference/auth/application-default/login#--scopes

> By default https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/cloud-platform scopes are used. The list of possible scopes can be found at: https://developers.google.com/identity/protocols/googlescopes.

As it says above, the list of scopes is at
https://developers.google.com/identity/protocols/oauth2/scopes

apstndb (Contributor) commented Apr 2, 2020

> If we have https://www.googleapis.com/auth/firebase, can we grab everything at once, the same way as with https://www.googleapis.com/auth/cloud-platform?

As the scope list shows,
https://www.googleapis.com/auth/firebase
looks like the broadest one.
There is also
https://www.googleapis.com/auth/firebase.readonly

sinmetal (Member, Author) commented Apr 2, 2020

For G Suite there is no scope that grabs everything; if anything, you look at https://developers.google.com/identity/protocols/oauth2/scopes#scriptv1 and diligently add the ones you need, I suppose?

apstndb (Contributor) commented Apr 2, 2020

Looks like that's how it'll be.

sinmetal (Member, Author) commented Apr 2, 2020

I see. Well, G Suite is huge and holds all sorts of data, so I guess it can't be helped.

apstndb (Contributor) commented Apr 2, 2020

Well, it is scary to imagine what would happen if a refresh token that can issue all-powerful access tokens ever leaked...

sinmetal (Member, Author) commented Apr 2, 2020

Noting that #89 is a somewhat similar topic.

sinmetal (Member, Author) commented Jan 5, 2021

With the Drive API, even when the QuotaProject option is specified, at run time the ProjectNumber is fixed to 764086051850 and you get googleapi: Error 403: Access Not Configured. Drive API has not been used in project 764086051850 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/drive.googleapis.com/overview?project=764086051850 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry., accessNotConfigured

In this case, if you specify gcloud auth application-default login --client-id-file, you can run with the project that owns the ClientID as the QuotaProject.

sinmetal (Member, Author) commented Jun 21, 2024

A notice arrived saying that from June 23, 2025 onward, only Google Cloud scopes can be specified with gcloud auth application-default login --scopes=<list of scopes>.
So it looks like --client-id-file will be mandatory when you want to read Google Drive files and the like.

> We’re writing to inform you that the Google Cloud CLI team will be making changes to the scopes supported by gcloud auth application-default login command on or after June 23, 2025.
>
> What you need to know
>
> Starting June 23, 2025:
>
> - If you are using gcloud’s OAuth client, all non-cloud scopes will no longer work with the gcloud auth application-default login --scopes=<list of scopes> command.
> - If you are NOT passing in your own OAuth client through the --client-id-file flag, then you are using gcloud’s OAuth client.
> - Google Drive scopes are included in the scopes that will be removed.
>
> After June 23, 2025:
>
> - If you continue using one of the non-cloud scopes, you will receive the Access Blocked: Authorization Error.
> - We will continue to support [https://www.googleapis.com/auth/cloud-platform](https://notifications.google.com/g/p/ANiao5qKiaZban9fvLOqRTlWsziprfDIaCbFRYCLp6JQx9mPLaOIoUUXQLT6CjjLQyK1eyS1lGaK1zUawq1bIdHqY_mh7jxYTQb_xBI4H5t84CbC41j75F-CC1vigP7j706q_hcsuptY2SIsWk6Dw040qOsOMUA8nUq79SXaxjPePMqhyz9mMknFm0aRxx_lKlIWrF40oGzsJEYxkqCIpgcvbxrdOp8btrCdqWjqvg) and other Cloud scopes through gcloud’s OAuth client.
> - If you have obtained tokens with any of the scopes that are being removed, you will be able to continue refreshing the tokens. You will be impacted only when you run gcloud auth application-default login --scopes=<list of scopes> with one of the impacted scopes.
>
> For example, users will be impacted who:
>
> - use BigQuery functionality to access data in Google Drive external tables;
> - use this functionality through BigQuery client libraries; and
> - generate credentials from the below command.
>
> gcloud auth application-default login --scopes=https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/cloud-platform
>
> What you need to do
>
> No action is required on your part if:
>
> - You are not using --scopes to set scopes.
> - You are not listing any non-cloud scopes in that parameter.
>
> Action is required on your part if any of the following scenarios apply:
>
> - You no longer require these certain scopes in your code, we recommend you safely remove them from the scopes flag by only including the scopes you need (For example --scopes=https://www.googleapis.com/auth/cloud-platform).
> - You still need any non-cloud scope, follow the instructions below to set up your own OAuth client and use it with any scope.
>
> 1. [Create a google cloud project](https://notifications.google.com/g/p/ANiao5pcF7q4d1qvdID0WZYJtVOnXvUpWuSK0wTRgUUFeJai-3jUd134jyvYPAz9LFZUVqhMy8_v0Oriik96i-IcP5Rww1aUSPqOw-FIAycVHXDpx4OKtbsRX6JPHqOTeCQ2HK5Py9cwGcFGF3xw_OrIG9hcKQ1tzTmW7g_68znehzIUExw1nIetYxk81sL-zaqmDuhyhUgSpZkOR5AecRrjGQfn-017HUG-3-rFSCTWnuwk6k3hWzCXJ0alIg) to use for local development and testing. It is recommended to maintain separate projects for development/testing and production.
> 2. Follow the [steps](https://notifications.google.com/g/p/ANiao5rPUQGMELl6prBqVAtlfr-hfn6YbOq40zUmMGbU3Jigeb9liY034FEi8vp4MN6FQL4uRziFsGdiNEj_BslxDmGL9W8YQpzJyHWGX-w-Q5VJkKGY01HKfElATTuYGhrB4UXKPTLpgANe4wa6zRSTNgdhTT4gM7Awpon7RNYqQtXpM-mORfbW5kLQfuBNqGYeS9fFKwGIbZ9RZLz3s7vyLGMPWkLniKSPePLd2emTPcH84ulCj1sVeL2MGNwPNM9AMMNgcg) to set up the OAuth Consent Screen and scopes for the project.
>    - If you are part of a Google Workspace organization, you will have the option to select the user type as Internal or External. It is recommended to pick Internal since the project is going to be used for development purposes.
>    - If you are using a gmail account, you only have the External option. By default the Publishing Status is Testing and it is recommended to keep it that way for development purposes.
>    - More details on the User Type and Publishing Status can be found [here](https://notifications.google.com/g/p/ANiao5p2bK90qVkapr6WSluhRr9Om_3N-c-yWCYpjDtJICop6KIZZKRahyEJzfcAMKJ9tMnP4B4RDJ_GPhrfyaAdwM6EuwQbs2Q8Ksr_kkU4cwQe1AtlR-GYSO18MjccE-44r3YFfAMYivcS2ni1MhiFPMbAmzTdZnUSStfbseQkBg__rJ-8KLHmOGbZRascD1qFqbtlim5kfXlizXge9nSKdX_0m_N9DM5Aku9gdNXw).
> 3. Create your own OAuth client as described in the ["Setting up OAuth 2.0"](https://notifications.google.com/g/p/ANiao5oznE2cQAWjaQJKfYEMTZn-BVmACSnCvMbjXRxvaQKNfwc4Ltu-Yai-hQKOWy1O3bGwev1zjcYTsBmXWnZngsUI4_J9yc1biAqhQueKKNbBE8SJ4IgbH7J2Oqyapvvowl6EwRc7X-gxv0GjWC2SkUkbNag5EQSgJh0qA6pvGnFvo8s9FP3MyAr-9kNeM8Oy56QVOkEYxpmMhlyAElZuWmXbnLvrTK8NFeYAXSE) instructions.
>    Note: Make sure you select Desktop App as the Application Type while creating the OAuth client.
>    Depending upon the admin settings of your organization, your admin might have to configure the OAuth client by following [these steps](https://notifications.google.com/g/p/ANiao5pt5_b2sjhvPJB9DBV_YD2w5Z403V5PNMkB_xjK7A4uQ66RBOVzn6iNeubsMP1iTGMsRX-nIguGOWglRMj67fhZrKLSE5lGOJOOZ2wYSHd_qwg9OEuOBufHvvflsrqqcTdac_vXX51avOQaNAQrVBo5NUQTFqd5RZu3OPngj60rPjQpA6nUMxONndZpKdxkCQ6JWBtF3wOQBCaie5Pj7mIntd7KA70yriwBuA8ILbNBy28).
> 4. Download the JSON for the OAuth client you just created and provide it through the [client-id-file flag](https://notifications.google.com/g/p/ANiao5rO7PHob-pWzESqBZFKFY8vyWvBQvgBRCdN_rGXboCSPAE79or1QD6Lp86XssNZP2ZzL5ckKkhgD2RRRGoTJ7BnCTikxOdUtg6PFkXm74vVqaRfHbyUuFNechGJpINnR1PU2jT4X66mV04FYCGk3wlVlZiZjXmjOtdXInXb0ACYhpm9XV8vOmG7Ri-hD0OQTCmFHF8shB0OVEctI9x3NSTK0swbCIg6sBRp8xfrWWY1p6zRn5kgyzApojFcTSJ84HmXegMXxZFcXO3u3WEl6vmVMHwvoXiSX78c) when running the gcloud command. When using your own OAuth client, you will have access to any scope.
>    Note: If you are running on a headless (no browser) environment, please include the [--no-browser](https://notifications.google.com/g/p/ANiao5qpO2K2IOvbAaSrqIdCuqblRDHOjDY0AGBNm2TH60tqz7Mm-sZFHa4Y5yLYeGxghrTqVC5uBq-vYkciqY000fr_Kt5R4nJB7Q4dU3qecrgF-GbvRq4ZQxSgpiX4XryFqXRM1wI_UvVJzV1j8iBHSGCXrqzF4MJBmGcY7AQfMKa22Emg31fubWXgzO0fzHwIDZj2FzoFeOA4xWfpehr2F8hy_-bwjcmgdZv7Ia4ZZl6OH-VaMqmp-3ghE9tvDm7p58UG8d7hdqj_VY_7aoe-ItjrH1_BbdA) flag.
>
> gcloud auth application-default login --scopes=<your scopes> --client-id-file=<path to the json you downloaded>
>
> Thanks for choosing Google Cloud CLI.
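The two comments above (the Drive API quota project fixed to 764086051850, and the notice that gcloud's own OAuth client stops issuing non-Cloud scopes) both come down to which OAuth client minted the ADC file. As an added example that is not from the thread or the project, this Go program reads the ADC JSON that gcloud auth application-default login writes and reports whether the credential was minted with gcloud's built-in client, judged by the project-number prefix that OAuth client ids carry, so you know before calling a Workspace API whether --client-id-file is needed. The sample ADC JSON in main is constructed; the client id hash and project names in it are placeholders, and the Verdict type and function names are mine.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// gcloudClientProject is the project number this thread reports as fixed for
// Drive API calls: the project that owns gcloud's own OAuth client. OAuth
// client ids start with the owning project's number, which is what we test.
const gcloudClientProject = "764086051850"

// adcUserCredential is the subset of the authorized_user JSON that
// gcloud auth application-default login writes.
type adcUserCredential struct {
	Type           string `json:"type"`
	ClientID       string `json:"client_id"`
	QuotaProjectID string `json:"quota_project_id"`
}

// Verdict summarises what the credential file implies for Workspace APIs.
type Verdict struct {
	UserCredential bool   // true for type "authorized_user"
	GcloudClient   bool   // minted with gcloud's built-in OAuth client
	QuotaProject   string // quota_project_id, if any
	Advice         string
}

// UsesGcloudClient reports whether an OAuth client id belongs to gcloud's own
// client, judged by the project-number prefix of the id.
func UsesGcloudClient(clientID string) bool {
	return strings.HasPrefix(clientID, gcloudClientProject+"-")
}

// InspectADC parses an ADC JSON body and says whether Drive/Workspace calls
// will be attributed to gcloud's project (and, after June 23, 2025, whether
// non-Cloud scopes can be obtained at all) or to your own OAuth client's project.
func InspectADC(data []byte) (Verdict, error) {
	var c adcUserCredential
	if err := json.Unmarshal(data, &c); err != nil {
		return Verdict{}, fmt.Errorf("parse ADC json: %w", err)
	}
	v := Verdict{QuotaProject: c.QuotaProjectID}
	if c.Type != "authorized_user" {
		v.Advice = fmt.Sprintf("type %q is not a user credential from gcloud login; this check does not apply", c.Type)
		return v, nil
	}
	v.UserCredential = true
	v.GcloudClient = UsesGcloudClient(c.ClientID)
	if v.GcloudClient {
		v.Advice = "gcloud's built-in client: Drive API calls run as project " + gcloudClientProject +
			" whatever quota_project_id says, and non-Cloud scopes are not issued to this client after June 23, 2025;" +
			" re-run gcloud auth application-default login with --client-id-file"
	} else {
		v.Advice = "own OAuth client: Workspace calls are attributed to the project that owns client_id and any scope can be requested"
	}
	return v, nil
}

// DefaultADCPath mirrors where the client libraries look on Linux/macOS:
// GOOGLE_APPLICATION_CREDENTIALS first, otherwise gcloud's well-known file.
func DefaultADCPath() string {
	if p := os.Getenv("GOOGLE_APPLICATION_CREDENTIALS"); p != "" {
		return p
	}
	home, _ := os.UserHomeDir()
	return filepath.Join(home, ".config", "gcloud", "application_default_credentials.json")
}

func main() {
	data, err := os.ReadFile(DefaultADCPath())
	if err != nil {
		// Constructed sample so the program runs without a real ADC file;
		// the hash after the project number and the secrets are placeholders.
		data = []byte(`{"type":"authorized_user","client_id":"764086051850-constructed.apps.googleusercontent.com","client_secret":"REDACTED","refresh_token":"REDACTED","quota_project_id":"my-dev-project"}`)
	}
	v, err := InspectADC(data)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("user credential: %v, gcloud client: %v, quota project: %q\n%s\n",
		v.UserCredential, v.GcloudClient, v.QuotaProject, v.Advice)
}
```

The ADC file holds a long-lived refresh token, which is why the earlier comment about a leaked refresh token matters here too: the program only reads client_id, type and quota_project_id and never prints the secret fields.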
