I've created a gcloud compute instance where I would like to perform operations within the same project using the storage.objects.get and firebasedatabase.instances.update scopes.

Each instance is created with the Compute Engine default service account [email protected] which has Editor roles within the project. Because of this I assumed the instance would have the required permissions when initialized using
    admin.initializeApp({
      credential: admin.credential.applicationDefault()
    });
Requesting a Firestore instance, however, results in the error "Request had insufficient authentication scopes".

Now I've noticed that if I run gcloud compute instances describe my-instance, the result mentions both an email and scopes for serviceAccounts:
    "serviceAccounts": [
      {
        "email": "[email protected]",
        "scopes": [
          "https://www.googleapis.com/auth/devstorage.read_only",
          "https://www.googleapis.com/auth/logging.write",
          "https://www.googleapis.com/auth/monitoring.write",
          "https://www.googleapis.com/auth/pubsub",
          "https://www.googleapis.com/auth/service.management.readonly",
          "https://www.googleapis.com/auth/servicecontrol",
          "https://www.googleapis.com/auth/trace.append"
        ]
      }
    ]
What's the relation between the service account email and the predefined scopes? Is the instance not applying all scopes of the service account?
Even if I want to adjust my scopes I would need some help on translating the storage.objects.get and firebasedatabase.instances.update IAM definitions to the https://www.googleapis.com/auth/scope format. (https://www.googleapis.com/auth/firebasedatabase.instances.update does not exist.)
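
The scope list from the question, checked against the access scopes that Cloud Storage reads and Cloud Firestore accept (added example, not part of the original post). On Compute Engine a call succeeds only when the service account's IAM roles allow it and the instance's token carries an accepted scope; the names `ACCEPTED_SCOPES`, `granted_scopes` and `check_access`, the placeholder email, and the assumption that the Editor role permits both APIs are this example's own.

```python
import json

PREFIX = "https://www.googleapis.com/auth/"

# Scopes each API accepts on an access token; any one of them is enough.
ACCEPTED_SCOPES = {
    "storage-read": {"cloud-platform", "devstorage.read_only",
                     "devstorage.read_write", "devstorage.full_control"},
    "firestore": {"cloud-platform", "datastore"},
}

# Constructed sample: the scope list from the question; the email is a placeholder.
DESCRIBE_JSON = """
{"serviceAccounts": [{
  "email": "default-sa@example.invalid",
  "scopes": [
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/logging.write",
    "https://www.googleapis.com/auth/monitoring.write",
    "https://www.googleapis.com/auth/pubsub",
    "https://www.googleapis.com/auth/service.management.readonly",
    "https://www.googleapis.com/auth/servicecontrol",
    "https://www.googleapis.com/auth/trace.append"
  ]}]}
"""

def granted_scopes(describe_output):
    """Short scope names found in `gcloud compute instances describe --format=json`."""
    doc = json.loads(describe_output)
    scopes = set()
    for account in doc.get("serviceAccounts", []):
        for url in account.get("scopes", []):
            scopes.add(url[len(PREFIX):] if url.startswith(PREFIX) else url)
    return scopes

def check_access(describe_output, iam_allows):
    """Effective access per API = IAM allows it AND an accepted scope is on the token."""
    scopes = granted_scopes(describe_output)
    report = {}
    for api, accepted in ACCEPTED_SCOPES.items():
        scope_ok = bool(scopes & accepted)
        report[api] = {"scope_ok": scope_ok,
                       "effective": scope_ok and iam_allows.get(api, False)}
    return report

if __name__ == "__main__":
    # Assumption: the Editor role grants both APIs at the IAM level.
    for api, verdict in check_access(DESCRIBE_JSON, {"storage-read": True, "firestore": True}).items():
        print(api, verdict)
```
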