getApplicationDefault not taking the IAM account from meta server in GCP

[justinvj15]

package:

"com.google.api-client" % "google-api-client" % "2.0.0"
"com.google.apis" % "google-api-services-sheets" % "v4-rev20220927-2.0.0"

Mine is a scala application running as K8S pod in GCP. inside the pod, I can call the curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/" -H "Metadata-Flavor: Google" url and i can get the IAM account which have the required permission to write to google sheet api.
i am using below code snippet

import com.google.api.client.googleapis.auth.oauth2.GoogleCredential
import com.google.api.client.json.gson.GsonFactory
import com.google.api.client.auth.oauth2.Credential
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport
import com.google.api.services.sheets.v4.model._
import com.google.api.services.sheets.v4.{Sheets, SheetsScopes}

  private val credentials = GoogleCredential.getApplicationDefault
    .createDelegated("sample@sampl.com")
    .createScoped(util.Arrays.asList(SheetsScopes.SPREADSHEETS))
  logger.info(
    s"print ${credentials.getServiceAccountScopesAsString}  ${credentials.getServiceAccountUser} ${credentials.getServiceAccountProjectId}"
  )

print statement returns null values for all the methods called. This works fine with setting GOOGLE_APPLICATION_CREDENTIALS env with json file of the IAM account. but does not work with IAM credentials from meta server. always getting below error

com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
POST https://sheets.googleapis.com/v4/spreadsheets
{
  "code": 403,
  "details": [
    {
      "@type": "type.googleapis.com/google.rpc.ErrorInfo",
      "reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT"
    }
  ],
  "errors": [
    {
      "domain": "global",
      "message": "Insufficient Permission",
      "reason": "insufficientPermissions"
    }
  ],
  "message": "Request had insufficient authentication scopes.",
  "status": "PERMISSION_DENIED"
}
	at com.google.api.client.googleapis.json.GoogleJsonResponseException.from(GoogleJsonResponseException.java:146)
	at com.google.api.client.googleapis.services.json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:118)
	at 

[suztomo]

Am I understanding the situation correctly with the below?

Works fine

Download the JSON file of the compute IAM account and set GOOGLE_APPLICATION_CREDENTIALS to point to the file.

It does not work

Download curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/" -H "Metadata-Flavor: Google" and use the credentials.

Would you share the documentation URL that you referenced (other than below)?

• https://cloud.google.com/docs/authentication/application-default-credentials
• https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#applications
• https://cloud.google.com/kubernetes-engine/docs/tutorials/authenticating-to-cloud-platform#use_the_default_service_account

The last one has the following explanation

Use the default Compute Engine service account
Each node in a GKE cluster is a Compute Engine instance. Therefore, applications running on a GKE cluster by default attempt to authenticate using the "Compute Engine default service account", and inherit the associated scopes.

Do you observe this default compute engine service account not working?

[burkedavison]

Closing issue due to lack of OP response. Please reopen if this is still an issue.