Remove redundant OAuth scopes from the provider. #8031


upodroid (Contributor) commented Dec 16, 2020

In GoogleCloudPlatform/magic-modules#4321 we scrubbed all references to redundant OAuth scopes in examples, as the current best practice is to use custom service accounts on VMs that are scoped to cloud-platform and to control their access via IAM roles.

In the next major release of the provider, the default scopes that the provider uses need to be changed as well.

var DefaultClientScopes = []string{
	// These need to be removed as they are part of the cloud-platform scope
	"https://www.googleapis.com/auth/compute",
	"https://www.googleapis.com/auth/ndev.clouddns.readwrite",
	"https://www.googleapis.com/auth/devstorage.full_control",
	"https://www.googleapis.com/auth/cloud-identity",
}


upodroid (Contributor, issue author) commented Aug 4, 2021

Can we also remove the https://www.googleapis.com/auth/cloud-identity scope?

The Cloud Identity API works with the cloud-platform scope. I noticed this while working on an unrelated task.

https://developers.google.com/identity/protocols/oauth2/scopes#cloudidentity

# On a GCE VM
mahamed@gsuite:~$ TOKEN=$(gcloud auth print-access-token)
mahamed@gsuite:~$ http https://cloudidentity.googleapis.com/v1/groups:lookup?groupKey.id=REDACTED@REDACTED "Authorization: Bearer $TOKEN"
HTTP/1.1 200 OK
Cache-Control: private
Content-Encoding: gzip
Content-Type: application/json; charset=UTF-8
Date: Wed, 04 Aug 2021 13:38:40 GMT
Server: ESF
Transfer-Encoding: chunked
Vary: Origin
Vary: X-Origin
Vary: Referer
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 0
{
    "name": "groups/REDACTED"
}
mahamed@gsuite:~$ http https://oauth2.googleapis.com/tokeninfo "Authorization: Bearer $TOKEN"
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Encoding: gzip
Content-Type: application/json; charset=UTF-8
Date: Wed, 04 Aug 2021 13:38:56 GMT
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Server: ESF
Transfer-Encoding: chunked
Vary: Origin
Vary: X-Origin
Vary: Referer
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 0
{
    "access_type": "online",
    "aud": "111995373771645511267",
    "azp": "111995373771645511267",
    "exp": "1628087917",
    "expires_in": "3580",
    "scope": "https://www.googleapis.com/auth/cloud-platform"
}
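As an added example, not code from the issue or from the provider: a small Go program that encodes what the two comments above establish. MinimizeScopes applies the proposed change (drop the four listed scopes whenever cloud-platform is also requested), and ParseTokenInfo, Covers and FetchTokenInfo reproduce in code the tokeninfo check the second comment performs with HTTPie. The function names, the Covers subsumption rule and the sample response are assumptions of this example; the set of scopes it treats as covered by cloud-platform is exactly the four the issue lists, and it infers nothing about any other scope.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// CloudPlatformScope is the single scope the issue proposes keeping as the provider default.
const CloudPlatformScope = "https://www.googleapis.com/auth/cloud-platform"

// SubsumedByCloudPlatform holds the four scopes the issue says cloud-platform already covers.
var SubsumedByCloudPlatform = map[string]bool{
	"https://www.googleapis.com/auth/compute":                 true,
	"https://www.googleapis.com/auth/ndev.clouddns.readwrite": true,
	"https://www.googleapis.com/auth/devstorage.full_control": true,
	"https://www.googleapis.com/auth/cloud-identity":          true,
}

// MinimizeScopes drops the scopes cloud-platform subsumes, but only when cloud-platform
// itself is requested; a list that was deliberately narrowed is returned unchanged.
func MinimizeScopes(requested []string) []string {
	hasCloudPlatform := false
	for _, s := range requested {
		hasCloudPlatform = hasCloudPlatform || s == CloudPlatformScope
	}
	out := make([]string, 0, len(requested))
	for _, s := range requested {
		if hasCloudPlatform && SubsumedByCloudPlatform[s] {
			continue
		}
		out = append(out, s)
	}
	return out
}

// TokenInfo is the part of the tokeninfo JSON this check needs.
type TokenInfo struct {
	Scope string `json:"scope"` // space-separated when several scopes were granted
}

// Covers reports whether the token can call an API that accepts want: either want
// was granted directly, or cloud-platform was granted and subsumes it (per the issue).
// A response with no scope field therefore covers nothing.
func (t TokenInfo) Covers(want string) bool {
	for _, s := range strings.Fields(t.Scope) {
		if s == want || (s == CloudPlatformScope && SubsumedByCloudPlatform[want]) {
			return true
		}
	}
	return false
}

// ParseTokenInfo decodes a tokeninfo response body.
func ParseTokenInfo(body []byte) (TokenInfo, error) {
	var t TokenInfo
	if err := json.Unmarshal(body, &t); err != nil {
		return t, fmt.Errorf("tokeninfo: %w", err)
	}
	return t, nil
}

// FetchTokenInfo is the programmatic form of the HTTPie call in the comment: a GET with
// "Authorization: Bearer <token>". The endpoint is a parameter so tests can use a local server.
func FetchTokenInfo(client *http.Client, endpoint, token string) (TokenInfo, error) {
	req, err := http.NewRequest(http.MethodGet, endpoint, nil)
	if err != nil {
		return TokenInfo{}, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := client.Do(req)
	if err != nil {
		return TokenInfo{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<16))
	if err != nil {
		return TokenInfo{}, err
	}
	if resp.StatusCode != http.StatusOK {
		return TokenInfo{}, fmt.Errorf("tokeninfo: HTTP %d: %s", resp.StatusCode, strings.TrimSpace(string(body)))
	}
	return ParseTokenInfo(body)
}

// SampleTokenInfo is a constructed response modelled on the comment's; aud/azp are placeholders.
const SampleTokenInfo = `{"access_type":"online","aud":"0","azp":"0","exp":"1628087917","expires_in":"3580","scope":"https://www.googleapis.com/auth/cloud-platform"}`

func main() {
	info, err := ParseTokenInfo([]byte(SampleTokenInfo))
	if err != nil {
		panic(err)
	}
	fmt.Printf("granted %q, covers cloud-identity: %v, minimal defaults: %v\n", info.Scope,
		info.Covers("https://www.googleapis.com/auth/cloud-identity"), MinimizeScopes([]string{"https://www.googleapis.com/auth/compute", CloudPlatformScope}))
}
```

To repeat the comment's check against a live token, call FetchTokenInfo(http.DefaultClient, "https://oauth2.googleapis.com/tokeninfo", token) with the output of `gcloud auth print-access-token`; that is the same request HTTPie sent above. One caveat worth keeping in mind when reading either result: the scopes on a service-account access token only bound what the token may ask for; what the caller can actually do is decided by the IAM roles bound to that service account, which is why the issue steers toward cloud-platform plus IAM rather than a hand-picked scope list.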


@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 21, 2021