Skip to content

--scopes-preset all produces a token that can't read any data (includes cloud-platform) #3

Description

@arohan0929

Summary

Running auth login with the all preset produces credentials that can't query any health data. Every data command fails with 403 "Request contains disallowed OAuth scope(s)." The all preset includes the cloud-platform scope, and the data-plane endpoints reject any token that carries it.

Steps to reproduce

ghealth auth login --scopes-preset all
ghealth data steps daily-rollup --from 2026-06-25 --to 2026-07-02

Actual result

{
  "error": {
    "type": "api",
    "status": 403,
    "message": "Request contains disallowed OAuth scope(s).",
    "hint": "Check that the Health API is enabled and you have the required OAuth scopes"
  }
}

A tokeninfo call confirms cloud-platform is present alongside the googlehealth.* scopes.

Cause

ScopePreset("all") in pkg/auth/auth.go:199 returns every entry in AllScopes, and cloud-platform is one of them (pkg/auth/auth.go:66). So all means every scope, including the webhook-admin one, which breaks reads.

This incompatibility is already documented, but only in the webhooks command help and the source comment at cmd/webhooks.go:50 ("a token carrying cloud-platform is REJECTED by the data-plane endpoints"). Nothing near setup, auth login, or the preset docs mentions it, so picking all looks like the obvious choice and quietly breaks data reads.

What worked for me

Excluding cloud-platform from the all preset so it only covers data scopes. Webhook admin still works through a separate --scopes cloud-platform login, which is the pattern the docs already describe.

Version: ghealth 0.1.0 (dev)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions