diff --git a/plugins/secretstores/googlecloud/README.md b/plugins/secretstores/googlecloud/README.md
index a6e549db2cf95..35083c5882a76 100644
--- a/plugins/secretstores/googlecloud/README.md
+++ b/plugins/secretstores/googlecloud/README.md
@@ -27,6 +27,12 @@ store usage.
   ## Path to the service account credentials file
   credentials_file = "./testdata/gdch.json"
 
+  ## OAuth2 scopes for the generated access token.
+  ## Defaults to cloud-platform for service-account credentials.
+  ## GDCH/STS users can ignore this option as only the audience
+  ## parameter is evaluated for those credential types.
+  # scopes = ["https://www.googleapis.com/auth/cloud-platform"]
+
   ## Audience sent to when retrieving an STS token.
   ## Currently only used for GDCH auth flow
   sts_audience = "https://{AUDIENCE_URL}"
diff --git a/plugins/secretstores/googlecloud/googlecloud.go b/plugins/secretstores/googlecloud/googlecloud.go
index e6e4c72a8bdb9..647109fdfe072 100644
--- a/plugins/secretstores/googlecloud/googlecloud.go
+++ b/plugins/secretstores/googlecloud/googlecloud.go
@@ -49,9 +49,18 @@ func (g *GoogleCloud) Init() error {
 	if err != nil {
 		return fmt.Errorf("unable to parse credentials file type: %w", err)
 	}
+
+	// Default to cloud-platform scope for standard public-GCP service-account JSON keys.
+	// This covers all GCP APIs; actual permissions are still gated by IAM roles.
+	// GDCH/STS users continue to rely exclusively on sts_audience (Scopes is ignored).
+	if len(g.Scopes) == 0 && credType == "service_account" {
+		g.Scopes = []string{"https://www.googleapis.com/auth/cloud-platform"}
+	}
+
 	saType := credentials.CredType(credType)
 	creds, err := credentials.NewCredentialsFromJSON(saType, serviceAccount, &credentials.DetectOptions{
+		Scopes:      g.Scopes,
 		STSAudience: g.STSAudience,
 		Client:      client,
 		Logger:      slog.NewLogger(g.Log),
diff --git a/plugins/secretstores/googlecloud/sample.conf b/plugins/secretstores/googlecloud/sample.conf
index 4b50482845e4b..be6176620906f 100644
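Review bot: The new default-scope block applies only when `credType == "service_account"`, yet `Scopes: g.Scopes` is passed unconditionally, so a user who sets `scopes` on a GDCH/STS credential has it silently dropped even though the comment and README state it is ignored; an explicit warning would make that misconfiguration visible, e.g. `if len(g.Scopes) > 0 && credType != "service_account" { g.Log.Warnf("'scopes' is ignored for credential type %q", credType) }`. Whether other credential types the library may report for this file (user or external-account credentials, if `credType` can take such values) also consume scopes and now silently receive none is not visible in the hunk and should be checked against the credentials package. From a least-privilege standpoint `cloud-platform` is the broadest scope available; the comment rightly notes IAM still bounds the token, but the README could point operators at a narrower scope where the target API supports one. The enclosing `Init` body starts and ends outside the hunk.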
--- a/plugins/secretstores/googlecloud/sample.conf
+++ b/plugins/secretstores/googlecloud/sample.conf
@@ -8,6 +8,12 @@
   ## Path to the service account credentials file
   credentials_file = "./testdata/gdch.json"
 
+  ## OAuth2 scopes for the generated access token.
+  ## Defaults to cloud-platform for service-account credentials.
+  ## GDCH/STS users can ignore this option as only the audience
+  ## parameter is evaluated for those credential types.
+  # scopes = ["https://www.googleapis.com/auth/cloud-platform"]
+
   ## Audience sent to when retrieving an STS token.
   ## Currently only used for GDCH auth flow
   sts_audience = "https://{AUDIENCE_URL}"