From 26066a824cbf1015063779cc4df199eaaa195e5a Mon Sep 17 00:00:00 2001 From: CFK5A0 Date: Sat, 18 Apr 2026 12:50:03 -0500 Subject: [PATCH 1/7] secretstores/googlecloud: default minimal Cloud Monitoring scope for standard service-account JSON keys MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When using a normal GCP service-account key (the JSON downloaded from the Cloud Console, type: "service_account") with the new secret store + token = "@{id:token}" pattern in outputs.stackdriver, the Google auth library previously received an unscoped token that was rejected by the Monitoring API. This change adds a tiny guarded default in Init(): - If credType == "service_account" and no scopes are explicitly set, automatically use ["https://www.googleapis.com/auth/monitoring"]. The existing GDCH/STS flow (via sts_audience) is completely untouched. The new `scopes` config option is also available for users who need a different set (e.g. cloud-platform). No changes to stackdriver.go or any other plugin — keeps the PR as small and low-risk as possible --- plugins/secretstores/googlecloud/README.md | 6 ++++++ plugins/secretstores/googlecloud/googlecloud.go | 9 +++++++++ plugins/secretstores/googlecloud/sample.conf | 6 ++++++ 3 files changed, 21 insertions(+) diff --git a/plugins/secretstores/googlecloud/README.md b/plugins/secretstores/googlecloud/README.md index a6e549db2cf95..7e4fa9031d38f 100644 --- a/plugins/secretstores/googlecloud/README.md +++ b/plugins/secretstores/googlecloud/README.md 
@@ -27,6 +27,12 @@ store usage. ## Path to the service account credentials file credentials_file = "./testdata/gdch.json" + ## Scopes for the generated access token. + ## Only used for standard public-GCP service-account JSON keys ("type": "service_account"). + ## Defaults to the minimal scope needed for Cloud Monitoring / Stackdriver. + ## GDCH/STS users should leave this unset (they rely on sts_audience instead). + # scopes = ["https://www.googleapis.com/auth/monitoring"] + ## Audience sent to when retrieving an STS token. ## Currently only used for GDCH auth flow sts_audience = "https://{AUDIENCE_URL}" diff --git a/plugins/secretstores/googlecloud/googlecloud.go b/plugins/secretstores/googlecloud/googlecloud.go index e6e4c72a8bdb9..8975d5563dc6e 100644 --- a/plugins/secretstores/googlecloud/googlecloud.go +++ b/plugins/secretstores/googlecloud/googlecloud.go @@ -28,6 +28,7 @@ func (*GoogleCloud) SampleConfig() string { type GoogleCloud struct { STSAudience string `toml:"sts_audience"` CredentialsFile string `toml:"credentials_file"` + Scopes []string `toml:"scopes"` // used for standard public-GCP service_account keys Log telegraf.Logger `toml:"-"` common_http.HTTPClientConfig @@ -49,9 +50,17 @@ func (g *GoogleCloud) Init() error { if err != nil { return fmt.Errorf("unable to parse credentials file type: %w", err) } + + // Default minimal scope only for standard public-GCP service-account JSON keys. + // GDCH/STS users continue to rely exclusively on sts_audience (Scopes is ignored). + if len(g.Scopes) == 0 && credType == "service_account" { + g.Scopes = []string{"https://www.googleapis.com/auth/monitoring"} + } + saType := credentials.CredType(credType) creds, err := credentials.NewCredentialsFromJSON(saType, serviceAccount, &credentials.DetectOptions{ + Scopes: g.Scopes, // new STSAudience: g.STSAudience, Client: client, Logger: slog.NewLogger(g.Log), 
diff --git a/plugins/secretstores/googlecloud/sample.conf b/plugins/secretstores/googlecloud/sample.conf index 4b50482845e4b..38ca8e4b2ec51 100644 --- a/plugins/secretstores/googlecloud/sample.conf +++ b/plugins/secretstores/googlecloud/sample.conf @@ -8,6 +8,12 @@ ## Path to the service account credentials file credentials_file = "./testdata/gdch.json" + ## Scopes for the generated access token. + ## Only used for standard public-GCP service-account JSON keys ("type": "service_account"). + ## Defaults to the minimal scope needed for Cloud Monitoring / Stackdriver. + ## GDCH/STS users should leave this unset (they rely on sts_audience instead). + # scopes = ["https://www.googleapis.com/auth/monitoring"] + ## Audience sent to when retrieving an STS token. ## Currently only used for GDCH auth flow sts_audience = "https://{AUDIENCE_URL}" From 895dc3e4cea5aeea365bbc94b16b0c4ea9c20e24 Mon Sep 17 00:00:00 2001 From: CFK5A0 Date: Thu, 23 Apr 2026 12:20:23 -0500 Subject: [PATCH 2/7] rename scopes to credential_scopes to stop collision with existing embedded scopes struct value --- plugins/secretstores/googlecloud/README.md | 2 +- plugins/secretstores/googlecloud/googlecloud.go | 2 +- plugins/secretstores/googlecloud/sample.conf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/plugins/secretstores/googlecloud/README.md b/plugins/secretstores/googlecloud/README.md index 7e4fa9031d38f..66b2f9f8f3c15 100644 --- a/plugins/secretstores/googlecloud/README.md +++ b/plugins/secretstores/googlecloud/README.md 
@@ -31,7 +31,7 @@ store usage. ## Only used for standard public-GCP service-account JSON keys ("type": "service_account"). ## Defaults to the minimal scope needed for Cloud Monitoring / Stackdriver. ## GDCH/STS users should leave this unset (they rely on sts_audience instead). - # scopes = ["https://www.googleapis.com/auth/monitoring"] + credential_scopes = ["https://www.googleapis.com/auth/monitoring"] ## Audience sent to when retrieving an STS token. ## Currently only used for GDCH auth flow diff --git a/plugins/secretstores/googlecloud/googlecloud.go b/plugins/secretstores/googlecloud/googlecloud.go index 8975d5563dc6e..00281a37bcbfc 100644 --- a/plugins/secretstores/googlecloud/googlecloud.go +++ b/plugins/secretstores/googlecloud/googlecloud.go @@ -28,7 +28,7 @@ func (*GoogleCloud) SampleConfig() string { type GoogleCloud struct { STSAudience string `toml:"sts_audience"` CredentialsFile string `toml:"credentials_file"` - Scopes []string `toml:"scopes"` // used for standard public-GCP service_account keys + Scopes []string `toml:"credential_scopes"` // used for standard public-GCP service_account keys Log telegraf.Logger `toml:"-"` common_http.HTTPClientConfig diff --git a/plugins/secretstores/googlecloud/sample.conf b/plugins/secretstores/googlecloud/sample.conf index 38ca8e4b2ec51..99fe50ca152e9 100644 --- a/plugins/secretstores/googlecloud/sample.conf +++ b/plugins/secretstores/googlecloud/sample.conf @@ -12,7 +12,7 @@ ## Only used for standard public-GCP service-account JSON keys ("type": "service_account"). ## Defaults to the minimal scope needed for Cloud Monitoring / Stackdriver. ## GDCH/STS users should leave this unset (they rely on sts_audience instead). - # scopes = ["https://www.googleapis.com/auth/monitoring"] + credential_scopes = ["https://www.googleapis.com/auth/monitoring"] ## Audience sent to when retrieving an STS token. ## Currently only used for GDCH auth flow From 30f13ed0e3c1d7f3bd788d87755ed30b151741b6 Mon Sep 17 00:00:00 2001 
From: Casey Flanigan <69858641+crflanigan@users.noreply.github.com> Date: Mon, 27 Apr 2026 10:48:16 -0500 Subject: [PATCH 3/7] Update plugins/secretstores/googlecloud/sample.conf Co-authored-by: Sven Rebhan <36194019+srebhan@users.noreply.github.com> --- plugins/secretstores/googlecloud/sample.conf | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/plugins/secretstores/googlecloud/sample.conf b/plugins/secretstores/googlecloud/sample.conf index 99fe50ca152e9..b5717b9c8e86d 100644 --- a/plugins/secretstores/googlecloud/sample.conf +++ b/plugins/secretstores/googlecloud/sample.conf @@ -8,11 +8,10 @@ ## Path to the service account credentials file credentials_file = "./testdata/gdch.json" - ## Scopes for the generated access token. - ## Only used for standard public-GCP service-account JSON keys ("type": "service_account"). - ## Defaults to the minimal scope needed for Cloud Monitoring / Stackdriver. - ## GDCH/STS users should leave this unset (they rely on sts_audience instead). - credential_scopes = ["https://www.googleapis.com/auth/monitoring"] + ## Scopes for the generated access token + ## Required for public-GCP service-accounts; GDCH/STS users can + ## ignore this option as only the audience parameter is evaluated. + # credential_scopes = ["https://www.googleapis.com/auth/monitoring"] ## Audience sent to when retrieving an STS token. ## Currently only used for GDCH auth flow From 7792ab0a2ea5ec8ba15f462b72861b9076b1a791 Mon Sep 17 00:00:00 2001 From: CFK5A0 Date: Tue, 28 Apr 2026 09:29:52 -0500 Subject: [PATCH 4/7] Run make docs --- plugins/secretstores/googlecloud/README.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/plugins/secretstores/googlecloud/README.md b/plugins/secretstores/googlecloud/README.md index 66b2f9f8f3c15..fdef5c78331ef 100644 --- a/plugins/secretstores/googlecloud/README.md +++ b/plugins/secretstores/googlecloud/README.md 
@@ -27,11 +27,10 @@ store usage. ## Path to the service account credentials file credentials_file = "./testdata/gdch.json" - ## Scopes for the generated access token. - ## Only used for standard public-GCP service-account JSON keys ("type": "service_account"). - ## Defaults to the minimal scope needed for Cloud Monitoring / Stackdriver. - ## GDCH/STS users should leave this unset (they rely on sts_audience instead). - credential_scopes = ["https://www.googleapis.com/auth/monitoring"] + ## Scopes for the generated access token + ## Required for public-GCP service-accounts; GDCH/STS users can + ## ignore this option as only the audience parameter is evaluated. + # credential_scopes = ["https://www.googleapis.com/auth/monitoring"] ## Audience sent to when retrieving an STS token. ## Currently only used for GDCH auth flow From 64f33553ad790b0d167d41b6de64c8e6eb8d8137 Mon Sep 17 00:00:00 2001 From: Casey Flanigan <69858641+crflanigan@users.noreply.github.com> Date: Wed, 29 Apr 2026 10:49:14 -0500 Subject: [PATCH 5/7] Update plugins/secretstores/googlecloud/googlecloud.go Co-authored-by: skartikey --- plugins/secretstores/googlecloud/googlecloud.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/secretstores/googlecloud/googlecloud.go b/plugins/secretstores/googlecloud/googlecloud.go index 00281a37bcbfc..f810a4764ea57 100644 --- a/plugins/secretstores/googlecloud/googlecloud.go +++ b/plugins/secretstores/googlecloud/googlecloud.go @@ -60,7 +60,7 @@ func (g *GoogleCloud) Init() error { saType := credentials.CredType(credType) creds, err := credentials.NewCredentialsFromJSON(saType, serviceAccount, &credentials.DetectOptions{ - Scopes: g.Scopes, // new + Scopes: g.Scopes, STSAudience: g.STSAudience, Client: client, Logger: slog.NewLogger(g.Log), From 385229fe8e21e0a5c29982d187d039412bf3ba09 Mon Sep 17 00:00:00 2001 
From: Casey Flanigan <69858641+crflanigan@users.noreply.github.com> Date: Wed, 29 Apr 2026 10:49:45 -0500 Subject: [PATCH 6/7] Update plugins/secretstores/googlecloud/googlecloud.go Co-authored-by: skartikey --- plugins/secretstores/googlecloud/googlecloud.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/secretstores/googlecloud/googlecloud.go b/plugins/secretstores/googlecloud/googlecloud.go index f810a4764ea57..79145623d0b12 100644 --- a/plugins/secretstores/googlecloud/googlecloud.go +++ b/plugins/secretstores/googlecloud/googlecloud.go @@ -28,7 +28,7 @@ func (*GoogleCloud) SampleConfig() string { type GoogleCloud struct { STSAudience string `toml:"sts_audience"` CredentialsFile string `toml:"credentials_file"` - Scopes []string `toml:"credential_scopes"` // used for standard public-GCP service_account keys + CredentialScopes []string `toml:"credential_scopes"` Log telegraf.Logger `toml:"-"` common_http.HTTPClientConfig From a0502632b18ad3b55706aeaea81a7a940f0de8f3 Mon Sep 17 00:00:00 2001 From: CFK5A0 Date: Fri, 1 May 2026 12:55:29 -0500 Subject: [PATCH 7/7] Remove dead code, default to more compatible API endpoint, update docs --- plugins/secretstores/googlecloud/README.md | 9 +++++---- plugins/secretstores/googlecloud/googlecloud.go | 6 +++--- plugins/secretstores/googlecloud/sample.conf | 9 +++++---- 3 files changed, 13 insertions(+), 11 deletions(-) diff --git a/plugins/secretstores/googlecloud/README.md b/plugins/secretstores/googlecloud/README.md index fdef5c78331ef..35083c5882a76 100644 --- a/plugins/secretstores/googlecloud/README.md +++ b/plugins/secretstores/googlecloud/README.md 
@@ -27,10 +27,11 @@ store usage. ## Path to the service account credentials file credentials_file = "./testdata/gdch.json" - ## Scopes for the generated access token - ## Required for public-GCP service-accounts; GDCH/STS users can - ## ignore this option as only the audience parameter is evaluated. - # credential_scopes = ["https://www.googleapis.com/auth/monitoring"] + ## OAuth2 scopes for the generated access token. + ## Defaults to cloud-platform for service-account credentials. + ## GDCH/STS users can ignore this option as only the audience + ## parameter is evaluated for those credential types. + # scopes = ["https://www.googleapis.com/auth/cloud-platform"] ## Audience sent to when retrieving an STS token. ## Currently only used for GDCH auth flow diff --git a/plugins/secretstores/googlecloud/googlecloud.go b/plugins/secretstores/googlecloud/googlecloud.go index 79145623d0b12..647109fdfe072 100644 --- a/plugins/secretstores/googlecloud/googlecloud.go +++ b/plugins/secretstores/googlecloud/googlecloud.go @@ -28,7 +28,6 @@ func (*GoogleCloud) SampleConfig() string { type GoogleCloud struct { STSAudience string `toml:"sts_audience"` CredentialsFile string `toml:"credentials_file"` - CredentialScopes []string `toml:"credential_scopes"` Log telegraf.Logger `toml:"-"` common_http.HTTPClientConfig 
@@ -51,10 +50,11 @@ func (g *GoogleCloud) Init() error { return fmt.Errorf("unable to parse credentials file type: %w", err) } - // Default minimal scope only for standard public-GCP service-account JSON keys. + // Default to cloud-platform scope for standard public-GCP service-account JSON keys. + // This covers all GCP APIs; actual permissions are still gated by IAM roles. // GDCH/STS users continue to rely exclusively on sts_audience (Scopes is ignored). if len(g.Scopes) == 0 && credType == "service_account" { - g.Scopes = []string{"https://www.googleapis.com/auth/monitoring"} + g.Scopes = []string{"https://www.googleapis.com/auth/cloud-platform"} } saType := credentials.CredType(credType) diff --git a/plugins/secretstores/googlecloud/sample.conf b/plugins/secretstores/googlecloud/sample.conf index b5717b9c8e86d..be6176620906f 100644 --- a/plugins/secretstores/googlecloud/sample.conf +++ b/plugins/secretstores/googlecloud/sample.conf @@ -8,10 +8,11 @@ ## Path to the service account credentials file credentials_file = "./testdata/gdch.json" - ## Scopes for the generated access token - ## Required for public-GCP service-accounts; GDCH/STS users can - ## ignore this option as only the audience parameter is evaluated. - # credential_scopes = ["https://www.googleapis.com/auth/monitoring"] + ## OAuth2 scopes for the generated access token. + ## Defaults to cloud-platform for service-account credentials. + ## GDCH/STS users can ignore this option as only the audience + ## parameter is evaluated for those credential types. + # scopes = ["https://www.googleapis.com/auth/cloud-platform"] ## Audience sent to when retrieving an STS token. ## Currently only used for GDCH auth flow
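Review bot: Once the struct hunk above removes `CredentialScopes`, the `g.Scopes` this hunk reads and assigns can only resolve to a field promoted from the embedded `common_http.HTTPClientConfig` (patch 2's message calls it the "existing embedded scopes struct value"), so Init() now rewrites a shared HTTP-client setting as a side effect, and the retained comment "(Scopes is ignored)" no longer describes the field actually being written. Keeping the default in a local removes that coupling: `scopes := g.Scopes`, `if len(scopes) == 0 && credType == "service_account" {`, `scopes = []string{"https://www.googleapis.com/auth/cloud-platform"}`, then pass `Scopes: scopes` in the `DetectOptions` call that follows the hunk. Separately, `cloud-platform` is the broadest OAuth scope: IAM still bounds what the service account may do, as the new comment says, but a leaked access token minted with this default is usable against every API the account is granted, whereas the earlier `monitoring` default bounded the token itself, so the README and sample.conf should state that operators who want a narrower token must set `scopes` explicitly. Init() begins and ends outside this hunk.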