Open
Description
Hello, I'm not sure if it is an issue, but I'm sharing what happened to me.
Explanation
https://www.googleapis.com/auth/devstorage.read_write : Allows access to read and change data, but not metadata like IAM policies.
So when patching metadata and using a service account key, the API returns:
```json
{
  "error": {
    "code": 403,
    "message": "Provided scope(s) are not authorized",
    "errors": [
      {
        "message": "Provided scope(s) are not authorized",
        "domain": "global",
        "reason": "forbidden"
      }
    ]
  }
}
```
According to: Cloud Storage OAuth 2.0 scopes | Google Cloud
The default scope for patch_metadata should have been:
https://www.googleapis.com/auth/devstorage.full_control
to be able to PATCH.
As said here:
Objects: patch | Cloud Storage | Google Cloud:
“To return ACLs as part of the response, the authenticated user must also have the storage.objects.getIamPolicy permission.”
My understanding is that this is to be able to retrieve the ACLs even if we do not use them.
Easy workaround usage:
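```python
# Imports assume the gcloud-aio-auth and gcloud-aio-storage packages.
from gcloud.aio.auth import Token
from gcloud.aio.storage import Storage

SCOPE_FULL_CONTROL = "https://www.googleapis.com/auth/devstorage.full_control"

async def main():
    # Request the full_control scope explicitly instead of relying on the default scope.
    token = Token(scopes=[SCOPE_FULL_CONTROL])
    async with Storage(token=token) as client:
        await client.patch_metadata(...)  # coroutine: must be awaited
```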
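Added example, not part of the original issue and not the project's code: a small triage helper that separates the scope-related 403 quoted above from other 403 responses, so a scope problem is fixed on the token rather than by widening IAM roles. The function names, the `OTHER_403` sample and the advice strings are assumptions made for illustration.

```python
import json

# Scope the issue reports as needed for patch_metadata, and the message it quotes.
SCOPE_FULL_CONTROL = "https://www.googleapis.com/auth/devstorage.full_control"
SCOPE_READ_WRITE = "https://www.googleapis.com/auth/devstorage.read_write"
SCOPE_MESSAGE = "Provided scope(s) are not authorized"

# Error body as quoted in the issue.
SCOPE_403 = json.dumps({"error": {"code": 403, "message": SCOPE_MESSAGE, "errors": [
    {"message": SCOPE_MESSAGE, "domain": "global", "reason": "forbidden"}]}})

# Constructed sample: a 403 that is not about token scopes.
OTHER_403 = json.dumps({"error": {"code": 403, "message": "constructed: access denied",
    "errors": [{"message": "constructed: access denied", "domain": "global",
                "reason": "forbidden"}]}})


def classify_403(body):
    """Return 'scope', 'other-forbidden' or 'not-403' for an API error body."""
    try:
        err = json.loads(body).get("error", {})
    except (ValueError, AttributeError):
        return "not-403"  # not JSON, or JSON that is not an object
    if not isinstance(err, dict) or err.get("code") != 403:
        return "not-403"
    # The message appears both at the top level and inside the errors list.
    messages = [err.get("message", "")]
    for item in err.get("errors") or []:
        if isinstance(item, dict):
            messages.append(item.get("message", ""))
    if any(isinstance(m, str) and SCOPE_MESSAGE in m for m in messages):
        return "scope"
    return "other-forbidden"


def advice(body, requested_scopes):
    """Suggest where to look, given the error body and the scopes the token asked for."""
    kind = classify_403(body)
    if kind == "scope" and SCOPE_FULL_CONTROL not in requested_scopes:
        return "token scope: request " + SCOPE_FULL_CONTROL + " for the patching client only"
    if kind == "scope":
        return "token scope: full_control was requested, check how the token was issued"
    if kind == "other-forbidden":
        return "not a scope error: check the caller's IAM permissions"
    return "not a 403 error body"
```

Keeping the full_control token on a dedicated client for metadata patches leaves every other call on the narrower read_write scope.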