Can GKE Workload Identity be used to access Google Sheets?

4/15/2020

I'm currently using GKE Workload Identity to access Google Cloud Platform resources from within GKE. This works very well for Google Cloud Storage and other platform resources.

However, I encounter an issue with "insufficient authentication scopes" when I try to use GKE Workload Identity for accessing a Google Sheet.

When I generate a key file for the service account and use this in my code, I can manually set the scope to https://www.googleapis.com/auth/spreadsheets. It works just as expected and I can access the sheet. If I change the scope to https://www.googleapis.com/auth/cloud-platform, I get the same error as with GKE Workload Identity, "insufficient authentication scopes". This result shows that the service account works just fine, so the issue seems to be related to the scope assigned with the GKE Workload Identity.

With GKE Workload Identity I retrieve the credentials in Python with credentials = google.auth.default() [1]. The credentials object has the expected service account and the scope is set to https://www.googleapis.com/auth/cloud-platform. I can now access buckets and other cloud resources the service account has access to. However, Google Sheets seems to require the https://www.googleapis.com/auth/spreadsheets scope, but I have not found any way to set this. The workload identity (service account) and scope are retrieved from the GKE metadata server running in the GKE cluster. From what I can tell, the scope for GKE Workload Identity seems to be "hard coded" to https://www.googleapis.com/auth/cloud-platform. I have found no information on whether this can be changed.

(I tried adding the spreadsheet scope to the GKE node OAuth scopes. No effect. And from what I can understand from the docs it should be unrelated.)

(And of course I can just use a key file to make this work, but the whole point of GKE Workload Identity is exactly to avoid all the hassle of generating and distributing keys safely.)

[1] User Guide — google-auth 1.6.2 documentation

-- andehen
google-kubernetes-engine
google-oauth
google-sheets-api
service-accounts

0 Answers
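The following is an added example written for this page, not code from the question or from Google's libraries. It shows the two things a practitioner would want to pin down here: the metadata-server token request that carries an explicit `scopes` query parameter (the request google-auth issues when the credentials it builds carry scopes), and a check against Google's tokeninfo endpoint of which scopes the returned access token actually has, so that "cloud-platform only" is measured rather than inferred from an API error. Assumptions, labelled in the code as well: a google-auth release recent enough that compute_engine.Credentials accepts scopes via google.auth.default(scopes=...) (the 1.6.2 cited in the question does not), and a GKE metadata server that honours the `scopes` parameter on the token endpoint the way the GCE metadata server documents. The tokeninfo check is how you confirm that second assumption on your own cluster; the constants and the helper names are the example's own.

```python
"""Request a non-default OAuth scope via the metadata server and verify the grant.

Added example, not code from the original question. Assumptions to verify on
your cluster: google-auth recent enough that compute_engine.Credentials accepts
scopes (1.6.2 does not), and a metadata server that honours the `scopes` query
parameter on its token endpoint (documented for GCE; assumed for GKE here).
"""
import json
import urllib.parse
import urllib.request

SHEETS_SCOPE = "https://www.googleapis.com/auth/spreadsheets"
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
METADATA_ROOT = "http://metadata.google.internal/computeMetadata/v1/"
TOKENINFO_URL = "https://oauth2.googleapis.com/tokeninfo"


def token_url(scopes, service_account="default"):
    """Build the metadata-server token URL that requests explicit scopes.

    Scopes travel comma-separated in the `scopes` query parameter. The same
    URL can be used from a pod with curl (add the `Metadata-Flavor: Google`
    header) to see what the metadata server hands back.
    """
    path = "instance/service-accounts/%s/token" % service_account
    query = urllib.parse.urlencode({"scopes": ",".join(scopes)}, safe=":/,")
    return METADATA_ROOT + path + "?" + query


def missing_scopes(granted_scope_field, required):
    """Return the required scopes absent from a tokeninfo `scope` field.

    tokeninfo reports granted scopes as one space-separated string. The
    comparison is exact: cloud-platform does not imply spreadsheets, which
    is why Sheets rejects a cloud-platform-only token.
    """
    granted = set(granted_scope_field.split())
    return sorted(s for s in required if s not in granted)


def granted_scopes(access_token):
    """Ask Google's tokeninfo endpoint which scopes an access token carries."""
    query = urllib.parse.urlencode({"access_token": access_token})
    with urllib.request.urlopen(TOKENINFO_URL + "?" + query, timeout=10) as resp:
        return json.load(resp).get("scope", "")


def scoped_credentials(scopes=(SHEETS_SCOPE,)):
    """Obtain ADC credentials that request `scopes`, refreshed once.

    google.auth is imported lazily so the offline helpers above stay usable
    without it. Under Workload Identity, default() returns
    compute_engine.Credentials; passing scopes makes its refresh request the
    scoped token URL instead of the unscoped one (assumption: a google-auth
    release with scope support on compute_engine.Credentials).
    """
    import google.auth
    import google.auth.transport.requests

    credentials, project = google.auth.default(scopes=list(scopes))
    credentials.refresh(google.auth.transport.requests.Request())
    return credentials, project


def main():
    credentials, project = scoped_credentials()
    missing = missing_scopes(granted_scopes(credentials.token), [SHEETS_SCOPE])
    if missing:
        # The metadata server ignored or refused the extra scope; stop before
        # the Sheets call fails with "insufficient authentication scopes".
        raise SystemExit("token lacks scope(s): %s" % ", ".join(missing))
    print("project %s: token carries %s" % (project, SHEETS_SCOPE))


if __name__ == "__main__":
    main()
```

Run `main()` inside a Workload Identity pod; `token_url` and `missing_scopes` work offline and are what to reach for when diagnosing from a shell: fetch `token_url([SHEETS_SCOPE])` with curl, pass the token to tokeninfo, and compare the `scope` field against what the Sheets API requires.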