GCP Labs
Explore 2 labs in Gcp.
The GCP service account is configured with an overly permissive OAuth scope, granting cloud-platform access instead of the minimal scope required for the workload. This violates the principle of least privilege by allowing the service account to request broad access to GCP APIs when only limited Compute Engine read-only access is needed. If the workload, VM, or service account token is compromised, an attacker may be able to interact with a wider set of cloud resources than intended, depending on the IAM permissions attached to the service account. This increases the potential blast radius of a compromise and weakens access control boundaries.
Restrict the service account OAuth scope to the minimum required for the application, such as compute.readonly, and ensure the service account is only assigned narrowly scoped IAM roles. Review both OAuth scopes and IAM permissions together, since effective access depends on both. Avoid using broad scopes such as cloud-platform unless there is a documented and justified operational requirement.
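The check below is an added example, not part of the lab or of any SecDim code: it audits Compute Engine instances for attached service accounts whose OAuth scopes go beyond an allowlist, treating the `cloud-platform` scope described above as the high-severity case and `compute.readonly` as the acceptable minimum. The input shape follows `gcloud compute instances list --format=json`, trimmed to the fields the check reads; the instance names, zone and service-account e-mail addresses are constructed sample data, and the `allowed` allowlist is an assumed policy knob, not a GCP setting.

```python
"""Audit Compute Engine instances for service accounts whose OAuth scopes are
broader than the workload needs (added example; not SecDim lab code)."""
import json

# OAuth scope URIs as the Compute API reports them. cloud-platform is the broad
# scope the finding describes; compute.readonly is the minimal one recommended.
CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"
COMPUTE_READONLY = "https://www.googleapis.com/auth/compute.readonly"

# Scopes that let the token request essentially every GCP API: always "high".
BROAD_SCOPES = frozenset({CLOUD_PLATFORM})

# Constructed sample in the shape of `gcloud compute instances list
# --format=json`, trimmed to the fields the check reads. Not real project data.
SAMPLE_INSTANCES_JSON = """
[
  {"name": "web-1", "zone": "zones/us-central1-a",
   "serviceAccounts": [{"email": "web-sa@example-project.iam.gserviceaccount.com",
                        "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
  {"name": "batch-2", "zone": "zones/us-central1-b",
   "serviceAccounts": [{"email": "batch-sa@example-project.iam.gserviceaccount.com",
                        "scopes": ["https://www.googleapis.com/auth/compute.readonly"]}]},
  {"name": "legacy-3", "zone": "zones/us-central1-b",
   "serviceAccounts": [{"email": "legacy-sa@example-project.iam.gserviceaccount.com",
                        "scopes": ["https://www.googleapis.com/auth/compute.readonly",
                                   "https://www.googleapis.com/auth/devstorage.read_only"]}]},
  {"name": "no-sa-4", "zone": "zones/us-central1-c"}
]
"""


def find_overbroad_scopes(instances, allowed=frozenset({COMPUTE_READONLY})):
    """Return one finding per (instance, service account, scope) that is not in
    the allowlist. `allowed` is the set of scope URIs the workload actually
    needs; the default matches the compute.readonly recommendation above."""
    findings = []
    for inst in instances:
        # An instance with no attached service account has no token to abuse.
        for sa in inst.get("serviceAccounts", []):
            for scope in sa.get("scopes", []):
                if scope in allowed:
                    continue
                findings.append({
                    "instance": inst.get("name"),
                    "service_account": sa.get("email"),
                    "scope": scope,
                    # cloud-platform is the case the finding text calls out;
                    # any other non-allowlisted scope still needs a review.
                    "severity": "high" if scope in BROAD_SCOPES else "medium",
                })
    return findings


def audit_json(text, allowed=frozenset({COMPUTE_READONLY})):
    """Parse `gcloud ... --format=json` output and run the scope check on it."""
    return find_overbroad_scopes(json.loads(text), allowed)


if __name__ == "__main__":
    for f in audit_json(SAMPLE_INSTANCES_JSON):
        print(f"[{f['severity']}] {f['instance']} {f['service_account']}: {f['scope']}")
```

On the sample, `web-1` is reported as high (cloud-platform) and `legacy-3` as medium (a storage read scope outside the allowlist), while `batch-2` and the instance with no service account produce nothing. A scope finding is only half the picture: as the text says, effective access is the intersection of the token's scopes and the service account's IAM roles, so a flagged instance should be reviewed together with `gcloud projects get-iam-policy` for the account's bindings. Remediation for a flagged instance is to stop it and reassign scopes with `gcloud compute instances set-service-account INSTANCE --scopes=compute-ro` (the `compute-ro` alias maps to the compute.readonly URI), or to fix the scope in the Terraform or Deployment Manager definition that created it.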
Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.
Join our secure coding and AppSec community. A discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec code review, and more.