Remove redundant default scopes (#5343) (#10374)

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/5343.txt

@@ -0,0 +1,3 @@
+```release-note:breaking-change
+provider: removed redundant default scopes. The provider's default scopes when authenticating with credentials are now exclusively "https://www.googleapis.com/auth/cloud-platform" and "https://www.googleapis.com/auth/userinfo.email".
+```

google/config.go

@@ -341,11 +341,7 @@ var DefaultBasePaths = map[string]string{
 }
 
 var DefaultClientScopes = []string{
-	"https://www.googleapis.com/auth/compute",
 	"https://www.googleapis.com/auth/cloud-platform",
-	"https://www.googleapis.com/auth/cloud-identity",
-	"https://www.googleapis.com/auth/ndev.clouddns.readwrite",
-	"https://www.googleapis.com/auth/devstorage.full_control",
 	"https://www.googleapis.com/auth/userinfo.email",
 }
 

website/docs/guides/provider_reference.html.markdown

@@ -265,10 +265,7 @@ an access token using the service account key specified in `credentials`.
 
     By default, the following scopes are configured:
 
-    * https://www.googleapis.com/auth/compute
     * https://www.googleapis.com/auth/cloud-platform
-    * https://www.googleapis.com/auth/ndev.clouddns.readwrite
-    * https://www.googleapis.com/auth/devstorage.full_control
     * https://www.googleapis.com/auth/userinfo.email
 
 * `request_reason` - (Optional) Send a Request Reason [System Parameter](https://cloud.google.com/apis/docs/system-parameters) for each API call made by the provider.  The `X-Goog-Request-Reason` header value is used to provide a user-supplied justification into GCP AuditLogs. Alternatively, this can be specified using the `CLOUDSDK_CORE_REQUEST_REASON` environment variable.

website/docs/guides/version_4_upgrade.html.markdown

@@ -12,6 +12,7 @@ description: |-
   - [I accidentally upgraded to 4.0.0, how do I downgrade to `3.X`?](#i-accidentally-upgraded-to-400-how-do-i-downgrade-to-3x)
   - [Provider Version Configuration](#provider-version-configuration)
   - [Provider](#provider)
+    - [Redundant default scopes are removed](#redundant-default-scopes-are-removed)
     - [Runtime Configurator (`runtimeconfig`) resources have been removed from the GA provider](#runtime-configurator-runtimeconfig-resources-have-been-removed-from-the-ga-provider)
   - [Datasource: `google_product_resource`](#datasource-google_product_resource)
     - [Datasource-level change example](#datasource-level-change-example)
@@ -154,6 +155,26 @@ terraform {
 
 ## Provider
 
+### Redundant default scopes are removed
+
+Several default scopes are removed from the provider:
+
+* "https://www.googleapis.com/auth/compute"
+* "https://www.googleapis.com/auth/ndev.clouddns.readwrite"
+* "https://www.googleapis.com/auth/devstorage.full_control"
+* "https://www.googleapis.com/auth/cloud-identity"
+
+They are redundant with the "https://www.googleapis.com/auth/cloud-platform"
+scope per [Access scopes](https://cloud.google.com/compute/docs/access/service-accounts#accesscopesiam).
+After this change the following scopes are enabled, in line with `gcloud`'s
+[list of scopes](https://cloud.google.com/sdk/gcloud/reference/auth/application-default/login):
+
+* "https://www.googleapis.com/auth/cloud-platform"
+* "https://www.googleapis.com/auth/userinfo.email"
+
+This change is believed to have no user impact. If you find that Terraform
+behaves incorrectly as a result of this change, please report a [bug](https://github.com/hashicorp/terraform-provider-google/issues/new?assignees=&labels=bug&template=bug.md).
+
 ### Runtime Configurator (`runtimeconfig`) resources have been removed from the GA provider
 
 Earlier versions of the provider accidentally included the Runtime Configurator