Add scopes to service account auth in CES Toolsets (#16580)

Author: habh-11

mmv1/products/ces/Toolset.yaml

@@ -251,6 +251,13 @@ properties:
                   CES service agent
                   `service-@gcp-sa-ces.iam.gserviceaccount.com`.
                 required: true
+              - name: scopes
+                type: Array
+                description: |-
+                  The OAuth scopes to grant. If not specified, the default scope
+                  `https://www.googleapis.com/auth/cloud-platform` is used.
+                item_type:
+                  type: String
           - name: serviceAgentIdTokenAuthConfig
             type: NestedObject
             description: |-
@@ -434,6 +441,13 @@ properties:
                   CES service agent
                   `service-@gcp-sa-ces.iam.gserviceaccount.com`.
                 required: true
+              - name: scopes
+                type: Array
+                description: |-
+                  The OAuth scopes to grant. If not specified, the default scope
+                  `https://www.googleapis.com/auth/cloud-platform` is used.
+                item_type:
+                  type: String
           - name: serviceAgentIdTokenAuthConfig
             type: NestedObject
             description: |-

mmv1/templates/terraform/examples/ces_toolset_mcp_service_account_auth_config.tf.tmpl

@@ -35,6 +35,7 @@ resource "google_ces_toolset" "ces_toolset_mcp_service_account_auth_config" {
     api_authentication {
         service_account_auth_config {
             service_account = "{{index $.TestEnvVars "service_account"}}"
+            scopes = ["scope1"]
         }
     }
   }

mmv1/templates/terraform/examples/ces_toolset_openapi_service_account_auth_config.tf.tmpl

@@ -44,7 +44,8 @@ resource "google_ces_toolset" "ces_toolset_openapi_service_account_auth_config"
     }
     api_authentication {
         service_account_auth_config {
-            service_account = "testaccount@gmail.com"
+            service_account = "{{index $.TestEnvVars "service_account"}}"
+            scopes = ["scope1"]
         }
     }
   }

mmv1/third_party/terraform/services/ces/ces_toolset_test.go

@@ -49,6 +49,10 @@ func TestAccCESToolset_cesToolsetOpenapiServiceAccountAuthConfigExample_update(t
 
 func testAccCESToolset_cesToolsetOpenapiServiceAccountAuthConfigExample_full(context map[string]interface{}) string {
 	return acctest.Nprintf(`
+resource "google_service_account" "ces_test_service_account" {
+  account_id = "tf-test-sa-ces-%{random_suffix}"
+}
+
 resource "google_ces_app" "ces_app_for_toolset" {
   app_id = "tf-test-app-id%{random_suffix}"
   location = "us"
@@ -95,7 +99,8 @@ resource "google_ces_toolset" "ces_toolset_openapi_service_account_auth_config"
     }
     api_authentication {
         service_account_auth_config {
-            service_account = "testaccount@gmail.com"
+            service_account = "${google_service_account.ces_test_service_account.email}"
+            scopes = ["https://www.googleapis.com/auth/cloud-platform"]
         }
     }
   }
@@ -105,6 +110,10 @@ resource "google_ces_toolset" "ces_toolset_openapi_service_account_auth_config"
 
 func testAccCESToolset_cesToolsetOpenapiServiceAccountAuthConfigExample_update(context map[string]interface{}) string {
 	return acctest.Nprintf(`
+resource "google_service_account" "ces_test_service_account" {
+  account_id = "tf-test-sa-ces-%{random_suffix}"
+}
+
 resource "google_ces_app" "ces_app_for_toolset" {
   app_id = "tf-test-app-id%{random_suffix}"
   location = "us"
@@ -151,7 +160,8 @@ resource "google_ces_toolset" "ces_toolset_openapi_service_account_auth_config"
     }
     api_authentication {
         service_account_auth_config {
-            service_account = "testaccountupdated@gmail.com"
+            service_account = "${google_service_account.ces_test_service_account.email}"
+            scopes = ["https://www.googleapis.com/auth/cloud-platform"]
         }
     }
   }
@@ -814,6 +824,10 @@ func TestAccCESToolset_cesToolsetMcpServiceAccountAuthConfigExample_update(t *te
 
 func testAccCESToolset_cesToolsetMcpServiceAccountAuthConfigExample_full(context map[string]interface{}) string {
 	return acctest.Nprintf(`
+resource "google_service_account" "ces_test_service_account" {
+  account_id = "tf-test-sa-ces-%{random_suffix}"
+}
+
 resource "google_ces_app" "ces_app_for_toolset" {
   app_id = "tf-test-app-id%{random_suffix}"
   location = "us"
@@ -847,7 +861,8 @@ resource "google_ces_toolset" "ces_toolset_mcp_service_account_auth_config" {
     }
     api_authentication {
         service_account_auth_config {
-            service_account = "testaccount@gmail.com"
+            service_account = "${google_service_account.ces_test_service_account.email}"
+            scopes = ["https://www.googleapis.com/auth/cloud-platform"]
         }
     }
   }
@@ -857,6 +872,10 @@ resource "google_ces_toolset" "ces_toolset_mcp_service_account_auth_config" {
 
 func testAccCESToolset_cesToolsetMcpServiceAccountAuthConfigExample_update(context map[string]interface{}) string {
 	return acctest.Nprintf(`
+resource "google_service_account" "ces_test_service_account" {
+  account_id = "tf-test-sa-ces-%{random_suffix}"
+}
+
 resource "google_ces_app" "ces_app_for_toolset" {
   app_id = "tf-test-app-id%{random_suffix}"
   location = "us"
@@ -890,7 +909,8 @@ resource "google_ces_toolset" "ces_toolset_mcp_service_account_auth_config" {
     }
     api_authentication {
         service_account_auth_config {
-            service_account = "testaccountupdated@gmail.com"
+            service_account = "${google_service_account.ces_test_service_account.email}"
+            scopes = ["https://www.googleapis.com/auth/cloud-platform"]
         }
     }
   }