So the compute engine SSH example uses --scopes https://www.googleapis.com/auth/cloud-platform for the VM service account, which feels like it's overgranting a lot of permissions. Am I missing something here?
"The best practice is to set the full cloud-platform access scope on the instance, then control the service account's access using IAM roles." (from this link)
From what I understood, yes, the cloud-platform access scope is overgranting, but you can narrow down the permissions using IAM roles.
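To make the "broad scope, narrow IAM" pattern from the answers concrete, here is an added example script (not from the thread or from Google's documentation). It creates a dedicated service account, binds only two minimal roles to it, launches the VM with the cloud-platform scope as the documentation recommends, and then reads back the instance's service account so you can confirm it is not the Compute Engine default one. The project id, zone, service account name and role set are placeholders/assumptions; set DRY_RUN=1 to print the gcloud commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the thread: least-privilege identity for a VM
# that still uses the broad cloud-platform access scope.
# GCP_PROJECT, GCP_ZONE and GCP_SA_NAME are placeholders; override via env.
# DRY_RUN=1 prints each gcloud command instead of executing it.

GCP_PROJECT="${GCP_PROJECT:-my-project-id}"   # placeholder project id
GCP_ZONE="${GCP_ZONE:-us-central1-a}"
GCP_SA_NAME="${GCP_SA_NAME:-vm-least-priv}"   # hypothetical SA name
SA_EMAIL="${GCP_SA_NAME}@${GCP_PROJECT}.iam.gserviceaccount.com"
CLOUD_PLATFORM_SCOPE="https://www.googleapis.com/auth/cloud-platform"

# Execute a command, or print it (unquoted, for review) when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# 1. Dedicated service account. Do not reuse the Compute Engine default SA;
#    in older projects it carries the project-wide Editor role.
create_service_account() {
  run gcloud iam service-accounts create "$GCP_SA_NAME" \
    --project="$GCP_PROJECT" \
    --display-name="VM least-privilege service account"
}

# 2. IAM is the real permission boundary: grant only what the workload needs.
#    Assumed here: the VM only ships logs and metrics.
grant_minimal_roles() {
  for role in roles/logging.logWriter roles/monitoring.metricWriter; do
    run gcloud projects add-iam-policy-binding "$GCP_PROJECT" \
      --member="serviceAccount:${SA_EMAIL}" \
      --role="$role"
  done
}

# 3. Scope stays at cloud-platform (as the quoted docs recommend); the token
#    the VM obtains can still only do what the roles above allow.
create_instance() {
  run gcloud compute instances create "$1" \
    --project="$GCP_PROJECT" --zone="$GCP_ZONE" \
    --service-account="$SA_EMAIL" \
    --scopes="$CLOUD_PLATFORM_SCOPE"
}

# 4. Verify: the instance must report the dedicated SA, not
#    PROJECT_NUMBER-compute@developer.gserviceaccount.com.
show_instance_identity() {
  run gcloud compute instances describe "$1" \
    --project="$GCP_PROJECT" --zone="$GCP_ZONE" \
    --format='yaml(serviceAccounts)'
}

main() {
  instance="${1:-vm-demo}"   # placeholder instance name
  create_service_account
  grant_minimal_roles
  create_instance "$instance"
  show_instance_identity "$instance"
}

# Run the whole sequence only when an instance name is passed on the command
# line, so the functions can also be sourced individually.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Usage: `DRY_RUN=1 sh vm_least_priv.sh vm-demo` prints the four gcloud commands for review; drop DRY_RUN to execute them against the project. The point the check in step 4 makes is that the scope on the instance is not where the permission boundary lives: if the describe output shows the default compute service account, the IAM roles you bound in step 2 are not the ones the VM is actually using.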