From 70ee4d2026416dd3feee9d628d225bda5f23978a Mon Sep 17 00:00:00 2001 From: Jake Wilkins Date: Sat, 16 Aug 2025 22:08:15 +0100 Subject: [PATCH 1/3] allow for instance scopes --- dask_cloudprovider/gcp/instances.py | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/dask_cloudprovider/gcp/instances.py b/dask_cloudprovider/gcp/instances.py index 65e8185d..64d280dd 100644 --- a/dask_cloudprovider/gcp/instances.py +++ b/dask_cloudprovider/gcp/instances.py @@ -66,6 +66,7 @@ def __init__( preemptible=False, instance_labels=None, service_account=None, + instance_scopes=None, **kwargs, ): super().__init__(**kwargs) @@ -105,6 +106,14 @@ def __init__( self.general_zone = "-".join(self.zone.split("-")[:2]) # us-east1-c -> us-east1 self.service_account = service_account or self.config.get("service_account") + + # Default scopes for instance service account + default_scopes = [ + "https://www.googleapis.com/auth/devstorage.read_write", + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring.write", + ] + self.instance_scopes = instance_scopes or self.config.get("instance_scopes", default_scopes) def create_gcp_config(self): subnetwork = f"projects/{self.network_projectid}/regions/{self.general_zone}/subnetworks/{self.network}" @@ -144,11 +153,7 @@ def create_gcp_config(self): "serviceAccounts": [ { "email": self.service_account, - "scopes": [ - "https://www.googleapis.com/auth/devstorage.read_write", - "https://www.googleapis.com/auth/logging.write", - "https://www.googleapis.com/auth/monitoring.write", - ], + "scopes": self.instance_scopes, } ], # Metadata is readable from the instance and allows you to 
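Review bot: An explicit empty list is discarded by `instance_scopes or self.config.get("instance_scopes", default_scopes)`, because `[]` is falsy, so a caller who asks for no scopes gets the defaults back, including `devstorage.read_write`. Testing for None keeps that choice: `self.instance_scopes = instance_scopes if instance_scopes is not None else self.config.get("instance_scopes", default_scopes)`. The same `or` pattern is in the options dict added in the `@@ -717` hunk of this patch (`"instance_scopes": instance_scopes or self.config.get("instance_scopes")`) and survives the rewrites of this line in patches 2/3 and 3/3. `__init__` starts and ends outside the hunk.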
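Review bot: `"scopes": self.instance_scopes` forwards the value without a type check, so a single scope passed as a string, or a null config value, reaches the instance config as a non-list. A check where the attribute is set in `__init__` would fail early with a clear message, e.g. `if not isinstance(self.instance_scopes, (list, tuple)): raise TypeError("instance_scopes must be a list of scope URLs")`. The body of `create_gcp_config` continues outside the hunk.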
@@ -516,6 +521,11 @@ class GCPCluster(VMCluster): service_account: str Service account that all VMs will run under. Defaults to the default Compute Engine service account for your GCP project. + instance_scopes: list (optional) + List of GCP OAuth scopes to assign to the service account on instances. + Defaults to ``["https://www.googleapis.com/auth/devstorage.read_write", + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring.write"]``. service_account_credentials: Optional[Dict[str, Any]] Service account credentials to create the compute engine Vms @@ -617,6 +627,7 @@ def __init__( debug=False, instance_labels=None, service_account=None, + instance_scopes=None, service_account_credentials: Optional[Dict[str, Any]] = None, **kwargs, ): @@ -717,6 +728,7 @@ def __init__( ), "instance_labels": instance_labels or self.config.get("instance_labels"), "service_account": service_account or self.config.get("service_account"), + "instance_scopes": instance_scopes or self.config.get("instance_scopes"), } self.scheduler_options = {**self.options} self.scheduler_options["machine_type"] = self.scheduler_machine_type From 12f4d5e47ab35f2f538b7cdabd73024df556b7cc Mon Sep 17 00:00:00 2001 From: Jake Wilkins Date: Wed, 1 Oct 2025 17:02:55 +0100 Subject: [PATCH 2/3] Fixing pre-commit errors for instance scopes --- dask_cloudprovider/gcp/instances.py | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/dask_cloudprovider/gcp/instances.py b/dask_cloudprovider/gcp/instances.py index 64d280dd..a39a9bd1 100644 --- a/dask_cloudprovider/gcp/instances.py +++ b/dask_cloudprovider/gcp/instances.py 
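Review bot: The new `instance_scopes` docstring entry does not say that a supplied list replaces the defaults rather than extending them, nor that scopes only cap what the service account's token can do on the VM. I would add two sentences: that callers who still want `logging.write` and `monitoring.write` must list them again, and that access is still decided by the IAM roles on `service_account`, so the list should hold only the scopes the workload needs. The type could also read `list of str`. The class docstring starts and ends outside the hunk.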
@@ -106,14 +106,16 @@ def __init__( self.general_zone = "-".join(self.zone.split("-")[:2]) # us-east1-c -> us-east1 self.service_account = service_account or self.config.get("service_account") - + # Default scopes for instance service account default_scopes = [ "https://www.googleapis.com/auth/devstorage.read_write", "https://www.googleapis.com/auth/logging.write", "https://www.googleapis.com/auth/monitoring.write", ] - self.instance_scopes = instance_scopes or self.config.get("instance_scopes", default_scopes) + self.instance_scopes = instance_scopes or self.config.get( + "instance_scopes", default_scopes + ) def create_gcp_config(self): subnetwork = f"projects/{self.network_projectid}/regions/{self.general_zone}/subnetworks/{self.network}" @@ -523,8 +525,8 @@ class GCPCluster(VMCluster): Defaults to the default Compute Engine service account for your GCP project. instance_scopes: list (optional) List of GCP OAuth scopes to assign to the service account on instances. - Defaults to ``["https://www.googleapis.com/auth/devstorage.read_write", - "https://www.googleapis.com/auth/logging.write", + Defaults to ``["https://www.googleapis.com/auth/devstorage.read_write", + "https://www.googleapis.com/auth/logging.write", "https://www.googleapis.com/auth/monitoring.write"]``. service_account_credentials: Optional[Dict[str, Any]] Service account credentials to create the compute engine Vms From e2532d67f5afddd02d68ed164774e281569584f8 Mon Sep 17 00:00:00 2001 From: Jake Wilkins Date: Thu, 2 Oct 2025 14:38:12 +0100 Subject: [PATCH 3/3] Moving default values into a list within the cloud provider yaml config --- dask_cloudprovider/cloudprovider.yaml | 4 ++++ dask_cloudprovider/gcp/instances.py | 11 +---------- 2 files changed, 5 insertions(+), 10 deletions(-) diff --git a/dask_cloudprovider/cloudprovider.yaml b/dask_cloudprovider/cloudprovider.yaml index 2a20106d..b8448af6 100755 --- a/dask_cloudprovider/cloudprovider.yaml +++ b/dask_cloudprovider/cloudprovider.yaml 
@@ -118,6 +118,10 @@ cloudprovider: instance_labels: container_vm: "dask-cloudprovider" service_account: "default" + instance_scopes: # OAuth2 scopes to assign to the service account on instances + - "https://www.googleapis.com/auth/devstorage.read_write" + - "https://www.googleapis.com/auth/logging.write" + - "https://www.googleapis.com/auth/monitoring.write" hetzner: token: null # API token for interacting with the Hetzner cloud API diff --git a/dask_cloudprovider/gcp/instances.py b/dask_cloudprovider/gcp/instances.py index a39a9bd1..93ed5613 100644 --- a/dask_cloudprovider/gcp/instances.py +++ b/dask_cloudprovider/gcp/instances.py @@ -106,16 +106,7 @@ def __init__( self.general_zone = "-".join(self.zone.split("-")[:2]) # us-east1-c -> us-east1 self.service_account = service_account or self.config.get("service_account") - - # Default scopes for instance service account - default_scopes = [ - "https://www.googleapis.com/auth/devstorage.read_write", - "https://www.googleapis.com/auth/logging.write", - "https://www.googleapis.com/auth/monitoring.write", - ] - self.instance_scopes = instance_scopes or self.config.get( - "instance_scopes", default_scopes - ) + self.instance_scopes = instance_scopes or self.config.get("instance_scopes") def create_gcp_config(self): subnetwork = f"projects/{self.network_projectid}/regions/{self.general_zone}/subnetworks/{self.network}"
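Review bot: The comment on `instance_scopes` does not mention that the shipped default includes `devstorage.read_write`, which lets each instance created with these defaults write to Cloud Storage as far as the service account's roles allow. A short pointer would help users whose workers only read from buckets, for example `# OAuth2 scopes for the instance service account; use devstorage.read_only if workers never write to Cloud Storage`. The default is the same list that was previously hard-coded in `instances.py`, so this is a documentation point only.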