@@ -383,7 +383,10 @@ impl AuthStrategy for GoogleAdcStrategy {
383383 // authentication This ensures the user has run 'gcloud auth
384384 // application-default login'
385385 use google_cloud_auth:: credentials:: Builder ;
386+ const VERTEX_AI_SCOPES : & [ & str ] =
387+ & [ "https://www.googleapis.com/auth/cloud-platform" ] ;
386388 let credentials = Builder :: default ( )
389+ . with_scopes ( VERTEX_AI_SCOPES . iter ( ) . map ( |s| s. to_string ( ) ) )
387390 . build_access_token_credentials ( )
388391 . map_err ( |e| {
389392 AuthError :: CompletionFailed ( format ! (
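Review bot: `VERTEX_AI_SCOPES` is declared inside this function and again, identically, inside `refresh` (third hunk), so the two copies can drift apart. A single module-level `const VERTEX_AI_SCOPES: &[&str] = &["https://www.googleapis.com/auth/cloud-platform"];` would serve both call sites. This copy also lacks the explanatory comment that the `refresh` copy carries. Because `cloud-platform` is not specific to Vertex AI, the constant deserves a comment such as `// Broad scope: the token is limited only by the principal's IAM roles, so treat it as a high-value secret.` The enclosing function starts and ends outside this hunk.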
@@ -397,7 +400,7 @@ impl AuthStrategy for GoogleAdcStrategy {
397400 . await
398401 . map_err ( |e| {
399402 AuthError :: CompletionFailed ( format ! (
400- "{e}. Please run 'gcloud auth application-default login' to set up credentials ."
403+ "Failed to obtain access token: {e}. Your ADC credentials may be expired — run 'gcloud auth application-default login' to re-authenticate ."
401404 ) )
402405 } ) ?;
403406
@@ -415,10 +418,13 @@ impl AuthStrategy for GoogleAdcStrategy {
415418 }
416419 }
417420
418- async fn refresh ( & self , _credential : & AuthCredential ) -> anyhow:: Result < AuthCredential > {
421+ async fn refresh ( & self , credential : & AuthCredential ) -> anyhow:: Result < AuthCredential > {
419422 // Google ADC handles token refresh automatically
420423 // We just need to get a fresh token using the Builder API
424+ // Vertex AI requires the cloud-platform scope
425+ const VERTEX_AI_SCOPES : & [ & str ] = & [ "https://www.googleapis.com/auth/cloud-platform" ] ;
421426 let credentials = Builder :: default ( )
427+ . with_scopes ( VERTEX_AI_SCOPES . iter ( ) . map ( |s| s. to_string ( ) ) )
422428 . build_access_token_credentials ( )
423429 . map_err ( |e| {
424430 AuthError :: RefreshFailed ( format ! (
@@ -427,13 +433,16 @@ impl AuthStrategy for GoogleAdcStrategy {
427433 } ) ?;
428434
429435 let access_token = credentials. access_token ( ) . await . map_err ( |e| {
430- AuthError :: RefreshFailed ( format ! ( "Failed to refresh Google access token: {e}" ) )
436+ AuthError :: RefreshFailed ( format ! (
437+ "Failed to refresh Google access token: {e}. Your ADC credentials may be expired — run 'gcloud auth application-default login' to re-authenticate."
438+ ) )
431439 } ) ?;
432440
433441 Ok ( AuthCredential :: new_google_adc (
434442 self . provider_id . clone ( ) ,
435443 ApiKey :: from ( access_token. token ) ,
436- ) )
444+ )
445+ . url_params ( credential. url_params . clone ( ) ) )
437446 }
438447}
439448
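Review bot: The new `.url_params(credential.url_params.clone())` call at the end of `refresh` has no comment saying why the parameters are carried over. Something like `// Keep the URL parameters of the credential being refreshed; new_google_adc() sets only provider id and token.` would make the intent clear. The new credential takes its provider id from `self.provider_id` but its parameters from the caller-supplied `credential`, and nothing visible here checks that the two belong together. If `AuthCredential` exposes its provider id (its definition is not shown on this page), a guard returning `AuthError::RefreshFailed` on a mismatch would stop parameters from one provider being attached to another provider's token. A unit test asserting that `url_params` survives a refresh would pin the behaviour this commit adds.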