
Is there a way to invoke the Cloud Assets API without granting write permission scopes?

I was looking for a Google Cloud API to fetch resources across all regions and zones in a given project. I am aware of individual APIs (e.g. Compute: https://cloud.google.com/compute/docs/reference/rest/v1), but I need a single GCP-wide API that will allow me to get a list of all active resources (e.g. instances, GKE clusters, buckets, VPCs, etc.).

The Cloud Asset Inventory API seems to fit the bill. However, it turns out that the Cloud Asset API requires the scope "https://www.googleapis.com/auth/cloud-platform", which is described as "See, edit, configure, and delete your Google Cloud data and see the email address for your Google Account."

I am not sure why the read-only version of this scope, "https://www.googleapis.com/auth/cloud-platform.read-only", does not work. My use case is to get permission from my users to view their GCP projects' resources, and I cannot ask for a scope which would allow my app to theoretically delete their GCP data.

Source: https://developers.google.com/identity/protocols/oauth2/scopes#cloudasset

Are there any other options or am I missing something?
