Gsheets API with GCE default service account
I've created a new service account on my GCE instance, and attached it to it (it is the default). This service account email is shared with my spreadsheet in question.
The sheets and drive APIs have been enabled in my project.
If I attempt to use gspread and use default auth credentials, I get the following exception:
gspread.exceptions.APIError: {'errors': [{'domain': 'global', 'reason': 'insufficientPermissions', 'message': 'Insufficient Permission: Request had insufficient authentication scopes.'}], 'code': 403, 'message': 'Insufficient Permission: Request had insufficient authentication scopes.'}
The code
import gspread
import google.auth
scopes = [
    'https://www.googleapis.com/auth/spreadsheets',
    'https://www.googleapis.com/auth/drive'
]
credentials, project = google.auth.default(scopes=scopes)
gc = gspread.authorize(credentials)
wks = gc.open("test sheet")
Will cause the above APIError
However, if I download the JSON key for the service account, and load it accordingly
client = gspread.service_account(filename="SERVICE_ACCOUNT_KEY.json")
s = client.open("test sheet")
This works.
My end goal is to use the service account attached to the resource to access this specific spreadsheet that the service account has been shared with. I do not want to save any JSON keys or expose keys in code, or manually specify service account email names in code.
I am at a loss as to why the service account's JSON key works, but asking for the service account through default does not.
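The 403 in the question names authentication scopes, so a useful diagnostic is to compare what the instance grants with what the code requests. The following is an added example, not part of the original question: it reads the scope list that the Compute Engine metadata server reports for the attached service account and lists which of the two requested scopes are absent. The helper names are hypothetical and the sample response is constructed.

```python
"""Compare the OAuth scopes a GCE instance grants its attached service
account with the scopes the question's code requests."""
import urllib.request

# Compute Engine metadata endpoint listing the attached account's scopes.
METADATA_SCOPES_URL = (
    "http://metadata.google.internal/computeMetadata/v1/"
    "instance/service-accounts/default/scopes"
)

# The two scopes requested in the question's code.
REQUIRED_SCOPES = [
    "https://www.googleapis.com/auth/spreadsheets",
    "https://www.googleapis.com/auth/drive",
]

def fetch_instance_scopes(timeout=2.0):
    """Return the raw scope list from the metadata server (GCE only)."""
    req = urllib.request.Request(
        METADATA_SCOPES_URL, headers={"Metadata-Flavor": "Google"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

def parse_scopes(raw):
    """One scope URL per line; tolerate blank lines and CRLF endings."""
    return {line.strip() for line in raw.splitlines() if line.strip()}

def missing_scopes(raw, required=REQUIRED_SCOPES):
    """Required scopes the instance does not grant, in request order."""
    granted = parse_scopes(raw)
    return [s for s in required if s not in granted]

# Constructed sample response, so the check also runs away from GCE.
SAMPLE_RESPONSE = """https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write
"""

if __name__ == "__main__":
    try:
        raw = fetch_instance_scopes()
    except OSError:  # not on GCE, or metadata server unreachable
        raw = SAMPLE_RESPONSE
    for scope in missing_scopes(raw):
        print("not granted to this instance:", scope)
```

An empty result means both requested scopes are already granted to the instance, and the cause of the 403 lies elsewhere.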
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
