Duo Workflow executor fails with 403 on /api/v4/version - PreConfiguredWorkflowTokenService insufficient_scope

2026-03-03T09:11:01:488 [debug]: [PreConfiguredWorkflowTokenService] Building token for workflow "3033367", type: "developer/v1"

2026-03-03T09:11:01:488 [debug]: [CredentialProvider] Using static token from configuration, skipping glab credential helper

2026-03-03T09:11:01:489 [debug]: fetch: request to https://gitlab.com/api/v4/version returned HTTP 403 after 1802 ms

2026-03-03T09:11:01:494 [error]: Error: Fetching version from https://gitlab.com/api/v4/version failed. The request requires higher privileges than provided by the access token.

    at G91 (file:///usr/lib/node_modules/@gitlab/lib_core/src/fetch/handle_fetch_error.ts:10:11)

    at processTicksAndRejections (node:internal/process/task_queues:95:5)

    at wc.fetchFromApi (file:///usr/lib/node_modules/@gitlab/lib_core/src/gitlab_api/simple_api_client.ts:88:5)

    at ry.#J (file:///usr/lib/node_modules/@gitlab/lib_core/src/feature_flags/instance_feature_flags.ts:229:27)

    at ry.#G (file:///usr/lib/node_modules/@gitlab/lib_core/src/feature_flags/instance_feature_flags.ts:247:19)

    at Object.\<anonymous\> (file:///usr/lib/node_modules/@gitlab/lib_core/src/feature_flags/instance_feature_flags.ts:98:7)

- Error details:

  - REST Request:

    - Method: GET

    - Path: /api/v4/version

  - Response:

    - Status: 403

    - Headers: {"cache-control":"no-cache","cf-cache-status":"MISS","cf-ray":"9d6782e99f09a9db-ATL","connection":"close","content-encoding":"gzip","content-security-policy":"default-src 'none'","content-type":"application/json","date":"Tue, 03 Mar 2026 09:11:01 GMT","gitlab-lb":"haproxy-main-60-lb-gprd","gitlab-sv":"api-gke-us-east1-d","nel":"{\\"max_age\\": 0}","referrer-policy":"strict-origin-when-cross-origin","server":"cloudflare","set-cookie":"\__cf_bm=M31xYpHnCwpUeQ92YLKEqfRnPy4u240aoUpMVOD5eLY-1772529061-1.0.1.1-86VRGE.twA1TEsQgGBm1rfP4BWvYJEzUmEWFsXrMeZlMNDzbQL5AoT9PjoLvs8XAD182frC7BthKQBgdrY_TNvqC1w0lWPB0A1r7rIk6KWE; path=/; expires=Tue, 03-Mar-26 09:41:01 GMT; domain=.gitlab.com; HttpOnly; Secure; SameSite=None, \_cfuvid=kh5T2F7tT_tbApkVtV_wEz4d3XIxnOi.ip5Y8gK3OFo-1772529061472-0.0.1.1-604800000; path=/; domain=.gitlab.com; HttpOnly; Secure; SameSite=None","strict-transport-security":"max-age=31536000","transfer-encoding":"chunked","vary":"Origin, Accept-Encoding","x-content-type-options":"nosniff","x-gitlab-meta":"{\\"correlation_id\\":\\"9d6782e9a56da9db-ATL\\",\\"version\\":\\"1\\"}","x-request-id":"9d6782e9a56da9db-ATL","x-runtime":"0.064840"}

    - Response body: {"error":"insufficient_scope","error_description":"The request requires higher privileges than provided by the access token.","scope":"read_user ai_features api read_api"}