GenericClient.forAuth ignores the project name set in the Auth instance

[andreavs]

Rather it uses the project name returned by the login call. This works fine for api key authorization, but when using a bearer token, it sets the project to root, which can be confusing.

[ngerstle-cognite]

The project the principal making the request belongs to isn't necessarily the project the request/requests should be made against.
As you've discovered, internal service principals (using a token from vault) have an identity in project 0, the root project, and have access to make requests in all other projects in the cluster (usually).