If I had a security profile with all the permissions, then all I needed to do was to enter the client_id and client_secret in rclone's configuration steps. Instead, I got an error back in my web browser about requesting an invalid scope. I didn't want to go through the trouble of changing rclone's source code to request some other permission scope. I disabled my Amazon LWA security profile's URL redirect so that I could see rclone's request URL in my web browser. You'll see that rclone tries to ask for read all and write permissions. I just manually change the URL to try to request different combinations of permissions (e.g. write , read all, read other, read document, read video, and read image) with my web browser until I got a successful response from Amazon LWA. I re-enable the security profile's URL redirect to point to where rclone's listening on localhost:port and use the web browser to re-submit the successful request. This time rclone gets the new security token in the response and we're done.