I am trying to connect to a service running using Cloud Run (managed). The instance is not public and only in development. Hence I am authenticating using id tokens to authenticate the connection as given in this link.
I see that here they use an identity token instead of an access token to make the request. Why is that? Also, is there a way I could use an access token instead?
Access tokens are meant for Google’s own APIs (*.googleapis.com). For example, a Google identity’s (service account, user account) access token allows them to make calls to Google’s API.
However, an "identity token" is a proof that you hold that account. These are still tokens, but they're signed by Google to prove it. You can't use these to make API calls to Google.
Imagine this scenario: someone has hacked the private service you are calling, but that Cloud Run service has no permissions to do anything. If you sent your access_token, they could intercept and extract it to make API calls with the permissions of the "caller" service. But if you send your identity_token, it's not usable for anything other than proving that "caller" is who it claims to be.
If you have trouble using identity tokens, please feel free to open another question.
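To make the distinction in the answer above concrete, here is an added example (not code from the question, the answer, or Google's libraries) showing what a receiving service can check on an identity token that it could never check on an access token. The Cloud Run URL, the service-account e-mail and the token claims are all constructed placeholders; the token is built with an empty signature purely so the example runs offline. Real signature verification against Google's published keys is out of scope here and is what `google.oauth2.id_token.verify_oauth2_token` from the google-auth library does in practice.

```python
import base64
import json
import time
from typing import Optional

# Constructed sample: the audience is a placeholder Cloud Run URL, the e-mail a
# placeholder service account. Google-issued ID tokens carry claims of this shape.
CLOUD_RUN_URL = "https://my-private-service-abc123-uc.a.run.app"
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": CLOUD_RUN_URL,                    # bound to ONE service, unlike an access token
    "sub": "1234567890",
    "email": "caller@example-project.iam.gserviceaccount.com",
    "email_verified": True,
    "iat": 1_700_000_000,
    "exp": 1_700_003_600,                    # one hour after iat
}

ALLOWED_ISSUERS = ("https://accounts.google.com", "accounts.google.com")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with an EMPTY signature. Constructed test data only;
    a real ID token is RS256-signed by Google and must be verified as such."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()), ""])


def classify_bearer(token: str) -> str:
    """Rough shape check: Google access tokens are opaque strings (ya29....);
    ID tokens are three dot-separated base64url segments (a JWT)."""
    if token.startswith("ya29."):
        return "access_token"
    if token.count(".") == 2:
        return "id_token"
    return "unknown"


def check_id_token_claims(token: str, expected_audience: str,
                          now: Optional[int] = None) -> dict:
    """Decode an ID token and enforce issuer, audience and expiry.
    Deliberately does NOT verify the signature: that step needs Google's public
    keys and is left to a proper library. The point shown here is that the
    audience claim ties the token to one service, so a stolen copy cannot be
    replayed to call Google APIs or a different service."""
    if classify_bearer(token) != "id_token":
        raise ValueError("not an ID token: an access token has no audience claim to check")
    now = int(time.time()) if now is None else now
    _header, payload, _signature = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") not in ALLOWED_ISSUERS:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    if claims.get("aud") != expected_audience:
        raise ValueError(f"audience {claims.get('aud')!r} is not this service")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token has expired")
    return claims


if __name__ == "__main__":
    tok = make_unsigned_token(SAMPLE_CLAIMS)
    print(check_id_token_claims(tok, CLOUD_RUN_URL, now=1_700_000_100)["email"])
```

Running the block accepts the constructed token only for its own audience and before `exp`; presenting the same token for another service URL, or presenting an access token, is rejected. That is the property the answer relies on: an intercepted identity token proves who the caller is to one service and nothing more.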