I have a Cloud Run service running with authenticated requests turned on. I've created a domain mapping using Load Balancing to point a subdomain to the container.
I have been sending requests to the direct container url without any problems.
import os
import google.auth.transport.requests
import google.oauth2.id_token
import requests

# Point Application Default Credentials at the service-account key file.
os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = 'service-account.json'

# The audience the ID token is minted for: here the default *.run.app URL of the service.
audience = "https://app-id.a.run.app"
request = google.auth.transport.requests.Request()
id_token = google.oauth2.id_token.fetch_id_token(request, audience)

# Call the service with the ID token as a Bearer token; fail loudly on 401/403.
response = requests.post(
    audience + "/job",
    headers={'Authorization': f"Bearer {id_token}"},
)
response.raise_for_status()
My service account has the Cloud Run Invoker permission and requests get authenticated fine.
The domain mapping is configured to the right Cloud Run service & region.
Why is it that when I change audience to my subdomain and send the request, I'm not authenticated?
Edit: The subdomain is correctly pointing at the container and requests are being logged.
By default, Cloud Run accepts only the default Cloud Run URL (*.run.app) as audience.
When you use a custom domain, or a Load Balancer, it does not make sense for the client to add a strange audience instead of the real domain name.
That's why the Cloud Run custom audience feature was released!
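As an added illustration of the answer above (my example, not code from the question or the answer): once the custom domain has been registered as a custom audience on the service, for instance with `gcloud run services update SERVICE --region REGION --add-custom-audiences=https://api.example.com` (the domain `https://api.example.com` is an assumed placeholder), the client can mint an ID token whose `aud` is the custom domain and call that domain directly. The helpers below decode a token's `aud` claim without verifying the signature, purely to diagnose locally why a request is rejected, and model the acceptance rule the answer describes: the token's `aud` must be the service's own `*.run.app` URL or one of the configured custom audiences. The test token is constructed and unsigned; it only exercises the parsing, and Cloud Run would never accept it.

```python
import base64
import json

# Assumed placeholders for this example; neither appears in the original question.
DEFAULT_AUDIENCE = "https://app-id.a.run.app"   # the service's own Cloud Run URL
CUSTOM_AUDIENCE = "https://api.example.com"      # the custom domain behind the load balancer


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.
    Use this only to inspect 'aud' while debugging; never base an auth decision on it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audience_accepted(token: str, accepted_audiences) -> bool:
    """Model of the check that rejects the request in the question: the token's
    'aud' must be one of the audiences the service accepts (its *.run.app URL
    plus any custom audiences configured on the service)."""
    aud = jwt_claims(token).get("aud")
    if isinstance(aud, str):
        aud = [aud]
    return any(a in accepted_audiences for a in (aud or []))


def build_unsigned_test_jwt(claims: dict) -> str:
    """Constructed test data: an unsigned JWT with a dummy signature segment,
    used only to exercise jwt_claims/audience_accepted offline."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.dummysig"


def fetch_id_token(audience: str) -> str:
    """Mint a Google-signed ID token for `audience` via Application Default
    Credentials (network call; the same API the question uses)."""
    import google.auth.transport.requests
    import google.oauth2.id_token
    request = google.auth.transport.requests.Request()
    return google.oauth2.id_token.fetch_id_token(request, audience)


def call_job(base_url: str) -> int:
    """POST /job on `base_url` using an ID token whose 'aud' is base_url itself.
    With the custom audience configured, base_url can be the custom domain."""
    import requests
    token = fetch_id_token(base_url)
    resp = requests.post(base_url + "/job",
                         headers={"Authorization": f"Bearer {token}"},
                         timeout=30)
    return resp.status_code


if __name__ == "__main__":
    # Same token, before and after the custom audience is added to the service.
    tok = build_unsigned_test_jwt({"aud": CUSTOM_AUDIENCE, "iss": "https://accounts.google.com"})
    print("before:", audience_accepted(tok, {DEFAULT_AUDIENCE}))
    print("after: ", audience_accepted(tok, {DEFAULT_AUDIENCE, CUSTOM_AUDIENCE}))
    # Real call (needs credentials, network and the custom audience configured):
    # print(call_job(CUSTOM_AUDIENCE))
```

The value passed to `--add-custom-audiences` must match the token's `aud` exactly, so mint the token for the same string you configured (scheme and host, no trailing path) and pass the custom domain as the audience to `fetch_id_token`, not the `*.run.app` URL.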