Closed jonathan-johnston closed 11 months ago
@TheKevJames I believe that was actually a different use case, using the user auth method with SA impersonation. I reproduced the failure in staging with the metadata server ID token fetch, so at least it should fail consistently.
Summary
The official documentation is wrong on this; we need to fetch the ID token from the GCE metadata server using the typical audience value instead of the URI as stated here: https://cloud.google.com/docs/authentication/get-id-token#metadata-server
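
A debugging check for the audience mismatch described above, as an added example that is not part of this PR or the project's code: it builds the metadata server identity request for a given audience and compares the `aud` claim of a returned token with the value the receiving service expects. The audience strings and sample tokens are constructed placeholders, and the payload is decoded without signature verification, so this is for diagnosis only.

```python
import base64
import json
from urllib.parse import urlencode

# GCE metadata server identity endpoint and its required header.
METADATA_IDENTITY_URL = (
    'http://metadata.google.internal/computeMetadata/v1/'
    'instance/service-accounts/default/identity'
)
METADATA_HEADERS = {'Metadata-Flavor': 'Google'}


def identity_request(audience):
    """Return (url, headers) for requesting an ID token for `audience`."""
    query = urlencode({'audience': audience, 'format': 'full'})
    return f'{METADATA_IDENTITY_URL}?{query}', METADATA_HEADERS


def unverified_claims(token):
    """Decode the JWT payload for debugging only; no signature check."""
    parts = token.split('.')
    if len(parts) != 3:
        raise ValueError('not a compact JWT')
    payload = parts[1] + '=' * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_matches(token, expected):
    """True if the token's `aud` claim equals (or contains) `expected`."""
    aud = unverified_claims(token).get('aud')
    return expected in aud if isinstance(aud, list) else aud == expected


def _constructed_token(claims):
    """Build an unsigned sample token (constructed, for the demo only)."""
    def enc(obj):
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b'=').decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == '__main__':
    expected = 'example-audience'  # placeholder, not a value from this PR
    url, headers = identity_request(expected)
    print(url, headers)
    good = _constructed_token({'aud': expected})
    bad = _constructed_token({'aud': 'https://service.example/path'})
    print(audience_matches(good, expected), audience_matches(bad, expected))
```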