authentication - How to get id tokens from OIDC-authenticated servers? - Stack Overflow

I am trying to connect to my Cloud Run backend from the Vercel frontend (not client side).

I have set up the workload federated identity, and the connection appears to work correctly if I run the following:

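    import { ExternalAccountClient } from "google-auth-library";
    import { getVercelOidcToken } from "@vercel/functions/oidc";

    // Exchange the Vercel OIDC token for a Google access token via workload identity federation.
    const authClient = ExternalAccountClient.fromJSON({
      type: "external_account",
      audience: `//iam.googleapis.com/projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${GCP_WORKLOAD_IDENTITY_POOL_ID}/providers/${GCP_WORKLOAD_IDENTITY_POOL_PROVIDER_ID}`,
      subject_token_type: "urn:ietf:params:oauth:token-type:jwt",
      token_url: "https://sts.googleapis.com/v1/token",
      service_account_impersonation_url: `https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${GCP_SERVICE_ACCOUNT_EMAIL}:generateAccessToken`,
      subject_token_supplier: {
        // Use the Vercel OIDC token as the subject token.
        getSubjectToken: getVercelOidcToken,
      },
    });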

This is fine, however what I really need is the GoogleAuth object, which I can use to get the ID token required to connect to the Cloud Run backend - something like this:

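    import { GoogleAuth } from "google-auth-library";

    const auth = new GoogleAuth({
      // Assumed scope: the original value is missing from the page.
      scopes: "https://www.googleapis.com/auth/cloud-platform",
      projectId: GCP_PROJECT_ID,
    });
    // Request an ID token whose audience is the backend URL.
    const idTokenclient = await auth.getIdTokenClient(backend_url);
    const response = await idTokenclient.request({ url: backend_url });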

What I don't understand is how to go from the ExternalAccountClient to the GoogleAuth client. Is there a way I can pass the accessToken or some sort of credentials to the GoogleAuth call? (Which I believe right now would just try to reuse the local auth credentials from the machine, which are not available on a serverless environment?)


Edit: Gentle ping :) Would really love an answer here (or some pointers!)
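
One way to obtain the ID token the question asks about, as an added example that is not part of the original post: call the IAM Credentials `generateIdToken` endpoint with the federated client, then check the token's `aud` and `exp` before forwarding it. The function names are hypothetical, and it assumes the impersonated service account may mint ID tokens for itself (`iam.serviceAccounts.getOpenIdToken`), may invoke the Cloud Run service, and that the service accepts its own URL origin as audience.

```javascript
// Added example; function names are hypothetical, endpoint is IAM Credentials.
const IAM_CREDENTIALS = "https://iamcredentials.googleapis.com/v1";

// Build the generateIdToken call. Assumption: the Cloud Run service accepts
// its own URL origin as audience (no custom audience configured).
function buildIdTokenRequest(serviceAccountEmail, backendUrl) {
  const { protocol, origin } = new URL(backendUrl);
  if (protocol !== "https:") throw new Error("backend URL must be https");
  return {
    url: `${IAM_CREDENTIALS}/projects/-/serviceAccounts/${serviceAccountEmail}:generateIdToken`,
    method: "POST",
    data: { audience: origin, includeEmail: true },
  };
}

// Decode (not verify) the payload of a compact JWT for a local sanity check.
// The receiving service still verifies the signature.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// authClient: any google-auth-library client exposing request(), such as the
// ExternalAccountClient built from the Vercel OIDC token.
async function fetchCloudRunIdToken(authClient, serviceAccountEmail, backendUrl) {
  const req = buildIdTokenRequest(serviceAccountEmail, backendUrl);
  const res = await authClient.request(req); // sent with the access token
  const token = res.data && res.data.token;
  if (!token) throw new Error("generateIdToken returned no token");
  const { aud, exp } = decodeJwtPayload(token);
  // Refuse to forward a token minted for another audience or already expired.
  if (aud !== req.data.audience) throw new Error(`unexpected aud: ${aud}`);
  if (!(exp * 1000 > Date.now())) throw new Error("ID token is expired");
  return token;
}

// Server-side call to the backend with the ID token as a bearer credential.
async function callBackend(authClient, serviceAccountEmail, backendUrl) {
  const token = await fetchCloudRunIdToken(authClient, serviceAccountEmail, backendUrl);
  return fetch(backendUrl, { headers: { Authorization: `Bearer ${token}` } });
}
```

Keep the token on the server: it is a bearer credential for the backend and should not be logged or returned to the browser.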
