I'm trying to set up a resource that triggers a Cloud Run Service.
It should be able to perform a POST request to the base URL with a JSON payload.
The resource works fine if I set the authentication to Allow unauthenticated invocations, but I want to be the only one that's able to access it.
where the connected service account has the appropriate permissions.
Is this misguided?
As far as I know, Cloud Run expects an identity token, which can be generated using the service account key. Is that what's being used to authenticate a request in such a case? I would assume not, since I keep getting the error: Your client does not have permission to get URL / from this server.
Am I completely missing the mark here? Is there any way to do this?
Again, OAuth 2.0 doesn't work, since Cloud Run expects an identity token (gcloud auth print-identity-token), not an access token.
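An added example (not code from either post) of the identity-token path the question describes: minting an ID token whose audience is the Cloud Run service URL with the google-auth library, posting JSON with it as the bearer, and a stdlib-only claims check that tells whether a 403 like the one above came from sending an OAuth access token or an identity token with the wrong audience. The service URL, service-account email and key-file path are placeholders, and the token built by make_constructed_token is unsigned and only for offline inspection.

```python
import base64
import json
import time
import urllib.request

def decode_jwt_claims(token):
    """Decode a JWT's claims without verifying the signature (diagnostic use only)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_id_token(token, service_url, now=None):
    """Return the reasons Cloud Run's IAM check would reject this bearer token."""
    now = time.time() if now is None else now
    if token.count(".") != 2:
        # OAuth access tokens (ya29...) are opaque strings, not JWTs: Cloud Run rejects them.
        return ["not a JWT: an OAuth access token was sent instead of an identity token"]
    claims = decode_jwt_claims(token)
    problems = []
    if claims.get("iss") != "https://accounts.google.com":
        problems.append(f"unexpected issuer {claims.get('iss')!r}")
    if claims.get("aud") != service_url:
        problems.append(f"aud {claims.get('aud')!r} does not match {service_url!r}")
    if "email" not in claims:
        problems.append("no email claim: token does not identify a service account")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems

def make_constructed_token(claims):
    """Build an UNSIGNED JWT with the given claims, for offline testing only."""
    b64 = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.constructed-signature"

def mint_id_token(key_file, service_url):
    """Mint a real identity token for the service from a service-account key (needs google-auth)."""
    from google.auth.transport.requests import Request
    from google.oauth2 import service_account
    creds = service_account.IDTokenCredentials.from_service_account_file(
        key_file, target_audience=service_url)
    creds.refresh(Request())
    return creds.token

def post_json(service_url, id_token, payload):
    """POST a JSON body to the service with the identity token as the bearer credential."""
    req = urllib.request.Request(
        service_url, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Bearer {id_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()
```

Run check_id_token on whatever token the resource actually sends before blaming IAM: an empty list means the token itself is acceptable, so the remaining suspect is the service account's run.invoker binding.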
Here's what I did to try to reproduce what you're seeing:
I just spun up a test GCP Cloud Run Service
Created a service account
Added that service account to be able to invoke the Cloud Run Service
Created a key for that service account
Set the REST API authentication in Retool similarly to how you did in your screenshot... with one difference: I did not specify any scope in the Service Account OAuth Scopes field whereas you provided one.
Can you try clearing out the scopes, saving the resource, and retrying your query?
Here's a GIF showing how removing the scope worked for me. Were you seeing the exact same error message?
I did find some documentation online about how scopes are not necessary for Cloud Functions, so perhaps Cloud Run services invoked via HTTP act similarly. This StackOverflow answer seems to support that hypothesis.