CDN edge services authenticating towards Cloud Run backend

Hi,

Today we have website components distributed across the world using a CDN with edge services that request data from our GCP backend. Currently, authentication is done using Cloud IAM by setting principals on our API services (in Cloud Run) for approved service accounts. Inbound traffic (to GCP) is configured using a Global HTTP(S) Load Balancer. And this works (sort of, see below).

But every hour the tokens need to be refreshed. When this happens we see small "bumps" of 401s. Our best guess is that because of the distributed nature of the CDN, the refreshed/new token isn't immediately available in all POPs at refresh time and thus some requests get 401s.

We've experimented using 2 rotating service accounts, which solves our problem. But we'd ideally want something less workaround-y.

Any guidance?

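The failure mode described in the post (a POP that still presents the old token after it has expired) can be modelled without any network access. The following is an added example, not code from the poster or from Google: it assumes Cloud Run ID tokens live for one hour, replaces the real token fetch (for example `google.oauth2.id_token.fetch_id_token`) with a constructed `mint_token` stand-in, and assumes an upper bound on how long the CDN takes to push a new token to every POP. The idea is the same overlap the two-rotating-service-accounts workaround achieves, but with a single account: refresh early enough that every POP has switched to the new token while the old one is still accepted.

```python
from dataclasses import dataclass

TOKEN_LIFETIME_S = 3600        # assumed: Cloud Run ID tokens are valid for one hour
PROPAGATION_MARGIN_S = 900     # assumed: worst-case time for the CDN to distribute a new token to all POPs


@dataclass
class Token:
    value: str
    issued_at: float
    expires_at: float

    def is_valid(self, now: float) -> bool:
        # Cloud Run rejects an expired token with 401, so expiry is the only check modelled here.
        return now < self.expires_at


def mint_token(now: float, serial: int) -> Token:
    # Constructed stand-in for fetching a fresh ID token for the Cloud Run audience.
    return Token(value=f"token-{serial}", issued_at=now, expires_at=now + TOKEN_LIFETIME_S)


class EarlyRefreshCache:
    """Hands out a new token PROPAGATION_MARGIN_S before the current one expires.

    While the new token propagates, the old one is still accepted by Cloud Run,
    so a POP that lags behind keeps working instead of producing 401s.
    """

    def __init__(self, minter=mint_token):
        self.minter = minter
        self.serial = 0
        self.current = None
        self.refresh_times = []

    def get(self, now: float) -> Token:
        if self.current is None or now >= self.current.expires_at - PROPAGATION_MARGIN_S:
            self.serial += 1
            self.current = self.minter(now, self.serial)
            self.refresh_times.append(now)
        return self.current


def simulate(pop_lag_s: float, horizon_s: int, step_s: int = 60) -> int:
    """Model one POP that learns about a new token only pop_lag_s after the origin refreshed it.

    Returns how many requests in the horizon would be rejected because the POP
    presented an expired token (the 401 bumps from the post).
    """
    cache = EarlyRefreshCache()
    pop_token = None
    rejected = 0
    for now in range(0, horizon_s, step_s):
        origin = cache.get(now)
        # The POP adopts the newest token only once the propagation lag has elapsed.
        if pop_token is None or (origin is not pop_token and now - origin.issued_at >= pop_lag_s):
            pop_token = origin
        if not pop_token.is_valid(now):
            rejected += 1
    return rejected


def margin_covers_lag(pop_lag_s: float) -> bool:
    """The refresh margin must be at least the slowest POP's propagation lag."""
    return pop_lag_s <= PROPAGATION_MARGIN_S


if __name__ == "__main__":
    four_hours = 4 * TOKEN_LIFETIME_S
    print("lag 10 min, rejected requests:", simulate(600, four_hours))
    print("lag 20 min, rejected requests:", simulate(1200, four_hours))
```

The second simulation shows what happens when the propagation lag exceeds the margin: the 401s come back, which is the check to run against a measured propagation time before picking the margin. In production the token would be refreshed by a scheduled job at `expires_at - PROPAGATION_MARGIN_S` and pushed to the CDN configuration, while the expiry of the previous token remains the hard deadline.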