
Issue with ADC and Google Drive API

So I have an interesting issue.

We have a node app deployed in GKE. The app should upload a file to Google Drive (shared drive).

We use the googleapis npm package to authenticate and generate a token with the scope 'https://www.googleapis.com/auth/drive'  (a bit excessive but we tried with this scope to rule out other issues with scope).

The Google Drive API is enabled for the GCP project and the node pool service account has been added as "content manager" to the drive folder.

We've been following https://cloud.google.com/nodejs/docs/reference/google-auth-library/latest 

If we create a key file (local dev machine) for the service account and use this for authentication we can access the folder in Google Drive without issues. 

  const auth = new GoogleAuth({
    scopes: 'https://www.googleapis.com/auth/cloud-platform'
  });

  const client = await auth.getClient();

If we instead rely on ADC (application default credentials) we get an error back saying "Invalid credentials"

Here we do

  const auth = new GoogleAuth();

  const client = await auth.getIdTokenClient(url);

And use client to make the request to the google drive API.

const res = await client.request({ url: ....

So this works with the client object returned by getClient but not with the object returned by getIdTokenClient.

With the object returned by getIdTokenClient we get a 401 with the message "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project."

We're about out of ideas at this point (other than generating a key file for the service account and using that when running in GKE instead of using ADC).

Could it be that the Google Drive API is not compatible with the object returned by getIdTokenClient???

For completeness, both ADC and key file use the same service account.

1 REPLY

According to the documentation you've linked to (specifically this section), it says

If your application is running on Cloud Run or Cloud Functions, or using Cloud Identity-Aware Proxy (IAP), you will need to fetch an ID token to access your application. For this, use the method getIdTokenClient on the GoogleAuth client.

Since you aren't using the first two and you didn't mention using IAP, maybe you shouldn't be calling getIdTokenClient. Just try the code in the Application Default Credentials section.

 

NoCommandLine
https://nocommandline.com
Analytics & GUI for App Engine & Datastore Emulator
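
Added example, not part of the original thread or of google-auth-library: the 401 quoted in the question says the Drive API expected an OAuth 2 access token, while the documentation quoted in the reply says getIdTokenClient fetches an ID token. This diagnostic classifies the bearer credential in an outgoing Authorization header as a JWT (the form an ID token takes) or an opaque token, and reports only non-secret claims. The function names and sample tokens are constructed for illustration.

```javascript
// Diagnostic only: decodes without verifying the signature, so never use
// the result for an authorization decision. Returns claims, not the token.
function decodeSegment(seg) {
  // base64url -> base64; Buffer tolerates missing padding.
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  try {
    const obj = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
    return obj !== null && typeof obj === 'object' ? obj : null;
  } catch {
    return null; // not JSON, so not a JWT segment
  }
}

function classifyBearer(authorizationHeader) {
  const m = /^Bearer\s+(\S+)$/i.exec(String(authorizationHeader || '').trim());
  if (!m) return { kind: 'none' };
  const parts = m[1].split('.');
  if (parts.length === 3) {
    const header = decodeSegment(parts[0]);
    const payload = decodeSegment(parts[1]);
    if (header && header.alg && payload) {
      return {
        kind: 'jwt',                      // ID tokens are JWTs
        iss: payload.iss,
        aud: payload.aud,                 // audience the token was minted for
        hasScope: 'scope' in payload,     // ID tokens carry no OAuth scopes
        expired: typeof payload.exp === 'number' && payload.exp * 1000 < Date.now(),
      };
    }
  }
  return { kind: 'opaque' };              // e.g. an OAuth 2 access token
}

// Constructed sample inputs (not real credentials).
const b64url = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const SAMPLE_ID_TOKEN = [
  b64url({ alg: 'RS256', typ: 'JWT' }),
  b64url({ iss: 'https://accounts.google.com', aud: 'https://example.invalid/service', exp: 1 }),
  'constructed-signature',
].join('.');
const SAMPLE_ACCESS_TOKEN = 'sample.opaque-access-token';

console.log(classifyBearer('Bearer ' + SAMPLE_ID_TOKEN));
console.log(classifyBearer('Bearer ' + SAMPLE_ACCESS_TOKEN));
```

To apply it to the clients in the question, pass the Authorization value the client would attach to the request; in google-auth-library, `client.getRequestHeaders(url)` returns those headers.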