Using ID Tokens in Cloud Build without roles/iam.serviceAccountTokenCreator - Secure Authentication Patterns

Since serviceAccountTokenCreator enables service account impersonation and token minting, I’m curious about more least-privilege alternatives, such as:

  • Using the Custom Cloud Build service account identity directly

  • Relying on Cloud Run IAM invoker bindings (in the case of Cloud Run invocation from Cloud Build)

  • Avoiding explicit token creation unless absolutely required

When is iam.serviceAccountTokenCreator truly required?


I am curious why this doesn’t work from Cloud Build. With the same setup, Vertex AI Pipelines works fine even though the pipeline’s running service account does not have the iam.serviceAccountTokenCreator role.

It’s probably about how the underlying code implementation works for these two different services. 🥲

After further investigation with Google Support, we found that Cloud Build has a different authentication model compared to other GCP runtimes (e.g., Vertex AI Pipelines).

For security reasons, Cloud Build does not provide direct access to the metadata server. To successfully generate an ID token, the custom Cloud Build service account must have the required permission:
iam.serviceAccounts.getOpenIdToken
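Added example, not code from this thread or from Google: it shows the two ways a workload asks for an ID token for a target audience such as a Cloud Run URL. Path A is the metadata-server identity endpoint that GCE, GKE and Cloud Run workloads use; Path B is the IAM Credentials generateIdToken call, which is what a runtime without the metadata server has to use and which is the call gated by iam.serviceAccounts.getOpenIdToken on the service account being asked. The service account name, Cloud Run URL and access token are constructed placeholders, and how the build step obtains its own access token is assumed to be handled outside the snippet (for example by the build's default credentials). The HTTP transport is injected so the flow runs offline against a fake response.

```python
"""Mint a Google ID token for a target audience (for example a Cloud Run URL)
from a runtime that cannot use the metadata-server identity endpoint.

Path A (metadata server) is what GCE, GKE and Cloud Run workloads use.
Path B (IAM Credentials generateIdToken) needs iam.serviceAccounts.getOpenIdToken
on the service account being asked for the token; when the build service
account asks for a token on itself, that permission is needed on itself.
The HTTP transport is injected so the flow can be exercised offline.
"""
import base64
import json
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlencode

METADATA_IDENTITY_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                         "instance/service-accounts/default/identity")
IAM_CREDENTIALS_URL = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts"
GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")

# Transport signature: (method, url, headers, body) -> (status, response_body)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def metadata_identity_request(audience: str):
    """Path A: GET on the metadata server; only a Metadata-Flavor header, no IAM permission."""
    url = f"{METADATA_IDENTITY_URL}?{urlencode({'audience': audience, 'format': 'full'})}"
    return "GET", url, {"Metadata-Flavor": "Google"}, None


def iam_credentials_identity_request(service_account: str, audience: str, access_token: str):
    """Path B: POST serviceAccounts.generateIdToken, authenticated with the caller's access token."""
    url = f"{IAM_CREDENTIALS_URL}/{service_account}:generateIdToken"
    body = json.dumps({"audience": audience, "includeEmail": True}).encode()
    headers = {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"}
    return "POST", url, headers, body


def fetch_id_token(transport: Transport, service_account: str, audience: str, access_token: str) -> str:
    """Run Path B over `transport` and map the permission failure to a clear error."""
    status, resp = transport(*iam_credentials_identity_request(service_account, audience, access_token))
    if status == 403:
        raise PermissionError(f"generateIdToken on {service_account} denied: "
                              "the caller lacks iam.serviceAccounts.getOpenIdToken on it")
    if status != 200:
        raise RuntimeError(f"generateIdToken failed: HTTP {status} {resp[:200]!r}")
    return json.loads(resp)["token"]


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_token_claims(id_token: str, expected_audience: str) -> dict:
    """Client-side sanity check of aud/iss before the token is sent. The receiving
    service (e.g. Cloud Run) still verifies the signature; this only catches
    an audience or issuer misconfiguration early, with a readable error."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("aud") != expected_audience:
        raise ValueError(f"audience mismatch: token has {claims.get('aud')!r}")
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    return claims


def urllib_transport(method, url, headers, body):
    """Real transport for use inside a build step (stdlib only)."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            return r.status, r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def build_unsigned_demo_token(claims: dict) -> str:
    """Constructed fixture for offline runs: an unsigned JWT-shaped string (NOT a Google token)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed names; replace with the custom build SA and the Cloud Run service URL.
    sa = "build-sa@example-project.iam.gserviceaccount.com"
    aud = "https://my-service-abc123-uc.a.run.app"
    granted = {"aud": aud, "iss": "https://accounts.google.com", "email": sa}

    def fake_transport(method, url, headers, body):  # stands in for iamcredentials.googleapis.com
        return 200, json.dumps({"token": build_unsigned_demo_token(granted)}).encode()

    tok = fetch_id_token(fake_transport, sa, aud, access_token="ya29.placeholder")
    print(check_token_claims(tok, aud)["email"])
```

In a real build step, pass `urllib_transport` instead of the fake and use the build service account's own access token. Because the permission is checked on the service account named in the URL, a build service account minting a token for itself needs iam.serviceAccounts.getOpenIdToken on itself; the predefined role roles/iam.serviceAccountOpenIdTokenCreator carries that permission without the access-token and signing permissions bundled into roles/iam.serviceAccountTokenCreator, so it is the narrower grant when only ID tokens are needed.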