I have trouble getting ADC working on Cloud Run with Google APIs like the Directory or Gmail API, which need the target user set via createDelegated(targetUser) on the credential. When I use GOOGLE_APPLICATION_CREDENTIALS pointing to an existing JSON file with the service account id and key, it works with no problems, but when I drop this ENV property and let GoogleCredentials.getApplicationDefault() obtain the credential automatically from the GCE metadata server, these impersonated requests fail with a 403 "Not Authorized to access this resource/api" error.
The code is the same for both cases:
GoogleCredentials.getApplicationDefault().createScoped(scopes).createDelegated(targetUser);
then using the Google libraries for Directory or Gmail, which (as seen by debugging) call refreshAccessToken on the ServiceAccountCredentials or ComputeEngineCredentials object. Both result in an access token belonging to the same azp/aud and scopes; the only difference is the access_type field, which is offline for SAC and online for GEC.
Other APIs (without impersonation) like Marketplace seem to work with both Service/Compute credentials, so there has to be some issue or other configuration/programming needed for the impersonation usage which I am unable to recover, and I need any assistance.
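One way to obtain a delegated credential without a JSON key, added here as an example and not code from the question, from an answer, or from the Google libraries: ComputeEngineCredentials holds no private key, so it cannot build the `sub`-bearing JWT assertion that domain-wide delegation requires (the base GoogleCredentials.createDelegated just returns the same instance, which is why the call above silently yields a non-delegated token and a 403), but it does implement ServiceAccountSigner, which signs through the IAM Credentials API. The class name, the space-joined `scope` parameter and the GsonFactory parse (google-http-client-gson, pulled in by the Directory/Gmail clients) are assumptions of this example.

```java
import com.google.api.client.json.GenericJson;
import com.google.api.client.json.gson.GsonFactory;
import com.google.auth.ServiceAccountSigner;
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.GoogleCredentials;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.Base64;
import static java.nio.charset.StandardCharsets.UTF_8;

public final class DelegatedCredentialWithoutKey { // hypothetical class, not from the page
  private static final String TOKEN_URI = "https://oauth2.googleapis.com/token";
  private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

  /** The RS256 assertion (iss = runtime SA, sub = target user) that ServiceAccountCredentials
   *  signs with its JSON key; here ComputeEngineCredentials signs it via IAM signBlob instead. */
  static String buildAssertion(ServiceAccountSigner signer, String scope, String subject, long now) {
    String header = B64URL.encodeToString("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(UTF_8));
    String claims = String.format(
        "{\"iss\":\"%s\",\"sub\":\"%s\",\"scope\":\"%s\",\"aud\":\"%s\",\"iat\":%d,\"exp\":%d}",
        signer.getAccount(), subject, scope, TOKEN_URI, now, now + 3600);
    String input = header + "." + B64URL.encodeToString(claims.getBytes(UTF_8));
    return input + "." + B64URL.encodeToString(signer.sign(input.getBytes(UTF_8)));
  }

  public static GoogleCredentials delegated(String scope, String targetUser) throws Exception {
    GoogleCredentials adc = GoogleCredentials.getApplicationDefault();
    // signBlob requires roles/iam.serviceAccountTokenCreator on the runtime SA (granted to itself)
    // and the IAM Service Account Credentials API enabled; a JSON key needs neither.
    if (!(adc instanceof ServiceAccountSigner)) {
      throw new IllegalStateException("ADC cannot sign: " + adc.getClass().getName());
    }
    long now = System.currentTimeMillis() / 1000;
    String body = "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion="
        + buildAssertion((ServiceAccountSigner) adc, scope, targetUser, now);
    HttpRequest req = HttpRequest.newBuilder(URI.create(TOKEN_URI))
        .header("Content-Type", "application/x-www-form-urlencoded")
        .POST(HttpRequest.BodyPublishers.ofString(body)).build();
    HttpResponse<String> resp = HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofString());
    if (resp.statusCode() != 200) {
      // Failing here, not at the Gmail/Directory call, means delegation itself was refused:
      // check the Admin console's domain-wide delegation entry for this SA's client ID and scopes.
      throw new IllegalStateException("token endpoint " + resp.statusCode() + ": " + resp.body());
    }
    GenericJson json = GsonFactory.getDefaultInstance().fromString(resp.body(), GenericJson.class);
    String token = (String) json.get("access_token");
    return GoogleCredentials.create(new AccessToken(token, new java.util.Date((now + 3600) * 1000)));
  }
}
```

The returned credential is passed to the Directory or Gmail client builder through HttpCredentialsAdapter exactly as the key-based one was; with GOOGLE_APPLICATION_CREDENTIALS set, the ServiceAccountCredentials path still works because it also implements ServiceAccountSigner.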