Redacting sensitive information from automatically generated logs from Google Cloud Run

In a service running on google cloud run, I have an endpoint that essentially accepts an access token in the query string and returns some user details of the user that is corresponding to that access token.

Something like BASE_URL/auth?access_token=abc123

The issue with this is that cloud run writes logs automatically that contains information about the request, including the full url including the query string. This then means that the access token gets written to the logs, which is not exactly what I want.

From what I gather from here: https://cloud.google.com/run/docs/logging#exclude-logs, it doesnt seem possible to turn off these logs except via some exclusion filter. What I'm trying to understand is, can I use this to actually filter the logs that cloud run writes to cloud logging? If so how would that sink look?

I'm also very open to any other alternative that would simply redact the sensitive information. In case it is of any relevance, the access token is a JWT (not issued by Google).

Compiling all information in the comments as a community wiki for everyone's visibility.

It is not possible to turn off these logs in Cloud Logging. What you can do is use log exclusion to exclude the logs from the default bucket and add them in a dedicated log bucket. After that, you can manage who can access the logs. You can also check the answer to this post as it shows details on how to exclude logs.

Another thing to check is that sensitive information in HTTP request URLs is a security issue. Putting sensitive information in a URL is considered bad practice.