Fetch URL http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/ Jun 2026

You will find sub-paths like:

The fetch URL http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/ is a crucial component of the Google Compute Engine metadata service. By understanding its purpose and how to interact with it, you can unlock the full potential of service accounts and metadata in your GCP applications. Remember to always consider security implications when working with sensitive credentials and metadata.

You must include the HTTP header Metadata-Flavor: Google in your request. If this header is missing, the metadata server will reject the request to prevent Server-Side Request Forgery (SSRF) attacks.

Accessing this path returns a list of available service account aliases (e.g., default/).

– Enable Cloud Audit Logs for service account token generation.

.../scopes: Lists the access scopes granted to the service account.

2. Security Feature: SSRF Prevention

Google requires a specific HTTP header to protect against Server-Side Request Forgery (SSRF) attacks. If a request hits this URL without the header, the server rejects it.

In this example, the response indicates that the instance has a default service account with specific scopes.

The hostname metadata.google.internal is a special internal DNS name accessible only from within a GCP Compute Engine instance. It is not reachable from the public internet. When a developer needs a script to perform an action (like uploading a file to a bucket), the script queries this local URL to get an OAuth 2.0 access token. This eliminates the need to hardcode sensitive credentials directly into the application code.

2. The Vulnerability: Server-Side Request Forgery (SSRF)

To "prepare a feature" around this functionality, you are likely looking to either implement a legitimate data-fetching mechanism for a VM or build a security-focused feature to detect or prevent SSRF attacks.

1. Functional Feature: Service Account Metadata Fetcher

You can then fetch a token for app2-sa like this:
