
Behind the URL: Understanding metadata.google.internal/service-accounts

If you have ever peeked under the hood of a Google Compute Engine (GCE) virtual machine, you might have stumbled upon a curious HTTP request: http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/. It looks cryptic, but it is one of the most powerful and security-critical endpoints in Google Cloud.

To retrieve information about service accounts, you perform a GET request against this endpoint. The most critical requirement is the Metadata-Flavor: Google header: the metadata server refuses requests that lack it, which blocks naive Server-Side Request Forgery (SSRF) attempts, since a forged request relayed through a browser or a simple URL-fetching component usually cannot attach custom headers. Common endpoints: List service accounts: http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/ Get access token for the default account: http://google.internal

The metadata server is a localized service available only to your VM instances. It stores details such as the instance name, ID, and, most critically, service account information and security tokens.

You can then append any of these account names to retrieve their access tokens, identity tokens, SSH keys, or email details.
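The two paragraphs above describe the request shape (a GET with Metadata-Flavor: Google) and the server-side rule that enforces it. The following is an added example, not code from the original page or from Google: it stands up a local fake of the metadata server that reproduces the documented header check, fetches the service-account listing with and without the header to show the refusal, and includes a small outbound-URL guard of the kind a script that accepts a URL argument should apply before fetching. The listed account names, the port, and the helper names (FakeMetadataHandler, fetch_service_accounts, is_metadata_url, run_demo) are constructed for this example.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Hostnames/addresses the GCE metadata service answers on; used by the
# outbound-fetch guard below (list constructed for this example).
METADATA_HOSTS = {"metadata.google.internal", "169.254.169.254", "metadata"}

SERVICE_ACCOUNTS_PATH = "/computeMetadata/v1/instance/service-accounts/"

# Constructed sample listing, standing in for what a real instance returns
# (one account name per line, each followed by a slash).
FAKE_ACCOUNTS = "default/\nexample-sa@example-project.iam.gserviceaccount.com/\n"


class FakeMetadataHandler(BaseHTTPRequestHandler):
    """Local stand-in for the metadata server: enforces the header check."""

    def do_GET(self):
        # The documented behaviour: no "Metadata-Flavor: Google", no answer.
        if self.headers.get("Metadata-Flavor") != "Google":
            self.send_response(403)
            self.end_headers()
            self.wfile.write(b"Missing Metadata-Flavor:Google header.\n")
            return
        if self.path != SERVICE_ACCOUNTS_PATH:
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(FAKE_ACCOUNTS.encode())

    def log_message(self, *args):
        # Keep the example quiet; a real service would log these requests.
        pass


def start_fake_metadata_server():
    """Start the fake server on a random loopback port; return (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), FakeMetadataHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def fetch_service_accounts(base_url, with_header=True):
    """GET the service-account listing; returns (status, body)."""
    req = urllib.request.Request(base_url + SERVICE_ACCOUNTS_PATH)
    if with_header:
        req.add_header("Metadata-Flavor", "Google")
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def is_metadata_url(url):
    """Outbound-fetch guard: True if a caller-supplied URL targets the metadata service."""
    host = (urlparse(url).hostname or "").lower()
    return host in METADATA_HOSTS


def run_demo():
    """Run both requests against the fake server and return the observed results."""
    server, base = start_fake_metadata_server()
    try:
        no_header_status, _ = fetch_service_accounts(base, with_header=False)
        status, body = fetch_service_accounts(base)
    finally:
        server.shutdown()
    accounts = [line.rstrip("/") for line in body.splitlines() if line]
    return {"without_header": no_header_status, "with_header": status, "accounts": accounts}


if __name__ == "__main__":
    print(run_demo())
    for u in ("http://metadata.google.internal/computeMetadata/v1/", "https://config.example.com/app.json"):
        print(u, "-> blocked" if is_metadata_url(u) else "-> allowed")
```

Each account name returned by the listing is what you append to the endpoint path to reach that account's sub-resources; the guard function is the check a URL-accepting script should run before fetching anything, so that a user-supplied URL can never be pointed at the metadata service.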

Important notes:

The Moral of the String

If you see this in a debug log, it usually means your application is successfully looking for its identity.

This script had been written two years ago by a developer named David. David was pragmatic, perhaps to a fault. He needed the script to pull configuration data from a remote server. To make the script flexible, he added a feature allowing it to accept a URL as a command-line argument. It looked something like this: