Fetching http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/
Think of the metadata server as a built-in identity provider and information desk for your VM. It is a service running at a special, non-routable IP address (169.254.169.254) that every Google Compute Engine, App Engine, Cloud Run, and GKE instance can reach without needing any external credentials.
The http://metadata.google.internal endpoint allows Google Cloud resources to securely retrieve identity and authorization information without embedding secrets. To prevent SSRF attacks, requests must include the Metadata-Flavor: Google header.
3. Practical Usage Examples
Suppose your VM needs to impersonate a different service account (e.g., to access a project that the VM’s own account doesn’t have permission for). You can use the metadata server to get a token that can be exchanged for a token of the target account using the IAP or IAM signJWT endpoints.
The metadata server is powerful but must be handled with care. Here are several non-negotiable best practices:
Without this header, the server returns a 403 Forbidden response. This protects against accidental exposure and against CSRF-style requests issued by unprivileged processes that cannot set custom headers.
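To make the header check concrete, here is an added example (not code from the original article or from Google) that runs a small stand-in for the metadata server on localhost and queries it with and without the Metadata-Flavor header. The listening address, the service-accounts path handling and the returned listing are constructed for the demo; the real server is only reachable at 169.254.169.254 / metadata.google.internal from inside a Google Cloud instance.

```python
"""Added example: offline stand-in for the metadata server's
Metadata-Flavor: Google check, plus a client that reports the status code.
The server address, path handling and response body are constructed here."""
import http.server
import threading
import urllib.error
import urllib.request

METADATA_PATH = "/computeMetadata/v1/instance/service-accounts/"
FAKE_LISTING = b"default/\n"  # constructed stand-in for the real listing


class FakeMetadataHandler(http.server.BaseHTTPRequestHandler):
    """Mirrors the documented rule: no Metadata-Flavor: Google -> 403."""

    def do_GET(self):
        if self.headers.get("Metadata-Flavor") != "Google":
            self.send_response(403)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"Missing Metadata-Flavor: Google header.\n")
            return
        if self.path != METADATA_PATH:
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(FAKE_LISTING)

    def log_message(self, *args):
        # Keep the demo quiet; the real server does its own logging.
        pass


def start_fake_server():
    """Bind to an ephemeral port on loopback and serve in a daemon thread."""
    server = http.server.HTTPServer(("127.0.0.1", 0), FakeMetadataHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(base_url, path, with_header=True):
    """GET base_url + path; return (status, body). HTTP errors are returned,
    not raised, so a 403 can be inspected like any other response."""
    req = urllib.request.Request(base_url + path)
    if with_header:
        req.add_header("Metadata-Flavor", "Google")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def demo():
    """Run both requests against the fake server and return the results."""
    server = start_fake_server()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    try:
        return {
            "with_header": fetch(base, METADATA_PATH, with_header=True),
            "without_header": fetch(base, METADATA_PATH, with_header=False),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(name, status, body.strip())
```

The same fetch function, pointed at http://metadata.google.internal, is how an application on a Google Cloud instance would make the request; the only behavioural difference the stand-in models is the 403 for a missing header.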
Sometimes you have multiple service accounts attached to the same instance.
The metadata server is a fundamental component of Google Cloud's security and identity infrastructure. Understanding its endpoints, particularly service-accounts/, is essential for building secure, well-architected applications that run on Google Cloud.