import time
import requests

# Token endpoint on the GCP metadata server; the Metadata-Flavor header is
# required, so a plain browser-style request without it is rejected.
METADATA_TOKEN_URL = (
    "http://metadata.google.internal/computeMetadata/v1/"
    "instance/service-accounts/default/token"
)

class MetadataTokenProvider:
    def __init__(self):
        self._token = None
        self._expiry = 0.0  # epoch seconds at which the cached token expires

    def get_token(self):
        if self._expiry < time.time() + 60:  # refresh 60s early
            resp = requests.get(
                METADATA_TOKEN_URL,
                headers={"Metadata-Flavor": "Google"},
                timeout=5,
            )
            resp.raise_for_status()
            data = resp.json()
            self._token = data["access_token"]
            self._expiry = time.time() + data["expires_in"]
        return self._token
import google.auth

# Application Default Credentials: on GCE/Cloud Run this resolves to the
# instance's attached service account via the metadata server.
credentials, project_id = google.auth.default()
The fetch-url function inside the inventory script received the input. The script, being helpful, automatically decoded the URL string before making the request.
When an application or logging system records an action, it often sanitizes or URL-encodes special characters, so the request that actually reached the server may look different from what was logged. Breaking down the specific parts of this signature helps explain what an attacker or an internal automated process is attempting to do:
But Sarah had seen this before. She pulled up a decoder.
The directory listing all service accounts associated with the current instance.

What Does This Endpoint Return?
Web applications often implement features that pull data from external links, such as fetching profile pictures, generating PDF reports from templates, or parsing RSS feeds. If the input parameter (like fetch-url or url) is poorly sanitized, an attacker can swap a valid external URL for an internal cloud network endpoint, and the server will fetch it on their behalf.

2. The Internal Host (metadata.google.internal)
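The paragraph above describes the weak spot (a fetch-url parameter that is decoded and then requested as-is) and the target it exposes (the metadata host). The validator below is an added example, not code from the original article or from any Google library, showing how a server-side fetch feature can refuse such inputs: it decodes the parameter a bounded number of times (so single- and double-encoded forms are caught), allows only http(s), rejects the metadata hostnames and the link-local metadata address, and resolves ordinary hostnames so that anything pointing at a private, loopback or link-local address is refused too. The `resolver` parameter and the `BLOCKED_HOSTS` set are assumptions of this example; a deployment would keep its own list.

```python
import ipaddress
import socket
from typing import Callable, List, Optional
from urllib.parse import unquote, urlsplit

# Hostnames that reach the GCP metadata server. 169.254.169.254 is the
# documented metadata IP; "metadata" is the short alias GCE images resolve.
# (Assumption: an operator would extend this list for other providers.)
BLOCKED_HOSTS = {"metadata.google.internal", "metadata", "169.254.169.254"}
ALLOWED_SCHEMES = {"http", "https"}


def _default_resolver(host: str) -> List[str]:
    """Resolve a hostname to all its addresses; failure means 'no addresses'."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(host, None)]
    except socket.gaierror:
        return []


def _is_public_ip(text: str) -> bool:
    """True only for a globally routable unicast address."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    # Unwrap ::ffff:a.b.c.d so an IPv4-mapped form cannot bypass the checks.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_link_local or ip.is_private or ip.is_loopback
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_fetch_url(
    raw: str,
    resolver: Callable[[str], List[str]] = _default_resolver,
    max_decode_rounds: int = 3,
) -> Optional[str]:
    """Return the normalized URL the fetcher may request, or None to refuse.

    The caller must request the *returned* value, never the raw parameter,
    so the decoded form that was checked is the form that is fetched.
    """
    url = raw
    for _ in range(max_decode_rounds):  # bounded: %25-style nesting is finite
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded

    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None  # file://, gopher://, etc. are never legitimate here
    host = parts.hostname
    if not host:
        return None
    host = host.rstrip(".").lower()
    if host in BLOCKED_HOSTS:
        return None

    # Literal IP: check it directly. Hostname: resolve and check every answer,
    # so a name that maps to an internal address is refused as well.
    try:
        ipaddress.ip_address(host)
        addresses = [host]
    except ValueError:
        addresses = resolver(host)
    if not addresses or not all(_is_public_ip(a) for a in addresses):
        return None
    return url


if __name__ == "__main__":
    # Constructed sample inputs, using a fake resolver so this runs offline.
    fake_dns = {"example.com": ["93.184.216.34"], "intranet.example": ["10.0.0.5"]}
    samples = [
        "https://example.com/feed.xml",
        "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token",
        "http%253A%252F%252F169.254.169.254%252FcomputeMetadata%252Fv1%252F",
        "http://[::ffff:169.254.169.254]/",
        "http://intranet.example/",
    ]
    for s in samples:
        print(s, "->", validate_fetch_url(s, resolver=lambda h: fake_dns.get(h, [])))
```

Resolving inside the validator still leaves a window between the check and the fetch (DNS rebinding); the usual complement is to pin the connection to the address that was validated or to route outbound fetches through an egress proxy that applies the same policy. Note also that the metadata server's own `Metadata-Flavor: Google` requirement only helps when the vulnerable fetcher does not let callers set request headers.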
curl -H "Metadata-Flavor: Google" \
  'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token'
If you see this in a debug log, it usually means your application is successfully looking for its identity.
Demystifying the GCP Metadata Endpoint: Security, Architecture, and SSRF Defenses
In this example, the response indicates that the instance has a single service account associated with it, identified by its email address. The aliases field provides alternative names for the service account, while the scope field specifies the scope of the service account.
Mastering GCP Security: Fetching Access Tokens via metadata.google.internal
curl -H "Metadata-Flavor: Google" \
  "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/" \
  | tr '/' '\n'