Fetch-url-http-3a-2f-2fmetadata.google.internal-2fcomputemetadata-2fv1-2finstance-2fservice Accounts-2f
You don't need to generate, store, or rotate service account JSON keys (Dataminded, 2021).
You can also replace default with a specific service account's email address to get similar information for that specific account.
The metadata server supports HTTP, not HTTPS. This is safe because it is a non-routable, link-local address.
```python
import requests

def get_service_account_token():
    # Token endpoint for the instance's default service account
    url = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"
    # The metadata server rejects requests that lack this header
    headers = {"Metadata-Flavor": "Google"}
    try:
        response = requests.get(url, headers=headers)
        response.raise_for_status()
        return response.json()['access_token']
    except Exception as e:
        return f"Error fetching metadata: {e}"
```
(assuming default service account only):
This response indicates that the instance has a single service account associated with it, along with its email address, aliases, and the scopes it's authorized for.
– Enable Cloud Audit Logs for service account token generation.
It looked like gibberish at first: fetch-url-http-3A-2F...
– Never store long-lived service account keys on the instance. Rely on the metadata server’s short-lived tokens.
Inside the Cloud Perimeter: Exploiting and Defending Against Google Cloud Instance Metadata SSRF
```python
import urllib.request

list_url = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/"
req = urllib.request.Request(list_url, headers={"Metadata-Flavor": "Google"})
with urllib.request.urlopen(req) as response:
    # The listing has one entry per line, each ending in "/"
    accounts = [line.rstrip("/") for line in response.read().decode().splitlines()]
accounts = [a for a in accounts if a]  # remove empty
print("Attached service accounts:", accounts)
```
– Even if a service account has wider IAM permissions, the instance’s scopes limit what the metadata token can access.
http://google.internal[AUDIENCE_URL]

3. Practical Usage Examples

