Review of the fetch-url payload http%3a%2f%2fmetadata.google.internal%2fcomputeMetadata%2fv1%2finstance%2fservice-accounts%2f (decodes to http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/)

The Google Compute Engine metadata service is a RESTful API that provides a simple way for instances to access metadata. Here's a high-level overview of how it works:

from google.auth import compute_engine
import google.auth.transport.requests

# Credentials backed by the service account attached to this instance;
# refresh() asks the metadata server for an OAuth 2.0 access token.
credentials = compute_engine.Credentials()
request = google.auth.transport.requests.Request()
credentials.refresh(request)
access_token = credentials.token
print(f"Access token (first 20 chars): {access_token[:20]}...")

The metadata server is an internal service available at the fixed IP address 169.254.169.254 (commonly aliased to http://metadata.google.internal ). It provides information about virtual machine instances, such as hostnames, instance IDs, network configuration, and—crucially—attached service account credentials.

Why Use http://metadata.google.internal/... ?

The metadata server serves data in a JSON format, which can be accessed through a series of URLs. The most notable of these URLs is http://metadata.google.internal/computeMetadata/v1/ , which serves as the base path for metadata queries.

When you GET the service-accounts path (with the correct header), the metadata server returns the list of service accounts attached to the instance.

If you have ever deployed an application on Google Compute Engine (GCE), Google Kubernetes Engine (GKE), or Cloud Run, you have likely encountered the magical, link-local address 169.254.169.254 or the DNS name metadata.google.internal . Among the most critical—and frequently misunderstood—endpoints on that server is the service accounts path: /computeMetadata/v1/instance/service-accounts/ .

While powerful, this endpoint is a high-value target for attackers.

Let’s build a small application that runs on a GCE VM, fetches the list of service accounts, then uses the default account to list all buckets in the project.

The targeted string is a URL-encoded payload designed to be passed into a vulnerable application's file-fetching or webhook feature. When decoded, it is a direct query to GCP's internal metadata service: http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/

Even if a service account has wider IAM permissions, the instance's scopes limit what the metadata token can access.

Accessing Service Account Tokens via GCP Metadata Server: A Deep Dive

Suppose your VM needs to impersonate a different service account (e.g., to access a project that the VM’s own account doesn’t have permission for). You can use the metadata server to get a token that can be exchanged for a token of the target account using the IAP or IAM signJWT endpoints.

The metadata server requires the header Metadata-Flavor: Google on every request; because most SSRF primitives cannot set arbitrary request headers, this requirement blocks the common bypasses.

Common Sub-Paths:

service-accounts/ : Accessing this path returns a list of available service account aliases (e.g., default/ ).

The gcloud command‑line tool also wraps this endpoint:

The hostname metadata.google.internal is a special internal DNS name accessible only from within a GCP Compute Engine instance. It is not reachable from the public internet. When a developer needs a script to perform an action (like uploading a file to a bucket), the script queries this local URL to get an OAuth 2.0 access token. This eliminates the need to hardcode sensitive credentials directly into the application code.

2. The Vulnerability: Server-Side Request Forgery (SSRF)

When an application or logging system records an action, it often sanitizes or URL-encodes special characters. Breaking down the specific parts of this signature helps explain what an attacker or an internal automated process is attempting to do.
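An input check for the file-fetching or webhook feature described above, as an added example that is not part of the original page: it percent-decodes a user-supplied URL the way the reviewed signature would be decoded, then refuses any destination that is the metadata hostname or a link-local, private or loopback address. The hostname denylist, the decode depth and the (ok, reason) return shape are my assumptions; name resolution and re-checking of resolved addresses is left to the caller.

```python
# Added example (not from the original page): SSRF guard for a "fetch this
# URL" feature, written against the metadata-server payload reviewed here.
import ipaddress
from urllib.parse import unquote, urlsplit

# Hostnames that resolve to the GCE metadata server (assumed denylist).
METADATA_HOSTS = {"metadata.google.internal", "metadata"}


def is_blocked_host(host: str) -> bool:
    """True when a hostname or literal IP points at the metadata server or
    at any non-public address an outbound fetch must never reach."""
    host = host.lower().rstrip(".")
    if host in METADATA_HOSTS:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not a literal address. Assumption: the caller resolves the name
        # and re-checks every returned address with this function, so a
        # name that later resolves to 169.254.169.254 is still rejected.
        return False
    return (ip.is_link_local or ip.is_private or ip.is_loopback
            or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(raw: str, max_decode: int = 3) -> tuple:
    """Decode nested percent-encoding (the reviewed payload arrives encoded),
    then allow only http(s) URLs to public hosts. Returns (ok, reason_or_url)."""
    url = raw
    for _ in range(max_decode):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"
    if not parts.hostname:
        return False, "missing host"
    if is_blocked_host(parts.hostname):
        return False, f"blocked host: {parts.hostname}"
    return True, url


if __name__ == "__main__":
    # Constructed inputs: the reviewed payload, a double-encoded IP form,
    # and a legitimate webhook target.
    for sample in ("http%3a%2f%2fmetadata.google.internal%2fcomputeMetadata%2fv1%2finstance%2fservice-accounts%2f",
                   "http%253a%252f%252f169.254.169.254%252f",
                   "https://example.com/hook"):
        print(sample, "->", validate_fetch_url(sample))
```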

Start exploring today – SSH into any GCE VM and run:
