If you have ever deployed an application on Google Compute Engine (GCE), Google Kubernetes Engine (GKE), or Cloud Run, you have likely encountered the magical, link-local address 169.254.169.254 or the DNS name metadata.google.internal. Among the most critical, and frequently misunderstood, endpoints on that server is the service accounts path: /computeMetadata/v1/instance/service-accounts/. It is commonly used to access deeper endpoints like default/ and my-custom-sa@project-id.iam.gserviceaccount.com/.

In traditional cloud setups, you might download a JSON private key file and store it on the VM. That key becomes a liability: if the VM is compromised, the key is stolen.

In modern Google Cloud environments, there is a final safeguard: the metadata server requires a specific HTTP header (Metadata-Flavor: Google) to prove the request is legitimate and not a spoofed attack.
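The exchange above, shown from both sides as an added example (this is not code from the original page and not Google's metadata server implementation): a client that builds a request to the service-accounts path with the required Metadata-Flavor header, and a simplified stand-in for the server that refuses any request lacking it. The handler's logic, the sample account listing, and the exact 403 body are assumptions made for the illustration; the host name, path and header name are the documented ones from the text.

```python
"""Added example: minimal client/server round trip for the GCE metadata
service-accounts endpoint and its Metadata-Flavor safeguard.

Not Google's code. The handler below is a simplified stand-in; the account
listing is constructed sample data, not read from a real instance."""
from typing import Dict, Tuple
import urllib.request

METADATA_HOST = "metadata.google.internal"                 # documented DNS name
SA_PATH = "/computeMetadata/v1/instance/service-accounts/"  # documented path
REQUIRED_HEADER = ("Metadata-Flavor", "Google")             # documented header

# Constructed sample listing in the shape the endpoint returns: one entry per line.
SAMPLE_ACCOUNTS = ["default/", "my-custom-sa@project-id.iam.gserviceaccount.com/"]


def build_metadata_request(path: str) -> urllib.request.Request:
    """Client side: a request that carries the header the server insists on.

    urllib normalises the header name to 'Metadata-flavor'; HTTP header names
    are case-insensitive, so the server stand-in lowercases before comparing."""
    req = urllib.request.Request(f"http://{METADATA_HOST}{path}")
    req.add_header(*REQUIRED_HEADER)
    return req


def handle_metadata_request(path: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Server-side stand-in (assumption: simplified, not Google's behaviour).

    Returns (status, body). The header check runs before any path lookup, so a
    request that cannot set custom headers never reaches the account listing."""
    flavor = {k.lower(): v for k, v in headers.items()}.get("metadata-flavor")
    if flavor != "Google":
        # Assumed body text for the illustration; the status is the point.
        return 403, "Missing Metadata-Flavor:Google header"
    if path == SA_PATH:
        return 200, "\n".join(SAMPLE_ACCOUNTS) + "\n"
    return 404, "Not Found"


def simulate_round_trip(path: str, with_header: bool) -> Tuple[int, str]:
    """Drive the client builder into the server stand-in without any network I/O."""
    req = build_metadata_request(path)
    headers = dict(req.header_items()) if with_header else {}
    return handle_metadata_request(path, headers)


if __name__ == "__main__":
    for with_header in (False, True):
        status, body = simulate_round_trip(SA_PATH, with_header)
        label = "with header" if with_header else "no header"
        print(f"{label:11s} -> {status} {body.strip()!r}")
```

The value of the check is that it sits in front of every path, including the service-accounts listing: a request that arrives without the header is rejected before anything about the instance is revealed, which is why forwarding a URL through some other component is not enough on its own to read from the endpoint. A client you control sets the header with one `add_header` call, as the builder shows.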