Fetch-url-http-3a-2f-2fmetadata.google.internal-2fcomputemetadata-2fv1-2finstance-2fservice Accounts-2f 2021 Direct

1. What is the GCP Metadata Server?

It stores information about the instance, including service accounts, custom metadata, project-level data, and hostnames. The server acts as a local repository for authorized applications, ensuring that keys never need to be stored on disk.

The Service Accounts Endpoint Explained

The endpoint under http://metadata.google.internal allows applications running on Compute Engine VMs, App Engine, Cloud Functions, and Cloud Run to retrieve OAuth2 access tokens for the service account attached to the resource.

The address of this secret vault is http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/ .

This script had been written two years ago by a developer named David. David was pragmatic, perhaps to a fault. He needed the script to pull configuration data from a remote server. To make the script flexible, he added a feature allowing it to accept a URL as a command-line argument. It looked something like this:

If you are seeing errors related to this fetch URL, check these three things:

import requests

# Token endpoint for the service account attached to the instance
METADATA_URL = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"
# The metadata server rejects any request that lacks this header
headers = {"Metadata-Flavor": "Google"}

response = requests.get(METADATA_URL, headers=headers)
response.raise_for_status()
token_data = response.json()
access_token = token_data["access_token"]

The short answer is:

// Fails if the URL is percent-encoded a second time or the Metadata-Flavor header is missing;
// pass the literal URL and set the header:
fetch("http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/", {
  headers: { "Metadata-Flavor": "Google" }
});

Furthermore, this mechanism supports the principle of least privilege. Developers can assign a specific service account to a VM that only has "read" access to a specific bucket. When the code fetches a URL from the metadata server, the token it receives will carry only those restricted permissions, ensuring that a vulnerability in one part of the system doesn't lead to a total data breach.

Conclusion

Server-Side Request Forgery occurs when an attacker can trick a vulnerable web application into making an HTTP request to an internal resource that the attacker cannot reach directly.

– If you run user-submitted code in your VM (e.g., via a web app), that code can query /service-accounts/default/token and impersonate your service account.

Fetching this URL returns a list of service account identities authorized for the instance. By default, this usually includes the "default" compute service account. Sub-paths of this endpoint allow developers to retrieve:

The keyword fragment fetch-url-http-3A-2F-2F... suggests a JavaScript fetch() call or a similar HTTP client that percent-encoded the URL incorrectly. In Node.js, Python, or browser environments (though the metadata server is accessible from browsers), such encoding can break the request.

So the decoded URL is: http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/

When creating your VM or resource, ensure the service account has only the IAM permissions it actually needs.

5. Official Resources

If you are seeing this in an error message (e.g., "Failed to fetch URL"), it is often because the Metadata-Flavor: Google header is missing.

Example token response (JSON):