.../scopes: Lists the access scopes granted to the service account.

2. Security Feature: SSRF Prevention
The primary reason applications query the service-accounts/ endpoint is to obtain an access token for authenticating to Google APIs (e.g., Cloud Storage, BigQuery, Pub/Sub).
The specific path /instance/service-accounts/ is where your VM goes to find out .
{"access_token": "ya29.c.b0Aa...", "expires_in": 3600, "token_type": "Bearer"}
If you run curl http://metadata.google.internal from your laptop, it will fail, because the DNS name resolves only within GCP, where it points to a link-local address.
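Because the token endpoint is reachable only from inside the VM, a server-side fetcher that follows user-supplied URLs is the component that has to refuse it. The check below is an added example, not code from the original page or from Google: the function names, the `example.test` hostnames and the DNS answers are constructed for illustration, and the resolver is injectable so the block runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

METADATA_HOSTS = {"metadata.google.internal"}  # hostname named on the page

# Constructed DNS answers so the example runs offline (not real records).
CONSTRUCTED_DNS = {
    "api.example.test": {"203.0.113.10"},
    "alias.example.test": {"169.254.169.254"},          # a link-local answer
    "mapped.example.test": {"::ffff:169.254.169.254"},  # IPv4-mapped IPv6 form
}

def fake_resolver(host):
    """Stand-in resolver backed by CONSTRUCTED_DNS; fails like a real lookup."""
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror("no such host")
    return CONSTRUCTED_DNS[host]

def system_resolver(host):
    """Resolve with the OS resolver; returns a set of IP strings."""
    return {i[4][0] for i in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)}

def check_outbound_url(url, resolver=system_resolver):
    """Return (allowed, reason) for a URL the server is about to fetch."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https") or not host:
        return False, "scheme or host not allowed"
    if host in METADATA_HOSTS:
        return False, "metadata hostname"
    try:
        addresses = [ipaddress.ip_address(host)]  # IP literal in the URL
    except ValueError:
        try:
            # Judge every resolved address; drop any IPv6 zone id first.
            addresses = [ipaddress.ip_address(a.split("%")[0]) for a in resolver(host)]
        except OSError:
            return False, "resolution failed"
    for ip in addresses:
        # An IPv4-mapped IPv6 address is judged as the IPv4 address it wraps.
        ip = getattr(ip, "ipv4_mapped", None) or ip
        if ip.is_link_local:
            return False, f"link-local address {ip}"
    return True, "ok"
```

The verdict only holds if the fetch then connects to the address that was checked, and if the same check is repeated on every redirect hop.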