Fetch-url-http-3a-2f-2fmetadata.google.internal-2fcomputemetadata-2fv1-2finstance-2fservice Accounts-2f Now
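import requests

# Ask the metadata server for the attached service account's access token.
token_url = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"
token_resp = requests.get(token_url, headers={"Metadata-Flavor": "Google"}, timeout=5)
token_resp.raise_for_status()
access_token = token_resp.json()["access_token"]

# List buckets with that token. YOUR_PROJECT_ID is a placeholder.
storage_url = "https://storage.googleapis.com/storage/v1/b"
headers = {"Authorization": f"Bearer {access_token}"}
resp = requests.get(storage_url, headers=headers, params={"project": "YOUR_PROJECT_ID"}, timeout=10)
if resp.status_code == 200:
    buckets = resp.json().get("items", [])
    print(f"Found {len(buckets)} buckets.")
else:
    print(f"Error: {resp.status_code} - {resp.text}")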
The URL metadata.google.internal is a special internal DNS name accessible only from within a GCP Compute Engine instance. It is not reachable from the public internet. When a developer needs a script to perform an action (like uploading a file to a bucket), the script queries this local URL to get an OAuth 2.0 access token. This eliminates the need to hardcode sensitive credentials directly into the application code.

2. The Vulnerability: Server-Side Request Forgery (SSRF)
Seeing fetch-url-http-...metadata.google.internal... is a sign that your application is correctly trying to leverage the native Google Cloud identity system. It allows your code to run securely without hardcoding passwords or keys inside your application code.
The metadata server supports HTTP, not HTTPS. This is safe because it is a non-routable, link-local address.
It looked like gibberish at first: fetch-url-http-3A-2F...
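To triage a string like this in a request log, decode it back to the URL it stands for and check which metadata path it names. The sketch below is an added example, not code from the original page: the log lines are constructed, the function names are hypothetical, and it assumes the slug form only rewrites %3A and %2F as -3a and -2f.

```python
import re
from urllib.parse import unquote, urlsplit

# The two names the page gives for the metadata server.
METADATA_HOSTS = {"metadata.google.internal", "169.254.169.254"}
SA_PREFIX = "/computemetadata/v1/instance/service-accounts/"

def decode_reference(raw: str) -> str:
    """Undo %XX encoding (possibly nested) and the -3a / -2f slug form."""
    # Assumption: only -3a and -2f are rewritten, so "service-accounts" survives.
    text = re.sub(r"-(3a|2f)", lambda m: "%" + m.group(1), raw, flags=re.I)
    for _ in range(3):  # bounded, so nested encoding cannot loop forever
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify(raw: str):
    """Return None unless raw references the metadata server, else a label."""
    match = re.search(r"https?://\S+", decode_reference(raw), flags=re.I)
    if not match:
        return None
    try:
        url = urlsplit(match.group(0))
    except ValueError:  # malformed authority, e.g. stray brackets
        return None
    host = (url.hostname or "").rstrip(".").lower()
    if host not in METADATA_HOSTS:
        return None
    path = url.path.lower()
    if path.startswith(SA_PREFIX) and path.rstrip("/").endswith("/token"):
        return "token-request"
    if path.startswith(SA_PREFIX):
        return "service-account-listing"
    return "metadata-other"

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    "GET /fetch-url-http-3a-2f-2fmetadata.google.internal-2fcomputeMetadata-2fv1-2finstance-2fservice-accounts-2f 200",
    "GET /preview?url=http%3A%2F%2F169.254.169.254%2FcomputeMetadata%2Fv1%2Finstance%2Fservice-accounts%2Fdefault%2Ftoken 200",
    "GET /preview?url=https%3A%2F%2Fexample.com%2Flogo.png 200",
]

def scan(lines):
    """Pair each 1-based line number with its label, skipping unrelated lines."""
    hits = ((i, classify(line)) for i, line in enumerate(lines, 1))
    return [(i, label) for i, label in hits if label]
```

A "token-request" hit in a parameter that end users control deserves a closer look than the same URL appearing in the application's own outbound calls.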
The endpoint is a critical internal URL used by Google Cloud Platform (GCP) resources to manage identities and security credentials. It acts as a gateway for applications running on Compute Engine, GKE, or Cloud Run to interact with the Google Cloud Metadata Server.

Understanding the Metadata Server
Every Compute Engine VM, GKE node, Cloud Run revision, and many other GCP serverless environments run a local metadata server at the non‑routable IP address 169.254.169.254 and the hostname metadata.google.internal. This server exposes a REST API over HTTP (no TLS required, because the traffic never leaves the physical host). It provides:
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
The service-accounts/ directory within this server provides information about the IAM service accounts attached to the instance, including their identities and the temporary OAuth 2.0 access tokens required to call other GCP APIs.

Key Functionalities of the Endpoint
curl -H "Metadata-Flavor: Google" \
  "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/"
