Fetch-url-http-3a-2f-2fmetadata.google.internal-2fcomputemetadata-2fv1-2finstance-2fservice Accounts-2f 📌 🔖

The presence of fetch-url-http-3A-2F-2F... in a search term or log indicates a probable misencoding scenario. For example, someone might have written:

// Wrong: URL-encoding the entire URL
fetch(encodeURIComponent("http://metadata.google.internal/..."))

Or a logging system double-encoded an error message. The correct approach is to never URL-encode the base URL of the metadata server. Only query parameters (if any) should be encoded. The presence of fetch-url-http-3A-2F-2F

If you send a GET request to that directory, you receive a list of email addresses (or default account aliases) for every service account associated with the VM. Or a logging system double-encoded an error message

Example response:

default/
my-app@my-project.iam.gserviceaccount.com/

You can then append any of these account names to retrieve their access tokens, identity tokens, SSH keys, or email details. You can then append any of these account

The metadata server only supports HTTP, not HTTPS. This is safe because it is a non-routable, link-local address.