
In the documentation for the Cloud Run container contract, the listed endpoints include those for getting the email and token:

/computeMetadata/v1/instance/service-accounts/default/email
/computeMetadata/v1/instance/service-accounts/default/token

Descriptions are "Email for the runtime service account of this Cloud Run service or job" and "Generates an OAuth2 access token for the service account of this Cloud Run service or job."

But the (presumably RESTful) endpoint includes the path service-accounts/default/..., and a default service account is a real thing.

My Question

Does the metadata server for Cloud Run return the email / token generated for the currently active service account, despite the endpoint suggesting that it's for the default service account, or should the endpoints be parameterised by the name of the service account, e.g.

/computeMetadata/v1/instance/service-accounts/<service-account-name>/email
/computeMetadata/v1/instance/service-accounts/<service-account-name>/token

?

thclark
  • 1
    The default path on the metadata server is set by default on all metadata servers. I don't know if there was a plan to add several service accounts on the metadata server, but it's not the case. So there are 2 entries: default and the "runtime service account email". But at the end, it's the same thing, no difference. – guillaume blaquiere Mar 17 '23 at 20:47
  • Thanks for the response, Guillaume (I was hoping someone like you would see it!) but honestly it's got me even more confused. So there are two entries, one is default, one is runtime, but they're the same...? So which is it? – thclark Mar 20 '23 at 09:12
  • 1
    Keep in mind that Google Cloud is an extension of the Google infrastructure. It could be normal for a metadata server in Google infra to have several identities. But it's not the case for the public cloud. Therefore, there is always only one service account (the runtime one) and the default references it every time. – guillaume blaquiere Mar 20 '23 at 09:15
  • OK, so the /default/ endpoint uses the runtime service account always. Thanks @guillaume! – thclark Mar 20 '23 at 09:21
  • @guillaumeblaquiere if you'd like to make this an answer I'll accept it :) – thclark Mar 21 '23 at 08:29
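The following is an added example (not code from the question, the comments, or Google's documentation) showing how a Cloud Run workload would read its own identity from the two endpoints under discussion. It uses the documented metadata host metadata.google.internal and the mandatory Metadata-Flavor: Google header; the fake metadata server and its responses (the service account email, the token value and expiry) are constructed here so the example runs offline, and the helper names are this example's own. Because the default alias always resolves to the runtime service account, the code only ever requests service-accounts/default/... and returns a log-safe summary rather than the raw token.

```python
import json
import urllib.request

# Documented GCE / Cloud Run metadata conventions: the internal host and the
# header that every request must carry (requests without it are rejected).
METADATA_HOST = "http://metadata.google.internal"
METADATA_HEADERS = {"Metadata-Flavor": "Google"}
SA_PREFIX = "/computeMetadata/v1/instance/service-accounts"


def service_account_path(resource, account="default"):
    """Build the metadata path for the `email` or `token` of a service account.

    On Cloud Run only the `default` alias is populated and it resolves to the
    runtime service account, so callers should not need any other name."""
    if resource not in ("email", "token"):
        raise ValueError(f"unsupported metadata resource: {resource}")
    return f"{SA_PREFIX}/{account}/{resource}"


def _urllib_get(url, headers):
    """Real transport: GET the URL with the given headers and return the body."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def runtime_identity(http_get=_urllib_get):
    """Return a log-safe description of the identity this workload runs as.

    The email endpoint answers with plain text; the token endpoint answers
    with JSON of the shape {"access_token", "expires_in", "token_type"}.
    The access token itself is deliberately not returned, so the result can
    be logged without leaking a bearer credential."""
    email = http_get(METADATA_HOST + service_account_path("email"),
                     METADATA_HEADERS).strip()
    token = json.loads(http_get(METADATA_HOST + service_account_path("token"),
                                METADATA_HEADERS))
    for key in ("access_token", "expires_in", "token_type"):
        if key not in token:
            raise ValueError(f"token response missing field: {key}")
    if token["token_type"] != "Bearer":
        raise ValueError(f"unexpected token_type: {token['token_type']}")
    return {
        "email": email,
        "token_type": token["token_type"],
        "expires_in": int(token["expires_in"]),
        # Only a short prefix, enough to correlate with a later trace.
        "token_preview": token["access_token"][:6] + "...",
    }


# Constructed stand-in for the metadata server so the example runs offline.
# The email and token values are made up; only the response shapes are real.
FAKE_RESPONSES = {
    service_account_path("email"):
        "run-sa@example-project.iam.gserviceaccount.com\n",
    service_account_path("token"): json.dumps({
        "access_token": "ya29.EXAMPLE",
        "expires_in": 3599,
        "token_type": "Bearer",
    }),
}


def fake_metadata_get(url, headers):
    """Mimics the real server: refuses requests without the flavor header,
    404s unknown paths, and only knows the `default` alias."""
    if headers.get("Metadata-Flavor") != "Google":
        raise PermissionError("403: Metadata-Flavor header missing")
    path = url[len(METADATA_HOST):]
    if path not in FAKE_RESPONSES:
        raise FileNotFoundError(f"404: {path}")
    return FAKE_RESPONSES[path]


if __name__ == "__main__":
    # Inside a Cloud Run container you would call runtime_identity() with
    # the default transport; here the constructed server is used instead.
    print(runtime_identity(http_get=fake_metadata_get))
```

Swapping `fake_metadata_get` for the default transport is the only change needed inside a real Cloud Run service; the point of the summary dict is that the identity check can be emitted to logs or a health endpoint without ever writing the bearer token anywhere.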

1 Answer


As mentioned by @guillaume blaquiere:

The default path on the metadata server is set by default on all metadata servers. Keep in mind that Google Cloud is an extension of the Google infrastructure. It could be normal for a metadata server in Google infra to have several identities. But it's not the case for the public cloud. Therefore, there is always only one service account (the runtime one) and the default references it every time.

Chanpols