Getting an IAM token for a service account using a container
Written by
Updated at March 7, 2025
If the container revision was created with a service account, you can get an IAM token from the metadata service in Google Compute Engine using the API.
To do this, from inside the container, send a GET request to http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token
and specify the Metadata-Flavor: Google
HTTP header.
Below is an example of a function for obtaining an IAM token.
JavaScript
const fetch = require("node-fetch");
let url = 'http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token';
let headers = {'Metadata-Flavor': 'Google'};
async function getToken(event) {
const resp = await fetch(url, {
headers: headers,
});
let respJson = await resp.json();
return {
token: respJson['access_token'],
expiresInSeconds: respJson['expires_in'],
};
};