Getting an IAM token for a service account using a container

Written by

Updated at March 7, 2025

If the container revision was created with a service account, you can get an IAM token from the metadata service in Google Compute Engine using the API.

To do this, from inside the container, send a GET request to http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token and specify the Metadata-Flavor: Google HTTP header.

Below is an example of a function for obtaining an IAM token.

JavaScript

const fetch = require("node-fetch");
let url = 'http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token';
let headers = {'Metadata-Flavor': 'Google'};

async function getToken(event) {
    const resp = await fetch(url, {
        headers: headers,
    });
    let respJson = await resp.json();
    return {
        token: respJson['access_token'],
        expiresInSeconds: respJson['expires_in'],
    };
};

Getting an IAM token for a service account using a container

Was the article helpful?