This page describes how to use access tokens to authenticate when calling Google Cloud APIs.
Fetching access tokens
When your code runs on Knative serving it can use the Compute Metadata Server to fetch access tokens. You cannot query the metadata server directly from your local computer.
Access tokens
You use access tokens when calling Google APIs.
By default, access tokens have the cloud-platform
scope, which allows access
to all Google Cloud APIs, assuming Identity and Access Management also allows access. In order to
access other Google or Google Cloud APIs, you will need to fetch an access
token with the appropriate scope.
You can use the Compute Metadata Server to fetch access tokens.
If you need an access token with a specific scope, you can generate one as follows:
curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token?scopes=[SCOPES]" \ -H "Metadata-Flavor: Google"
Where SCOPES
is a comma separated list of OAuth scopes
requested, for example: https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/spreadsheets
.
Consult the full list of Google OAuth scopes to find which scopes you need.
Next steps
Learn how to manage access to your services.