Service identity

This page describes how to use access tokens to authenticate when calling Google Cloud APIs.

Fetching access tokens

When your code runs on Knative serving it can use the Compute Metadata Server to fetch access tokens. You cannot query the metadata server directly from your local computer.

Access tokens

You use access tokens when calling Google APIs.

By default, access tokens have the cloud-platform scope, which allows access to all Google Cloud APIs, assuming Identity and Access Management also allows access. In order to access other Google or Google Cloud APIs, you will need to fetch an access token with the appropriate scope.

You can use the Compute Metadata Server to fetch access tokens.

If you need an access token with a specific scope, you can generate one as follows:

curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token?scopes=[SCOPES]" \
  -H "Metadata-Flavor: Google"

Where SCOPES is a comma separated list of OAuth scopes requested, for example: https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/spreadsheets.

Consult the full list of Google OAuth scopes to find which scopes you need.

Next steps

Learn how to manage access to your services.