Using OAuth2 access tokens

You can use access tokens to authenticate for a short period of time with Google Cloud APIs. If access tokens are not required, you should use a service account to authenticate your Cloud Run for Anthos services.

Fetching access tokens

When your code runs on Cloud Run for Anthos, it can use the Compute Metadata Server to fetch access tokens. You cannot query the metadata server directly from your local computer.

Access tokens

By default, access tokens have the cloud-platform scope, which allows access to all Google Cloud APIs, assuming Identity and Access Management also allows access. In order to access other Google or Google Cloud APIs, you will need to fetch an access token with the appropriate scope.

You can use the Compute Metadata Server to fetch access tokens.

If you need an access token with a specific scope, you can generate one as follows:

curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token?scopes=[SCOPES]" \
  -H "Metadata-Flavor: Google"

Where SCOPES is a comma-separated list of the OAuth scopes requested, for example: https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/spreadsheets.

Consult the full list of Google OAuth scopes to find which scopes you need.
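The scoped request above can be wrapped so that a service only ever asks for the scopes it needs, never falls back to the broad default scope, and reuses each token until shortly before it expires. This Python code is an added example, not part of the original documentation: `ALLOWED_SCOPES`, `build_token_request`, `http_fetch` and `ScopedTokenCache` are hypothetical names, the allowlist is built from the two example scopes above, and the code assumes the metadata server's JSON response carries `access_token` and `expires_in`.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = ("http://metadata.google.internal/computeMetadata/v1/"
             "instance/service-accounts/default/token")
# Assumption: this service only needs the two scopes the page uses as examples.
ALLOWED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/spreadsheets",
})


def build_token_request(scopes, allowed=ALLOWED_SCOPES):
    """Return (url, headers) for a token restricted to allowlisted scopes."""
    wanted = sorted(set(scopes))
    if not wanted:
        raise ValueError("no scopes given; refusing to fall back to the default")
    rejected = [s for s in wanted if s not in allowed]
    if rejected:
        raise ValueError(f"scopes not on the allowlist: {rejected}")
    query = urllib.parse.urlencode({"scopes": ",".join(wanted)}, safe=":/,")
    return f"{TOKEN_URL}?{query}", {"Metadata-Flavor": "Google"}


def http_fetch(url, headers):
    """Real transport; resolves only from inside the running service."""
    request = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(request, timeout=5) as response:
        return response.read()


class ScopedTokenCache:
    """Keeps one token per scope set and refetches shortly before expiry."""
    def __init__(self, fetch=http_fetch, clock=time.monotonic, skew=60):
        self._fetch, self._clock, self._skew = fetch, clock, skew
        self._tokens = {}  # request URL -> (access_token, expiry on clock)

    def token(self, scopes):
        url, headers = build_token_request(scopes)
        cached = self._tokens.get(url)
        if cached and self._clock() < cached[1] - self._skew:
            return cached[0]
        body = json.loads(self._fetch(url, headers))
        if not body.get("access_token") or "expires_in" not in body:
            raise RuntimeError("unusable token response from metadata server")
        expiry = self._clock() + int(body["expires_in"])
        self._tokens[url] = (body["access_token"], expiry)
        return body["access_token"]
```

Pass the returned token in an `Authorization: Bearer` header and keep it out of logs; the `fetch` and `clock` parameters exist so the cache can be exercised off-cluster with a stub.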

Next steps

Learn how to manage access to your services.