When you attach a service account to a virtual machine (VM) in Google Cloud, applications deployed on the VM can access the metadata server to request access tokens or ID tokens for the attached service account. By default, access to the metadata server is not limited to any specific process or user on the VM: even processes running as a low-privilege user such as nobody on Linux or LocalService on Windows have full access to the metadata server and can obtain tokens for the service account. ...
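The point above, that nothing ties a metadata-server token request to a particular local user or process, is easiest to see in code. The following is an added example, not code from the article: it shows the documented token request (the `Metadata-Flavor: Google` header and the `/computeMetadata/v1/instance/service-accounts/default/token` path are the real Compute Engine interface; the `169.254.169.254` address is the real metadata server), together with a small audit helper a defender can run as the low-privilege account a workload uses, to confirm whether that account can mint tokens. So that it runs offline, the block also starts a constructed stand-in for the metadata server on localhost; that server, its fake token value, and the helper names are assumptions of this example.

```python
"""Added example: service-account token retrieval from the GCE metadata server,
plus a defender's audit helper. The stand-in server at the bottom is constructed
so the script runs offline; point the functions at METADATA_BASE on a real VM."""
import json
import os
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Real metadata server address and documented token path.
METADATA_BASE = "http://169.254.169.254"
TOKEN_PATH = "/computeMetadata/v1/instance/service-accounts/default/token"


def fetch_access_token(base_url=METADATA_BASE, send_flavor_header=True, timeout=2.0):
    """Request an OAuth2 access token for the attached service account.

    Only the Metadata-Flavor header gates the request; there is no per-user or
    per-process check. Returns the decoded JSON dict (access_token, expires_in,
    token_type) or None if the endpoint is unreachable or refuses the request.
    """
    headers = {"Metadata-Flavor": "Google"} if send_flavor_header else {}
    req = urllib.request.Request(base_url + TOKEN_PATH, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read().decode())
    except (urllib.error.URLError, OSError, ValueError):
        return None


def audit_token_access(base_url=METADATA_BASE):
    """Defender's check: can the current OS user obtain a token?

    Run as the low-privilege account your workload should not be able to
    escalate from (e.g. nobody). token_obtainable=True means that account
    reaches the metadata server with no further authentication.
    """
    token = fetch_access_token(base_url)
    return {
        "uid": os.getuid() if hasattr(os, "getuid") else None,
        "token_obtainable": token is not None,
        "expires_in": token.get("expires_in") if token else None,
    }


# ---- constructed stand-in for the metadata server (offline demo only) ----
class _FakeMetadataHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Mirrors the real server's gate: the header is checked, the caller is not.
        if self.headers.get("Metadata-Flavor") != "Google":
            self.send_error(403, "Missing Metadata-Flavor:Google header")
            return
        if self.path != TOKEN_PATH:
            self.send_error(404)
            return
        body = json.dumps({"access_token": "ya29.CONSTRUCTED-EXAMPLE",
                           "expires_in": 3599, "token_type": "Bearer"}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_metadata_server():
    """Start the stand-in on an ephemeral localhost port; return (base_url, server)."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeMetadataHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1], srv


if __name__ == "__main__":
    url, srv = start_fake_metadata_server()
    print(audit_token_access(url))  # token_obtainable is True for any local user
    srv.shutdown()
```

On a real VM, run `audit_token_access()` under the unprivileged account in question; if it reports `token_obtainable: True`, that account can act as the attached service account. One mitigation this example suggests (an assumption here, not something the article states) is an egress firewall rule on the VM that matches on the owning uid, for instance the `-m owner --uid-owner` match in iptables, so that only the intended service user can reach 169.254.169.254.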