Here is what happened: I ran a Docker container on a Compute Engine VM instance (created through gcloud). The image had the gcloud SDK installed beforehand, and I did not mount the user's ~/.config
folder into the container, yet I found that the SDK inside the container had already been configured with the service account of the host VM. For example:
```shell
# gcloud_test is an image built with the gcloud SDK
```
Inside the container, running:
```shell
gcloud auth list
```
displayed the service account associated with the host VM instead of prompting me to log in.
It turns out this is caused by the Metadata Server that Google Cloud provides to every VM: the VM automatically has access to the metadata server API without any additional authorization, and the metadata server can only be queried programmatically from within a VM. Requests must carry the header `Metadata-Flavor: Google`, which the server uses to reject requests that were not sent on purpose (for instance a redirected browser request); it is not an authentication mechanism, so any process that can reach the endpoint from inside the VM, including a container on Docker's default bridge network, can read the instance's service account and obtain access tokens for it.
For example, to list the service accounts attached to the VM:
```shell
# The Metadata-Flavor header is mandatory; without it the server answers 403
curl -H "Metadata-Flavor:Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/
```
More metadata entries are listed in Google's metadata server documentation.
The gcloud SDK inside the container does essentially the same thing: with no credentials configured, it falls back to the metadata server, fetches the host VM's service account and uses it. The container can reach the metadata server because it shares the host's network path on the default bridge; if I disable the container's networking when creating it (for example with Docker's `--network none`), this mechanism stops working:
```shell
# disable network
```
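To make the mechanism concrete, the following is an added example (not code from the original post, and not part of the gcloud SDK) that runs offline: it stands up a constructed stand-in for the metadata server on localhost, enforcing the one rule the real server enforces (no `Metadata-Flavor: Google` header, no data), and a client that queries it the way gcloud's default-credential lookup does. The service account email, token value and `127.0.0.1` base URL are made up; the real server is only reachable at `http://metadata.google.internal/computeMetadata/v1/` from inside the VM. The final query to a closed port shows what the client sees from a container whose networking was disabled.

```python
import http.server
import json
import threading
import urllib.error
import urllib.request

# Constructed sample responses (assumption: made-up values for the demo).
FAKE_METADATA = {
    "/computeMetadata/v1/instance/service-accounts/": "default/\n",
    "/computeMetadata/v1/instance/service-accounts/default/email":
        "123456789-compute@developer.gserviceaccount.com",
    "/computeMetadata/v1/instance/service-accounts/default/token": json.dumps(
        {"access_token": "ya29.FAKE-TOKEN", "expires_in": 3599, "token_type": "Bearer"}
    ),
}


class FakeMetadataHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in metadata server: rejects requests lacking Metadata-Flavor: Google."""

    def do_GET(self):
        if self.headers.get("Metadata-Flavor") != "Google":
            self.send_response(403)
            self.end_headers()
            self.wfile.write(b"Missing Metadata-Flavor:Google header.\n")
            return
        body = FAKE_METADATA.get(self.path)
        if body is None:
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/text")
        self.end_headers()
        self.wfile.write(body.encode())

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_fake_metadata_server():
    """Start the stand-in server on a free localhost port; returns the server object."""
    server = http.server.HTTPServer(("127.0.0.1", 0), FakeMetadataHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def query_metadata(base_url, path, with_header=True):
    """GET base_url+path the way an SDK credential lookup does.
    Returns (status, body); status is None when the server is unreachable,
    which is what a container started without networking observes."""
    request = urllib.request.Request(base_url + path)
    if with_header:
        request.add_header("Metadata-Flavor", "Google")
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env vars
    try:
        with opener.open(request, timeout=2) as response:
            return response.status, response.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()
    except (urllib.error.URLError, OSError):
        return None, ""


def instance_service_account(base_url):
    """Email of the VM's default service account, or None if not obtainable."""
    status, body = query_metadata(base_url, "/computeMetadata/v1/instance/service-accounts/default/email")
    return body if status == 200 else None


def fetch_access_token(base_url):
    """OAuth2 access token for that service account (what the SDK actually uses), or None."""
    status, body = query_metadata(base_url, "/computeMetadata/v1/instance/service-accounts/default/token")
    return json.loads(body) if status == 200 else None


if __name__ == "__main__":
    server = start_fake_metadata_server()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    print("without header:", query_metadata(base, "/computeMetadata/v1/instance/service-accounts/", with_header=False))
    print("service account:", instance_service_account(base))
    print("token:", fetch_access_token(base))
    print("no network:", query_metadata("http://127.0.0.1:9", "/computeMetadata/v1/"))
    server.shutdown()
```

The token endpoint is the one that matters for security: anything that can issue that GET from inside the VM, container or not, holds a bearer token for the VM's service account until it expires, which is why limiting the scopes and roles of the instance's service account (or cutting the container's network) matters more than whether `~/.config` was mounted.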
Note also that this is a common concept across most cloud providers (AWS and Azure expose an instance metadata service in the same way), not something unique to Google.