Comments
mo...@google.com <mo...@google.com> #2
I have one question related to the Google Translate API, but it is not related to this issue.
When I am trying to access the Google Translate API using JavaScript and the query string size is around 13000 characters, I am getting server response error code 400. Can you please let me know what the request size limit is, if any exists?
Description
Please describe your requested enhancement. Good feature requests will solve common problems or enable new use cases.
What you would like to accomplish:
I want to be able to prevent requests to the GCP metadata server so that node scripts cannot expose internal access. If the configuration setting is enabled, all requests to any `
How this might work:
A configuration setting is exposed for each cloud function that toggles whether the metadata server is accessible from the runtime. This could be granular per-endpoint or all-or-nothing. At an infrastructural level, the setting is checked and if enabled, all requests to the metadata server are terminated with an error.
If applicable, reasons why alternative solutions are not sufficient:
A possible workaround is to sanitize the input to the cloud function to prevent these requests. This becomes difficult if source code is passed as an input when invoking the cloud function because there are unlimited possibilities for constructing these requests.
This seems like a security vulnerability if these GCP tokens were accessed by an unintended audience.
Other information (workarounds you have tried, documentation consulted, etc):
Steps to test:
1. Deploy a basic cloud function using the Node runtime
2. Use axios (or preferred HTTP client) to configure a call to request the default token from the metadata server
3. Observe response that includes the access token => New functionality should return with error
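The input-sanitization workaround mentioned above, sketched as an added example (not code from this issue or from GCP): a destination check for URLs a function is asked to fetch. The names `checkEgress` and `mappedIPv4` are hypothetical, and the sketch assumes the caller supplies a URL rather than source code; it does not cover redirects, other hostnames that resolve to the same address, or code running inside the function, which is the case the request is about.

```javascript
// Added example, not GCP or project code: a destination check a function can
// apply to URLs it is asked to fetch. It does not constrain code that runs
// inside the function itself.
const METADATA_HOSTS = new Set(['metadata.google.internal', '169.254.169.254']);

// The WHATWG URL parser serialises an IPv4-mapped IPv6 literal as
// "[::ffff:a9fe:a9fe]"; convert it back to dotted-quad form for comparison.
function mappedIPv4(hostname) {
  const m = /^\[::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})\]$/.exec(hostname);
  if (!m) return null;
  const hi = parseInt(m[1], 16);
  const lo = parseInt(m[2], 16);
  return [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff].join('.');
}

// Returns { allowed, reason } for an outbound URL supplied by a caller.
function checkEgress(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { allowed: false, reason: 'unparseable URL' }; // fail closed
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { allowed: false, reason: 'unsupported scheme' };
  }
  // new URL() has already lower-cased the host and normalised decimal, hex
  // and octal IPv4 spellings; strip a trailing root dot before comparing.
  const bare = url.hostname.replace(/\.$/, '');
  const host = mappedIPv4(bare) ?? bare;
  if (METADATA_HOSTS.has(host)) {
    return { allowed: false, reason: 'metadata server' };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed sample inputs.
for (const u of [
  'https://example.com/data.json',
  'http://metadata.google.internal/',
  'http://169.254.169.254/',
]) {
  console.log(u, checkEgress(u));
}
```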