GCP has special account types that are known as service accounts. The GCP service account provides the authorization grant to access the Google cloud APIs.
Service accounts can be granted privileges to access the Google cloud API and are attached to the DDVE instance in GCP cloud. The DDVE instance has the same privileges as the service account. Applications that are running on the DDVE instance can request the OAuth 2.0 token from the metadata server. With the OAuth 2.0 token, the applications can make authorized API calls to the Google cloud API.
To authenticate to the cloud storage, you can use OAuth 2.0 tokens only from within the DDVE instance. They are valid for one hour. The GCP metadata service automatically refreshes the tokens before they expire. With OAuth 2.0 authentication, user credentials are not required to be exchanged between the DDVE instance and the cloud storage. The OAuth 2.0 authentication method is more secure than using HMAC access and secret keys for authentication to the cloud storage. For more information on service accounts, see
https://cloud.google.com/docs/quota#requesting_higher_quota.