View instance metadata - Elastic Compute Service - Alibaba Cloud Documentation Center

You can use the metadata of an Elastic Compute Service (ECS) instance to configure or manage the instance. For example, you can bind a key pair to an instance or change the hostname of the instance based on the instance metadata. This topic describes how to view the metadata of an instance.

Prerequisites

The instance whose metadata you want to view is in the Running state.
The instance resides in a virtual private cloud (VPC).

Modes in which to view instance metadata

By default, you can view the metadata of instances in normal mode or security hardening mode. The following table describes the differences between the normal mode and the security hardening mode.

Item	Normal mode	Security hardening mode
Interaction pattern	Request-response.	Session.
Authentication method	Use source IP addresses in the same VPC for authentication.	Use source IP addresses in the same VPC and metadata server access credentials for authentication. Metadata server access credentials have the following characteristics: Metadata server access credentials are short-lived and remain valid for up to 6 hours. When the validity period ends, the credentials expire and need to be re-obtained. Metadata server access credentials are tied to instances. If you copy the metadata server access credentials of one instance to access a different instance, your access is denied. Metadata server access credentials do not support proxy access. If a request includes the X-Forwarded-For header, the metadata server refuses to issue access credentials.
Access method	Use commands to access the endpoint.	Obtain metadata server access credentials for authentication and then use commands to access the endpoint.

Procedure

Important

If your instance or instance metadata includes sensitive data, we recommend that you take appropriate measures such as access control or data encryption to protect the sensitive data.

(Recommended) View instance metadata in security hardening mode

Obtain metadata server access credentials.
Before you can obtain instance metadata, you need to obtain metadata server access credentials and specify a validity period for the credentials to enhance data security. After the specified validity period expires, you need to re-obtain metadata server access credentials. Otherwise, you cannot obtain instance metadata. For information about the characteristics of metadata server access credentials, see the "Modes in which to view instance metadata" section of this topic.
<Validity period of the metadata server access credentials>: Valid values: 1 to 21600. Unit: seconds.
- Linux instance
```
TOKEN=`curl -X PUT "http://100.100.100.200/latest/api/token" -H "X-aliyun-ecs-metadata-token-ttl-seconds:<Validity period of the metadata server access credentials>"`
```
- Windows instance
```
$token = Invoke-RestMethod -Headers @{"X-aliyun-ecs-metadata-token-ttl-seconds" = "<Validity period of the metadata server access credentials>"} -Method PUT –Uri http://100.100.100.200/latest/api/token
```
Run one of the following commands based on the operating system of the instance to view instance metadata.
Within the validity period of the metadata server access credentials, you can repeatedly run the command to view different metadata items of the instance.
<metadata>: Replace this parameter with the metadata item that you want to view. For information about instance metadata items, see Instance metadata items.
Linux instance
- Run the following command to view a basic metadata item of the instance:
```
curl -H "X-aliyun-ecs-metadata-token: $TOKEN" http://100.100.100.200/latest/meta-data/<metadata>
```
- Run the following command to view a dynamic metadata item of the instance:
```
curl -H "X-aliyun-ecs-metadata-token: $TOKEN" http://100.100.100.200/latest/<metadata>
```
Windows instance
- Run the following command to view a basic metadata item of the instance:
```
Invoke-RestMethod -Headers @{"X-aliyun-ecs-metadata-token" = $token} -Method GET -Uri http://100.100.100.200/latest/meta-data/<metadata>
```
- Run the following command to view a dynamic metadata item of the instance:
```
Invoke-RestMethod -Headers @{"X-aliyun-ecs-metadata-token" = $token} -Method GET -Uri http://100.100.100.200/latest/<metadata>
```

View instance metadata in normal mode

<metadata>: Replace this parameter with the metadata item that you want to view. For information about instance metadata items, see Instance metadata items.

Linux instance

Run the following command to view a basic metadata item of the instance:
```
curl http://100.100.100.200/latest/meta-data/<metadata>
```
Run the following command to view a dynamic metadata item of the instance:
```
curl http://100.100.100.200/latest/<metadata>
```

Windows instance

Run the following command to view a basic metadata item of the instance:
```
Invoke-RestMethod http://100.100.100.200/latest/meta-data/<metadata>
```
Run the following command to view a dynamic metadata item of the instance:
```
Invoke-RestMethod http://100.100.100.200/latest/<metadata>
```

FAQ

Q: What do I do when I cannot run a command to view the metadata of an instance in security hardening mode?

A: Check whether the command is correct. The following errors may occur in the command:

The validity period of the metadata server access credentials is not within the range of 1 second to 21,600 seconds.
```
curl -X PUT "http://100.100.100.200/latest/api/token" -H "X-aliyun-ecs-metadata-token-ttl-seconds: 21700"
```

The request includes the X-Forwarded-For header.

curl -X PUT "http://100.100.100.200/latest/api/token" -H "X-Forwarded-For: www.ba****.com"

The specified metadata server access credentials are invalid.

curl -H "X-aliyun-ecs-metadata-token: aaa" -v http://100.100.100.200/latest/meta-data/