Access instance properties and other information from within an ECS instance through the metadata service - Elastic Compute Service

ECS instance metadata refers to instance attribute information such as instance ID, VPC information, and network interface information. You can access this information from within an ECS instance through the metadata service. This access method allows you to obtain instance information without logging in to the console or calling API operations. You can configure or manage running instances or applications on instances in a more convenient and secure manner.

Instance metadata list

The metadata service allows you to obtain information such as hostname, instance type, instance name, and image ID. Expand the following table to view all metadata items.

Click to expand

Metadata	Description	Example
dns-conf/nameservers	The Domain Name System (DNS) configurations of the instance.	100.100.XX.XX
hostname	The hostname of the instance.	iZbp13znx0m0me8cquu****
instance/instance-type	The instance type.	ecs.g6e.large
instance/instance-name	The instance name.	iZbp1bfqfsvqzxhmnd5****
image-id	The ID of the image used to create the instance.	aliyun_3_x64_20G_alibase_20210425.vhd
image/market-place/product-code	The product code of the Alibaba Cloud Marketplace image.	cmjj01****
image/market-place/charge-type	The billing method of the Alibaba Cloud Marketplace image.	PrePaid
instance-id	The ID of the instance.	i-bp13znx0m0me8cquu****
mac	The media access control (MAC) address of the instance. If the instance has multiple NICs, only the MAC address of the eth0 NIC is displayed.	00:16:3e:0f:XX:XX
network-type	The network type of the instance. Only instances that reside in virtual private clouds (VPCs) support this metadata item.	vpc
network/interfaces/macs/[mac]/network-interface-id	The ID of the NIC. You must replace the [mac] parameter with the MAC address of the instance.	eni-bp1b2c0jvnj0g17b****
network/interfaces/macs/[mac]/netmask	The subnet mask of the NIC.	255.255.XX.XX
network/interfaces/macs/[mac]/vswitch-cidr-block	The IPv4 CIDR block of the vSwitch to which the NIC is connected.	192.168.XX.XX/24
network/interfaces/macs/[mac]/vpc-cidr-block	The IPv4 CIDR block of the VPC to which the NIC belongs.	192.168.XX.XX/16
network/interfaces/macs/[mac]/private-ipv4s	The private IPv4 addresses that are assigned to the NIC.	["192.168.XX.XX"]
network/interfaces/macs/[mac]/vswitch-id	The ID of the vSwitch to which the NIC belongs.	vsw-bp1ygryo03m39xhsy****
network/interfaces/macs/[mac]/vpc-id	The ID of the VPC to which the security group of the NIC belongs.	vpc-bp1e0g399hkd7c8q3****
network/interfaces/macs/[mac]/primary-ip-address	The primary private IP address of the NIC.	192.168.XX.XX
network/interfaces/macs/[mac]/gateway	The IPv4 gateway address of the NIC.	192.168.XX.XX
instance/max-netbw-egress	The maximum outbound internal bandwidth of the instance. Unit: Kbit/s.	1228800
network/interfaces/macs/[mac]/ipv4-prefixes	The private IPv4 prefix lists that are assigned to the NIC.	192.168.XX.XX/28
network/interfaces/macs/[mac]/ipv6-prefixes	The private IPv6 prefix lists that are assigned to the NIC.	2001:db8:1234:1a00:XXXX::/80
disks/	The serial number of the disk.	bp131n0q38u3a4zi****
disks/[disk-serial]/id	The ID of the disk.	d-bp131n0q38u3a4zi****
disks/[disk-serial]/name	The name of the disk.	testDiskName
private-ipv4	The private IPv4 address of the primary NIC.	192.168.XX.XX
public-ipv4	The public IPv4 address of the primary NIC.	120.55.XX.XX
eipv4	This metadata item is used to obtain the following information: The system-assigned public IPv4 address of the instance. The elastic IPv4 address that is associated with the primary NIC.	120.55.XX.XX
ntp-conf/ntp-servers	The address of the Network Time Protocol (NTP) server.	ntp1.aliyun.com
owner-account-id	The ID of the Alibaba Cloud account to which the instance belongs.	1609****
region-id	The region ID of the instance.	cn-hangzhou
zone-id	The zone ID of the instance.	cn-hangzhou-i
public-keys/[keypair-id]/openssh-key	The public key of the instance. This metadata item is available only if a public key was bound to the instance during instance creation.	ssh-rsa **3NzaC1yc2EAAAADAQABAAABAQDLNbE7pS@**.com
serial-number	The serial number of the instance.	4acd2b47-b328-4762-852f-998****
source-address	The address of the YUM or APT image repository. The package management software of a Linux instance can obtain updates from the image repository.	http://mirrors.cloud.aliyuncs.com
kms-server	The Key Management Service (KMS) server that is used by the Windows instance to activate Windows.	kms.cloud.aliyuncs.com
wsus-server/wu-server	The update server of the Windows instance.	http://update.cloud.aliyuncs.com
wsus-server/wu-status-server	The server that monitors the update status of the Windows instance.	http://update.cloud.aliyuncs.com
vpc-id	The ID of the VPC to which the instance belongs.	vpc-bp1e0g399hkd7c8q****
vpc-cidr-block	The CIDR block of the VPC to which the instance belongs.	192.168.XX.XX/16
vswitch-cidr-block	The CIDR block of the vSwitch to which the instance is connected.	192.168.XX.XX/24
vswitch-id	The ID of the vSwitch to which the instance is connected.	vsw-bp1ygryo03m39xhsy****
ram/security-credentials/[role-name]	If a RAM role is attached to the instance, `role-name` is the name of the RAM role, and the response contains the temporary security credentials that are associated with the `role-name` RAM role. The credentials expire after the time specified in the `Expiration` field. You must call the operation again to obtain new credentials.	`{ "AccessKeyId" : "**", "AccessKeySecret" : "", "Expiration" : "2024-11-08T09:44:50Z", "SecurityToken" : "**", "LastUpdated" : "2024-11-08T03:44:50Z", "Code" : "Success" }`
instance/spot/termination-time	The stop time and release time that are configured in the operating system of the preemptible instance. The time is in the yyyy-MM-ddThh:mm:ssZ format. The time is displayed in UTC.	2020-04-07T17:03:00Z
instance/virtualization-solution	The ECS virtualization solution. Virt 1.0 and Virt 2.0 are supported.	ECS Virt
instance/virtualization-solution-version	The version of the ECS virtualization solution.	2.0

Metadata access modes

There are two metadata access modes: NAT mode and security hardening mode. For information about how to access metadata, see Access instance metadata. The following table compares the two modes.

Important

We recommend that you use the security hardening mode to access instance metadata. The NAT mode authenticates requests based on IP addresses. Attackers can forge the source IP addresses in requests to bypass IP address-based authentication and launch Server-Side Request Forgery (SSRF) attacks. As a result, instance metadata may be leaked.

To access metadata in security hardening mode, make sure that the cloud-init version on the instance is 23.2.2 or later. If the version of cloud-init on an existing ECS instance is not 23.2.2, you can upgrade cloud-init to version 23.2.2 to use the security hardening mode. For information about how to check and upgrade the cloud-init version, see Install cloud-init.

Comparison of access modes

Item	NAT mode	Security hardening mode
Interaction method	Request-response	Session
Authentication method	Use source IP addresses in the same VPC for authentication	Use source IP addresses in the same VPC for authentication + Use metadata server access credentials for authentication Metadata server access credentials have the following characteristics: Short validity period: The validity period of metadata server access credentials is at most 6 hours. After the validity period ends, you must obtain new metadata server access credentials. Metadata server access credentials are tied to ECS instances. If you copy the metadata server access credentials of an ECS instance to access another ECS instance, your access is denied. Proxy access is not allowed: If the X-Forwarded-For header is included in a request, the metadata server refuses to issue metadata server access credentials.
Access method	You can use commands to access an endpoint without the need to use access credentials.	You must first obtain metadata server access credentials for authentication and then access the endpoint. This enhances the security of metadata access.
Security level	Low Requests are authenticated based on IP addresses. Attackers can forge the source IP addresses in requests to bypass IP address-based authentication and launch SSRF attacks. As a result, instance metadata may be leaked.	High Before you can access instance metadata, you must obtain valid metadata server access credentials for authentication and authorization. Metadata server access credentials are generated in ECS instances and are tied to the ECS instances. Metadata server access credentials have a validity period. Metadata server access credentials are difficult for attackers to guess or forge and help you defend against most SSRF attacks.

Access instance metadata in different modes

Security hardening mode

Linux instance

# Obtain metadata server access credentials. You must specify a validity period and cannot include the X-Forwarded-For header.
TOKEN=`curl -X PUT "http://100.100.100.200/latest/api/token" -H "X-aliyun-ecs-metadata-token-ttl-seconds:<Validity period of metadata server access credentials>"`
# Access instance metadata
curl -H "X-aliyun-ecs-metadata-token: $TOKEN" http://100.100.100.200/latest/meta-data/<metadata>

Windows instance
```
# Obtain metadata server access credentials. You must specify a validity period and cannot include the X-Forwarded-For header.
$token = Invoke-RestMethod -Headers @{"X-aliyun-ecs-metadata-token-ttl-seconds" = "<Validity period of metadata server access credentials>"} -Method PUT -Uri http://100.100.100.200/latest/api/token
# Access instance metadata
Invoke-RestMethod -Headers @{"X-aliyun-ecs-metadata-token" = $token} -Method GET -Uri http://100.100.100.200/latest/meta-data/<metadata>
```
You must replace the following fields in the preceding code based on your actual situation:
- <Validity period of metadata server access credentials>: The access credentials are used for authentication to enhance data security. Valid values: 1 to 21600. Unit: seconds.
  - You can repeatedly run the preceding command to access the metadata items of the instance within the validity period of the metadata server access credentials. After the validity period ends, re-obtain the metadata server access credentials. If you do not re-obtain the metadata server access credentials, you cannot access the metadata of the instance.
  - Metadata server access credentials are tied to ECS instances. If you copy the metadata server access credentials of an ECS instance to access another ECS instance, your access is denied.
- <metadata>: Replace this field with the specific metadata item that you want to query. For more information, see Instance metadata list.

NAT mode

Linux instance

curl http://100.100.100.200/latest/meta-data/<metadata>

Windows instance (PowerShell)

Invoke-RestMethod http://100.100.100.200/latest/meta-data/<metadata>

<metadata>: Replace this field with the specific metadata item that you want to query. For more information, see Instance metadata list.

Note

If an ECS instance frequently accesses the metadata server to obtain metadata, throttling may occur. We recommend that you cache data (such as RAM credentials) and refresh the data before it expires.

Configure the security hardening mode as the only mode to access instance metadata

To enhance security, Alibaba Cloud allows you to configure the security hardening mode as the only mode to access instance metadata. After you configure this setting, requests that use the NAT mode to access instance metadata are rejected. This helps you defend against most SSRF-related risks that may arise from the NAT mode. The following sections describe how to configure this setting in different scenarios.

Important

If you use the credentials tool to obtain temporary identity credentials of the RAM role attached to an ECS instance, switching to the security hardening mode may affect your business. To prevent impacts on your business, you must upgrade the credentials tool. For information about the versions of the credentials tool that support the security hardening mode, see Obtain temporary access credentials by using the credentials tool.

Configure the security hardening mode as the only mode when you create an ECS instance

Use the ECS console

On the instance purchase page, expand the Advanced Options section and set the metadata access mode to Security hardening mode only.

Note

You can select Security Hardening Mode Only on the instance purchase page only if the image that you use supports the security hardening mode to access metadata.

If you cannot select Security hardening mode only when you create an instance in the console, you can create the instance first, upgrade the cloud-init version to 23.2.2 or later, and then configure the security hardening mode as the only mode for the existing instance.

Some of the latest public images released by Alibaba Cloud support the security hardening mode (the cloud-init version in these images is 23.2.2 or later). You can call the DescribeImages operation to view the ImdsSupport property of an image. If the ImdsSupport property is v2, the image supports the security hardening mode to access metadata.

Use the API

When you call the RunInstances or CreateInstance operation to create an instance, set the HttpTokens parameter to required. This indicates that the metadata access mode of the instance is Security Hardening Mode Only.

Note

The instance can be started only if the image that you use supports the security hardening mode to access metadata.

If the instance fails to start, you can set the HttpTokens parameter to optional to start the instance, upgrade the cloud-init version to 23.2.2 or later, and then configure the security hardening mode as the only mode for the instance.

Some of the latest public images released by Alibaba Cloud now support access through security hardening mode (meaning the cloud-init version included in the image meets or exceeds version 23.2.2). You can view the image ImdsSupport property through DescribeImages - Query image resources. When the image ImdsSupport property is v2, it indicates that the image supports accessing metadata in security hardening mode.

Configure the security hardening mode as the only mode for an existing instance

For ECS instances on which business is already deployed, configuring the security hardening mode as the only mode causes requests that use the NAT mode to access metadata to be rejected. We recommend that you modify your application code to use the security hardening mode, make sure that the ECS instance does not use the NAT mode, and then configure the security hardening mode as the only mode for the instance.

Step 1: Modify your application code to use the security hardening mode

Identify the instances for which you need to modify the code to use the security hardening mode.
- Method 1: On the CloudMonitor console Cloud Resources > > Cloud Service Monitoring page, search for ECS Metadata. Identify the ECS instances for which the Monitoring Chart shows that Number Of Successful NAT Mode Accesses is greater than 0. This indicates that applications on these instances use the NAT mode to access the metadata service. These instances need to be switched to the security hardening mode. To ensure data accuracy, we recommend that you set the time range to 14 days or longer.
- Method 2: Use the ACS-ECS-ImdsPacketAnalyzer tool to identify the processes on an instance that use the NAT mode to access instance metadata.
  This tool is available only for Linux operating systems because the Cloud Assistant Agent is preinstalled on Linux instances when the instances are created. The Cloud Assistant Agent provides the ACS-ECS-ImdsPacketAnalyzer plug-in by default. However, operating system restrictions apply.
  Operating systems supported by the ACS-ECS-ImdsPacketAnalyzer tool and how to use the tool
  Deploying the ACS-ECS-ImdsPacketAnalyzer plug-in on an instance may affect the performance of the instance.
  The ACS-ECS-ImdsPacketAnalyzer plug-in supports the following operating systems:
  - Alibaba Cloud Linux 3
  - Anolis OS 8
  - CentOS Stream 8/9
  - CentOS 8
  - Ubuntu: 20/24
  - Debian:10,11,12
  - Fedora 35+
  - AlmaLinux 8/9
  - Rocky Linux 8/9
  - Red Hat Enterprise Linux 8/9
  - For Red Hat, you must download and install the RPM package of the Cloud Assistant Agent. For more information, see Install the Cloud Assistant Agent.
  - SUSE 15.1/15.2/15.3/15.4/15.5/15.6
  - OpenSuse 15.2/15.3/15.4/15.5/15.6
  Procedure:
  1. Connect to the ECS instance. For more information, see Overview of connection methods.
  2. Run the following command to check whether the Cloud Assistant Agent is installed on the instance and whether the ACS-ECS-ImdsPacketAnalyzer plug-in is provided:
    sudo acs-plugin-manager --list
  3. Run the following command to deploy the imds_tracer_tool service:
    sudo acs-plugin-manager --exec --plugin ACS-ECS-ImdsPacketAnalyzer
    A command output similar to the following one indicates that the NVMe module is configured:
  4. View the deployment status of the imds_tracer_tool service.
    sudo systemctl status imds_tracer_tool
  5. Run the following command to output all applications that use the NAT mode to access instance metadata to the terminal:
    cat /var/log/imds/imds-trace.* | grep WARNING
Make sure that the cloud-init version on the identified instances is 23.2.2 or later. If the version of cloud-init on an existing ECS instance is not 23.2.2, you can upgrade cloud-init to version 23.2.2 to use the security hardening mode. For information about how to check and upgrade the cloud-init version, see Install cloud-init.
Modify your application code to first obtain metadata server access credentials and then include the credentials in the request header to obtain metadata. For more information, see Access instance metadata in security hardening mode.
Make sure that your code does not use the NAT mode.
On the CloudMonitor console ECS Metadata page, check whether Monitoring Chart shows Number Of Successful NAT Mode Accesses as No Data (which indicates that the number is 0) for the ECS instances for which you want to switch the access mode. If yes, you can proceed to Step 2. Otherwise, configuring the security hardening mode as the only mode may cause NAT mode accesses to be rejected, which may affect your business. To ensure data accuracy, we recommend that you set the time range to 14 days or longer.

Step 2: Configure the security hardening mode as the only mode for the instance

Use the ECS console

Go to the ECS console - Instances.
In the top navigation bar, select the region and resource group of the resource that you want to manage.
Find the target instance, go to the instance details page, click All Operations, and search for Modify Instance Metadata Access Information.
Turn on the Enable Instance Metadata Access Channel switch and set Instance Metadata Access Mode to Security Hardening Mode Only.

Use the API

You can call the DescribeInstances operation to query the HttpTokens parameter (whether to use the security hardening mode to access instance metadata). You can set this parameter to optional to filter out instances whose applications still use the NAT mode to access metadata.

You can call the ModifyInstanceMetadataOptions operation to modify the metadata access mode of an instance. Set the HttpTokens parameter to required (security hardening mode only).

To prevent impacts on your business that may be caused by NAT mode access failures after you configure the security hardening mode as the only mode, you can configure alerts in the CloudMonitor console to notify you when NAT mode accesses are rejected. If NAT mode accesses are rejected after you configure the security hardening mode as the only mode, you must first switch the instance back to support both the NAT mode and the security hardening mode, make sure that the ECS instance does not use the NAT mode, and then reconfigure the security hardening mode as the only mode.

FAQ

What do I do if I cannot access instance metadata in security hardening mode?

Check whether the command that you use is correct. The following errors may occur in the command:

The validity period of the metadata server access credentials is out of the valid range (1 second to 21600 seconds).
```
curl -X PUT "http://100.100.100.200/latest/api/token" -H "X-aliyun-ecs-metadata-token-ttl-seconds: 21700"
```

The X-Forwarded-For header is included in the request.

curl -X PUT "http://100.100.100.200/latest/api/token" -H "X-Forwarded-For: www.ba****.com"

The specified metadata server access credentials are invalid.

curl -H "X-aliyun-ecs-metadata-token: aaa" -v http://100.100.100.200/latest/meta-data/