Query instance properties such as IDs and IP addresses from within an ECS instance, and enforce security hardening mode to prevent SSRF attacks.
Get instance metadata
Instance metadata includes attributes such as instance ID, network configuration, and access credentials.
Method 1: Security hardening mode (recommended)
Obtain a temporary access token, then include it in your metadata request.
Linux
- Log on to the instance.
- Obtain a temporary token.
  TOKEN=$(curl -X PUT "http://100.100.100.200/latest/api/token" -H "X-aliyun-ecs-metadata-token-ttl-seconds:21600")
  The X-aliyun-ecs-metadata-token-ttl-seconds header specifies the token TTL in seconds. Valid values: 1 to 21600.
- Include the token in your request to retrieve metadata.
  curl -H "X-aliyun-ecs-metadata-token: $TOKEN" http://100.100.100.200/latest/meta-data/instance-id
  Replace instance-id with other metadata items as needed, such as mac or hostname. On success, the terminal outputs only the instance ID string, for example, i-bp1******.
Windows
- Log on to the instance.
- Obtain a temporary token.
  $token = Invoke-RestMethod -Headers @{"X-aliyun-ecs-metadata-token-ttl-seconds" = "21600"} -Method PUT -Uri http://100.100.100.200/latest/api/token
  The X-aliyun-ecs-metadata-token-ttl-seconds header specifies the token TTL in seconds. Valid values: 1 to 21600.
- Include the token in your request to retrieve metadata.
  Invoke-RestMethod -Headers @{"X-aliyun-ecs-metadata-token" = $token} -Method GET -Uri http://100.100.100.200/latest/meta-data/instance-id
  Replace instance-id with other metadata items as needed, such as mac or hostname. On success, the terminal outputs only the instance ID string, for example, i-bp1******.
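The same two-step exchange for application code running on the instance, as an added Python example (not Alibaba Cloud's or this page's own code): the client validates the TTL, requests a token with PUT, reuses it until shortly before expiry, sends it on every metadata GET, and caches stable items so it stays under the rate limit. The `transport` hook, the class and all helper names are assumptions so the flow can be exercised offline; on an instance the default urllib transport talks to 100.100.100.200.

```python
"""Security hardening mode (token-based) metadata client. Added example, not
Alibaba Cloud's code; the 'transport' hook is an assumption for offline testing."""
import time
import urllib.request
from urllib.error import HTTPError

IMDS = "http://100.100.100.200"
TOKEN_HEADER = "X-aliyun-ecs-metadata-token"
TTL_HEADER = "X-aliyun-ecs-metadata-token-ttl-seconds"
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies

def _urllib_transport(method, url, headers):
    """Return (status, body) for one request; HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with _OPENER.open(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, err.reason

class ImdsClient:
    def __init__(self, ttl=21600, transport=_urllib_transport):
        if not 1 <= ttl <= 21600:  # anything else is rejected with 400
            raise ValueError("token TTL must be between 1 and 21600 seconds")
        self.ttl, self.transport = ttl, transport
        self._token, self._expires_at, self._cache = None, 0.0, {}

    def token(self):
        """PUT /latest/api/token once; reuse the token until shortly before it expires."""
        if self._token is None or time.monotonic() > self._expires_at - 30:
            status, body = self.transport("PUT", f"{IMDS}/latest/api/token", {TTL_HEADER: str(self.ttl)})
            if status != 200:
                raise RuntimeError(f"token request failed: HTTP {status} {body}")
            self._token, self._expires_at = body.strip(), time.monotonic() + self.ttl
        return self._token

    def get(self, item, cache=True):
        """GET /latest/meta-data/<item> with the token header. Stable items (instance-id) are
        cached to stay under the rate limit; use cache=False for ram/security-credentials/<role>."""
        if cache and item in self._cache:
            return self._cache[item]
        status, body = self.transport("GET", f"{IMDS}/latest/meta-data/{item}", {TOKEN_HEADER: self.token()})
        if status == 401:  # token rejected (e.g. expired): forget it so token() fetches a new one
            self._token = None
        if status != 200:
            raise RuntimeError(f"metadata request failed: HTTP {status} {body}")
        if cache:
            self._cache[item] = body.strip()
        return body.strip()
```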
Method 2: Normal mode
Normal mode is insecure and not recommended.
- Linux:
  # Send a GET request to get the instance ID.
  curl http://100.100.100.200/latest/meta-data/instance-id
- Windows:
  # Send a GET request to get the instance ID.
  Invoke-RestMethod -Uri http://100.100.100.200/latest/meta-data/instance-id -Method Get
Enable security hardening mode only
Enable Security Hardening Mode so that metadata can only be accessed with a token. Normal mode requests return a 403 - Forbidden error. By default, ECS instances allow token-free access (normal mode), which poses a high risk of SSRF attacks.
A typical attack exploits an application feature such as downloading an image from an external URL. An attacker crafts a request that tricks the server into querying the metadata service, stealing the RAM role's temporary credentials. If the role has high-level permissions, the attacker could gain control over your cloud resources or your entire Alibaba Cloud account.
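As defence in depth for the image-download feature just described, in addition to enabling security hardening mode: an added Python example (not Alibaba Cloud's code) that vets a user-supplied URL before the server fetches it, refusing the metadata endpoint and every other non-public destination, including hosts whose DNS answers mix public and internal addresses. The `resolver` hook and the function names are assumptions.

```python
"""Defence-in-depth check for a 'fetch a file from a user-supplied URL' feature:
refuse any destination that is the metadata endpoint or otherwise non-public.
Added example, not Alibaba Cloud's code; the resolver hook is an assumption."""
import ipaddress
import socket
from urllib.parse import urlsplit

METADATA_IP = ipaddress.ip_address("100.100.100.200")  # ECS metadata endpoint


def is_public_address(addr):
    """Only globally routable unicast addresses are acceptable fetch targets."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    return ip.is_global and not ip.is_multicast and ip != METADATA_IP


def resolve_and_check(url, resolver=socket.getaddrinfo):
    """Parse url, resolve its host and return the vetted IP to connect to.

    Connect to the returned IP (sending the original Host header) rather than
    re-resolving the name, so a later DNS answer cannot swap in 100.100.100.200.
    Raises ValueError for anything that could reach internal services."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only absolute http(s) URLs are allowed")
    try:  # literal IP in the URL: vet it directly
        addrs = [str(ipaddress.ip_address(parts.hostname))]
    except ValueError:
        try:
            answers = resolver(parts.hostname, parts.port or 80)
        except OSError as err:
            raise ValueError(f"cannot resolve {parts.hostname}: {err}") from err
        addrs = sorted({ai[4][0] for ai in answers})
    bad = [a for a in addrs if not is_public_address(a)]
    if not addrs or bad:  # reject if *any* answer is internal (split or rebinding answers)
        raise ValueError(f"{parts.hostname} resolves to non-public address(es): {bad}")
    return addrs[0]
```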
Enable security hardening mode for a new instance
Console
When you create an instance, set Instance Metadata Access Mode to Security Hardening Mode.
If Security Hardening Mode is unavailable when creating an instance from a custom image, upgrade the image.
CLI
Call RunInstances or CreateInstance with HttpEndpoint=enabled and HttpTokens=required. Example:
This example creates a Linux instance in security hardening mode.
aliyun ecs RunInstances \
--region cn-hangzhou \
--RegionId 'cn-hangzhou' \
--ImageId 'aliyun_3_x64_20G_alibase_20250629.vhd' \
--InstanceType 'ecs.g7.large' \
--VSwitchId 'vsw-bp1******trg' \
--SecurityGroupId 'sg-bp1******dgl' \
--SystemDisk.Size 40 \
--SystemDisk.Category cloud_essd \
--HttpEndpoint enabled \
--HttpTokens required
API
Call RunInstances or CreateInstance with HttpEndpoint=enabled and HttpTokens=required.
Upgrade an existing instance
Applicability
- Windows instances: Security Hardening Mode is not supported. Forcing this mode causes initialization failure and breaks hostname modification and KMS activation.
- Linux instances: Supported. Complete the dependency checks and modifications in the following sections before upgrading.
Step 1: Check and upgrade code and dependencies
Before switching to Security Hardening Mode, ensure the instance and all deployed applications meet these requirements:
- Cloud-init version must be 23.2.2 or later. Run cloud-init --version to check. If the version is earlier than 23.2.2, upgrade Cloud-init first; otherwise the instance fails to start after switching.
- All application code and scripts must access instance metadata using Method 1: Security hardening mode.
  Important: If your code uses the Credentials library to obtain an STS token for SDK configuration, upgrade to a version that supports security hardening mode.
After upgrading, verify that no normal mode access remains. See How do I detect if an ECS instance is being accessed in normal mode? Then enable Security Hardening Mode for the instance.
Step 2: Enable security hardening mode
Console
- Go to the ECS console - Instances page. Select a region and a resource group.
- In the Actions column, click .
- Turn on the Enable Instance Metadata Access Channel switch, set Instance Metadata Access Mode to Security Hardening Mode, and then click OK.

CLI
Call ModifyInstanceMetadataOptions with HttpEndpoint=enabled and HttpTokens=required to enable Security Hardening Mode. Example:
aliyun ecs ModifyInstanceMetadataOptions \
--region cn-hangzhou \
--RegionId 'cn-hangzhou' \
--InstanceId 'i-bp1******ke' \
--HttpEndpoint enabled \
--HttpTokens required
API
Call ModifyInstanceMetadataOptions with HttpEndpoint=enabled and HttpTokens=required to enable Security Hardening Mode.
After switching, monitor metadata access and application status. If issues occur, revert to Normal And Security Hardening Modes to restore service, then repeat Step 1: Check and upgrade code and dependencies.
Instance metadata details
Metadata is organized in a directory-like hierarchy. Accessing a directory returns its entries or subdirectories. For example, meta-data/instance/ returns instance-name and instance-type.
| Category | Metadata | Description | Example |
| --- | --- | --- | --- |
| Basic instance information | | The instance ID. | |
| Basic instance information | | The instance name. | |
| Basic instance information | | The hostname. | |
| Basic instance information | | The instance type. | |
| Basic instance information | | The serial number. | |
| Basic instance information | | The region of the instance. | |
| Basic instance information | | The zone of the instance. | |
| Basic instance information | | The Alibaba Cloud account ID of the instance owner. | |
| Basic instance information | | The value of a specified instance tag. To enable this feature, call ModifyInstanceMetadataOptions and set | |
| Image information | | The image ID used to create the instance. | |
| Image information | | The product code of the Alibaba Cloud Marketplace image. | |
| Image information | | The billing method of the Alibaba Cloud Marketplace image. | |
| Image information | | The package manager source (such as yum or apt) used by the Linux instance for updates. | |
| Basic network configuration | | The network type. Only VPC is supported. | |
| Basic network configuration | | The VPC ID of the instance. | |
| Basic network configuration | | The CIDR block of the instance's VPC. | |
| Basic network configuration | | The vSwitch ID of the instance. | |
| Basic network configuration | | The CIDR block of the instance's vSwitch. | |
| Basic network configuration | | The maximum outbound internal bandwidth of the instance type. Unit: Kbit/s. | |
| Basic network configuration | | The DNS configuration. | |
| Basic network configuration | | The NTP server address. | |
| Primary ENI IP addresses | | The MAC address of the instance. For instances with multiple NICs, only the MAC address on eth0 is returned. | |
| Primary ENI IP addresses | | The private IPv4 address of the primary ENI. | |
| Primary ENI IP addresses | | The public IPv4 address of the primary ENI of the instance. | |
| Primary ENI IP addresses | | The static public IPv4 address or the Elastic IP Address attached to the primary ENI. | |
| Elastic network interface details | | The ENI ID. Replace [mac] with the instance's MAC address from the mac metadata item. The same applies to the following items. | |
| Elastic network interface details | | The VPC ID of the ENI. | |
| Elastic network interface details | | The vSwitch ID of the ENI. | |
| Elastic network interface details | | The primary private IP address of the ENI. | |
| Elastic network interface details | | The private IPv4 addresses assigned to the ENI. | |
| Elastic network interface details | | The private IPv4 prefixes assigned to the ENI. | |
| Elastic network interface details | | The subnet mask of the ENI. | |
| Elastic network interface details | | The IPv4 gateway of the ENI. | |
| Elastic network interface details | | The IPv4 CIDR block of the ENI's vSwitch. | |
| Elastic network interface details | | The IPv4 CIDR block of the ENI's VPC. | |
| Elastic network interface details | | The IPv6 addresses assigned to the ENI. Only for VPC-type instances with IPv6 configured. | |
| Elastic network interface details | | The IPv6 prefixes assigned to the ENI. | |
| Elastic network interface details | | The IPv6 gateway of the ENI's VPC. | |
| Elastic network interface details | | The IPv6 CIDR block of the ENI's vSwitch. Only for VPC-type instances with IPv6 configured. | |
| Elastic network interface details | | The IPv6 CIDR block of the ENI's VPC. Only for VPC-type instances with IPv6 configured. | |
| Disk information | | The disk serial number. | |
| Disk information | | The disk ID. | |
| Disk information | | The disk name. | |
| Security and credentials | | The public key, available only if one was provided at launch. | |
| Security and credentials | | The temporary security credentials of the RAM role associated with the instance. Replace [role-name] with the RAM role name. Credentials expire at the time in the Expiration field; call again to obtain new ones. | |
| Advanced instance attributes | | The ECS virtualization solution. Virt 1.0 and Virt 2.0 are supported. | |
| Advanced instance attributes | | The internal build number. | |
| Advanced instance attributes | | The scheduled stop and release time for a spot instance, in UTC+0 format yyyy-MM-ddThh:mm:ssZ. | |
| Windows-specific configuration | | The KMS activation server for Windows instances. | |
| Windows-specific configuration | | The update server for Windows instances. | |
| Windows-specific configuration | | The update status monitoring server for Windows instances. | |
FAQ
- What is an SSRF attack, and how does security hardening mode defend against it?
  SSRF is a vulnerability where an attacker tricks a server into making unauthorized network requests to access internal systems such as the metadata service or databases. For example, an attacker can submit a URL containing http://100.100.100.200/latest/meta-data/ to trick an application into fetching and returning sensitive metadata. By default, ECS instances allow token-free access (normal mode). Security hardening mode enforces token validation: the client first sends a PUT request for a temporary token, then includes it in GET requests. Because a typical SSRF vector (a URL that the server fetches with a plain GET) cannot initiate PUT requests or set the token header, it cannot obtain a token, effectively blocking unauthorized access.
- I cannot access instance metadata using commands in security hardening mode. How do I fix this?
  Common command errors, each with a command that reproduces it:
  - The TTL of the instance metadata access credential is out of range (400 - Missing or Invalid Parameters). The TTL must be 1 to 21,600 seconds. Values outside this range return 400 - Missing or Invalid Parameters.
    curl -X PUT "http://100.100.100.200/latest/api/token" -H "X-aliyun-ecs-metadata-token-ttl-seconds: 21700"
  - The request contains the X-Forwarded-For header (403 - Forbidden).
    curl -X PUT "http://100.100.100.200/latest/api/token" -H "X-Forwarded-For: www.ba****.com"
  - The specified instance metadata access credential is invalid (401 - Unauthorized).
    curl -H "X-aliyun-ecs-metadata-token: aaa" -v http://100.100.100.200/latest/meta-data/
- What do I do if my high-frequency access to the metadata service is throttled?
  The metadata service has rate limits. Retrieve rarely-changing items such as instance-id once at startup and cache them locally with a reasonable TTL.
- My application stopped working after I changed the instance metadata access mode to security hardening mode. How do I troubleshoot this issue?
  An application or script on the instance may still use normal mode. Follow Upgrade an existing instance to check and upgrade them.
- Can I access the metadata address from a local host?
  No. 100.100.100.200 is a link-local address reachable only from within an ECS instance over its virtual network interface. Requests from outside the instance cannot be routed to this address.
- What do I do if I cannot select security hardening mode when I create an instance from a custom image?
  When creating an ECS instance from a custom Linux image, you may find that Security Hardening Mode is unavailable. This means the image does not meet the requirements. Upgrade the image as follows:
  - Create a temporary instance: Use the custom image to create a temporary ECS instance.
  - Modify the temporary instance: On the temporary instance, perform the following modifications. See Upgrade an existing instance.
    - Upgrade Cloud-init: Upgrade Cloud-init to version 23.2.2 or later.
    - Modify applications and scripts: Update all applications or scripts that use normal mode to security hardening mode.
  - Create a new image and update its attributes: Create a new custom image from the instance. Then call ModifyImageAttribute to set Features.ImdsSupport to `v2`.
  - Release resources: Release the temporary instance after the new image is created.
- Which versions of the Credentials tool support security hardening mode?
  Earlier versions of Credentials do not support metadata access in security hardening mode. Switching to security hardening mode without upgrading prevents the SDK from obtaining STS tokens, causing service interruptions.
  Upgrade the Credentials dependency to a supported version before switching modes:
  - Java: credentials-java version >= 0.3.10.
  - Node.js: credentials version >= 2.3.1.
  - PHP: credentials version >= 1.2.0.
  - Python: alibabacloud_credentials version >= 0.3.6.
  - Go: credentials-go version >= 1.3.10.
- How do I detect if an ECS instance is being accessed in normal mode?
  Use the following methods to detect and locate processes that access metadata in normal mode.
  Method 1: Use CloudMonitor to check for normal mode access
  Check ECS metadata monitoring data in the CloudMonitor console to determine whether the instance has been accessed in normal mode.
  - Log on to the CloudMonitor console.
  - In the left-side navigation pane, choose . Search for and go to the ECS Metadata monitoring page.
  - View the Successful Normal Mode Accesses metric for the target instance.
  - If this metric is not 0, the instance is being accessed in normal mode. Find and upgrade the applications using normal mode.
  Method 2: Use a Cloud Assistant plugin to locate a specific process
  Use a Cloud Assistant plugin to locate processes that access metadata in normal mode.
  Supported operating systems
  - Alibaba Cloud Linux 3
  - Alibaba Cloud Linux 3 Pro
  - Anolis OS 8
  - CentOS Stream 8/9
  - CentOS 8
  - Ubuntu 20/24
  - Debian 10, 11, 12
  - Fedora 35+
  - AlmaLinux 8/9
  - Rocky Linux 8/9
  - Red Hat Enterprise Linux 8/9 (for Red Hat, download an RPM package to install Cloud Assistant Agent)
  - SUSE 15.1/15.2/15.3/15.4/15.5/15.6
  - openSUSE 15.2/15.3/15.4/15.5/15.6
  Procedure
  - Install and enable the Cloud Assistant plugin. Log on to the ECS instance and install the monitoring service. This service consumes some instance resources.
    # Deploy the monitoring service.
    sudo acs-plugin-manager --exec --plugin ACS-ECS-ImdsPacketAnalyzer
    # Check the status of the monitoring service.
    sudo systemctl status imds_tracer_tool
  - Locate the problematic process. Check which processes still access metadata in normal mode. The log shows the process IDs (PIDs).
    cat /var/log/imds/imds-trace.* | grep WARNING
  - Analyze and modify. Find the applications or scripts corresponding to the PIDs and upgrade them to security hardening mode.