Help Center/ Bare Metal Server/ User Guide/ Instances/ User Data and Metadata/ Configuring Instance Metadata Options
Updated on 2025-11-28 GMT+08:00
View PDF
Share

Configuring Instance Metadata Options

Scenarios

You can configure instance metadata options to control the metadata behavior of an instance.

Constraints

This function is only available in the LA-Sao Paulo1 region.

Instance Metadata Options

You can configure instance metadata options when purchasing a BMS or at its runtime.

Instance metadata can be accessed using two methods, as described in Table 1.

Table 1 Instance metadata access

Version

V1 (Traditional)

V2 (Hardening)

Interaction

Request/Response: one message returned upon each interaction

Session: You need to apply for dynamic temporary credentials for authentication and then access the corresponding API.

Authentication

N/A

Instance metadata access requires credentials.

  • Validity period: Access will be denied after credentials expire. You can specify the validity period when applying for credentials.

    The validity period is from 1 minute to 360 minutes. The default period is 360 minutes.

  • Instance verification: Credentials cannot be used for access across instances.
  • Proxy denied: If the request for obtaining credentials contains the x-forwarded-for field, the access is denied.

Security

Attackers can exploit application vulnerabilities in the OS to launch server-side request forgery (SSRF) attacks. This may cause instance metadata leakage.

Metadata access requires valid credentials to intercept the request paths of jump server attacks, thereby intercepting most SSRF attacks.

For security purposes, you can set the instance metadata version only to V2 (hardening). After you enforce the use of V2 (hardening), access using the V1 (traditional) method will be denied to prevent most SSRF risks.

Accessing Metadata from a BMS (Example)

You can access metadata of both Windows and Linux BMSs.

V1 (Traditional)

  • Linux: 
    curl -X GET http://169.254.169.254/openstack/latest/meta_data.json
  • Windows: 
    Invoke-RestMethod -Method GET -Uri http://169.254.169.254/openstack/latest/meta_data.json

V2 (Hardening)

  • Linux: 
    # Obtain the metadata access credentials. You are advised to set X-Metadata-Token-Ttl-Seconds to 21600 (6 hours).
TOKEN=`curl -X PUT http://169.254.169.254/meta-data/latest/api/token -H "X-Metadata-Token-Ttl-Seconds:21600"`
# Access the instance metadata.
curl -X GET http://169.254.169.254/openstack/latest/meta_data.json -H "X-Metadata-Token:$TOKEN"
  • Windows: 
    # Obtain the metadata access credentials and set a validity period. Do not include the header X-Forwarded-For.
$token = Invoke-RestMethod -Headers @{"X-Metadata-Token-Ttl-Seconds" = "21600"} -Method PUT -Uri http://169.254.169.254/meta-data/latest/api/token
# Access the instance metadata.
Invoke-RestMethod -Headers @{"X-Metadata-Token" = $token} -Method GET -Uri http://169.254.169.254/openstack/latest/meta_data.json

Configuring Metadata (When Purchasing a BMS)

  1. Log in to the BMS console and access the Buy BMS page.

    Set the required parameters to purchase a BMS. For details, see Creating a Common BMS.

  2. In Advanced Settings, set Metadata Access to Enable.
  3. Set Metadata Version to Only V2 (Token).
    Figure 1 Setting the metadata version
  4. Check the settings and click Next: Confirm. Complete the BMS creation.

Configuring Metadata (At BMS Runtime)

  1. Log in to the BMS console and go to the BMS list.
  2. In the BMS list, click the BMS name to go to its details page.
  3. Locate the Metadata Version row and click the edit icon.
    Figure 2 Clicking the edit icon
  4. Select a metadata version and click OK.
    Figure 3 Modifying the metadata version

    After the modification is complete, the new metadata version is displayed on the BMS details page.

Parent topic: User Data and Metadata