Updated on 2025-08-12 GMT+08:00

Configuring Instance Metadata Options

Scenarios

You can configure instance metadata options to control the metadata behavior of an instance.

Constraints

This function is only available in the LA-Sao Paulo1 region. To use it, submit a service ticket from the upper right corner of the management console to apply for access.

Instance Metadata Options

You can configure instance metadata options when purchasing an ECS or at its runtime.

Instance metadata can be accessed using two methods, as described in Table 1.

Table 1 Instance metadata access

Interaction

  • V1 (Traditional): Request/Response. One message is returned upon each interaction.
  • V2 (Hardening): Session. You need to apply for dynamic temporary credentials for authentication and then access the corresponding API.

Authentication

  • V1 (Traditional): N/A
  • V2 (Hardening): Instance metadata access requires credentials.
      • Validity period: Access will be denied after credentials expire. You can specify the validity period when applying for credentials. The validity period is from 1 minute to 360 minutes. The default period is 360 minutes.
      • Instance verification: Credentials cannot be used for access across instances.
      • Proxy denied: If the request for obtaining credentials contains the x-forwarded-for field, the access is denied.

Security

  • V1 (Traditional): Attackers can exploit application vulnerabilities in the OS to launch server-side request forgery (SSRF) attacks. This may cause instance metadata leakage.
  • V2 (Hardening): Metadata access requires valid credentials. This blocks the request path of attacks that use a vulnerable application as a jump server, thereby intercepting most SSRF attacks.

    For security purposes, you can restrict the instance metadata version to V2 (hardening) only. After you enforce the use of V2 (hardening), access using the V1 (traditional) method will be denied to prevent most SSRF risks.

Accessing Metadata from an ECS (Example)

You can access metadata of both Windows and Linux ECSs.

  • V1 (traditional), Linux:
    curl -X GET http://169.254.169.254/openstack/latest/meta_data.json
  • V1 (traditional), Windows:
    Invoke-RestMethod -Method GET -Uri http://169.254.169.254/openstack/latest/meta_data.json
  • V2 (hardening), Linux:
    # Obtain the metadata access credentials. You are advised to set X-Metadata-Token-Ttl-Seconds to 21600 (6 hours).
    TOKEN=`curl -X PUT http://169.254.169.254/meta-data/latest/api/token -H "X-Metadata-Token-Ttl-Seconds:21600"`
    # Access the instance metadata.
    curl -X GET http://169.254.169.254/openstack/latest/meta_data.json -H "X-Metadata-Token:$TOKEN"
  • V2 (hardening), Windows:
    # Obtain the metadata access credentials and set a validity period. Do not include the header X-Forwarded-For.
    $token = Invoke-RestMethod -Headers @{"X-Metadata-Token-Ttl-Seconds" = "21600"} -Method PUT -Uri http://169.254.169.254/meta-data/latest/api/token
    # Access the instance metadata.
    Invoke-RestMethod -Headers @{"X-Metadata-Token" = $token} -Method GET -Uri http://169.254.169.254/openstack/latest/meta_data.json

Configuring Metadata (When Purchasing an ECS)

  1. Log in to the management console and access the Buy ECS page.

    Set the required parameters to purchase an ECS. For details, see Purchasing an ECS in Custom Config Mode.

  2. In Advanced Settings, set Metadata Access to Enable.
  3. Set Metadata Version to Only V2 (Token).
    Figure 1 Selecting a metadata version
  4. Confirm the settings and click Submit.

Configuring Metadata (At ECS Runtime)

  1. Log in to the management console.
  2. In the upper left corner, select a region and project.
  3. Choose Compute > Elastic Cloud Server.
  4. In the ECS list, click the target ECS to go to the ECS details page.
  5. Locate the Metadata Version row and click the edit icon.
    Figure 2 Clicking the edit icon
  6. Select a metadata version and click OK.
    Figure 3 Modifying the metadata version

    After the modification is complete, the new metadata version is displayed on the ECS details page.
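
To confirm from inside a Linux ECS that Only V2 is actually in effect, the following check can be run after the change. It is an added example, not part of the original documentation: it reuses the URLs and header names shown above and assumes that a denied request is answered with a non-2xx HTTP status; the function names are hypothetical.

```shell
# Added example (not vendor code): run on the ECS to confirm only V2 (token) access works.
# URLs and header names are the ones shown on this page. Assumption: a denied
# request is answered with a non-2xx HTTP status (000 means no reply at all).
MD=http://169.254.169.254
DOC="$MD/openstack/latest/meta_data.json"
TOKEN_URL="$MD/meta-data/latest/api/token"

# probe CURL_ARGS... -> prints only the HTTP status code of the request
probe() { curl -s -o /dev/null -m 3 -w '%{http_code}' "$@"; }

# fetch_token TTL_SECONDS -> prints a fresh token (short TTL: it is used once)
fetch_token() { curl -s -m 3 -X PUT "$TOKEN_URL" -H "X-Metadata-Token-Ttl-Seconds:$1"; }

is_2xx() { case $1 in 2??) return 0 ;; *) return 1 ;; esac; }

# audit_imds -> one finding per line; returns 0 only if all three checks pass
audit_imds() {
  rc=0
  # 1. V1 style: no token. Must be denied once V2 is enforced.
  if is_2xx "$(probe -X GET "$DOC")"; then
    echo "FAIL: metadata served without a token (V1 still enabled)"; rc=1
  else
    echo "ok: request without a token denied"
  fi
  # 2. Token request carrying X-Forwarded-For, as a forwarding proxy would add.
  #    192.0.2.1 is a constructed documentation address.
  if is_2xx "$(probe -X PUT "$TOKEN_URL" -H "X-Metadata-Token-Ttl-Seconds:60" \
                     -H "X-Forwarded-For:192.0.2.1")"; then
    echo "FAIL: token issued to a request with X-Forwarded-For"; rc=1
  else
    echo "ok: proxied token request denied"
  fi
  # 3. V2 style: token obtained directly, then presented. Must succeed.
  token=$(fetch_token 60)
  if is_2xx "$(probe -X GET "$DOC" -H "X-Metadata-Token:$token")"; then
    echo "ok: request with a token served"
  else
    echo "FAIL: request with a valid token denied"; rc=1
  fi
  return "$rc"
}

# Only touch the network when asked to: sh imds_audit.sh run
if [ "${1:-}" = run ]; then audit_imds; fi
```

A non-zero exit status means at least one check failed, so the script can be used as a gate in image or configuration validation.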