In modern cloud-native environments, specifically Microsoft Azure, applications often need to communicate with other services securely without hardcoding credentials. This is achieved through the Instance Metadata Service (IMDS). It allows an application running on a VM to securely retrieve information about its environment (e.g., VM size, network configuration, public keys) without needing to authenticate with a username or password.
| Encoded | Decoded |
|---------|---------|
| http-3A-2F-2F | http:// |
| 169.254.169.254 | (unchanged) |
| -2Fmetadata-2Fidentity-2Foauth2-2Ftoken | /metadata/identity/oauth2/token |
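The table above shows a URL in which `:` and `/` have been replaced by `-3A` and `-2F`, the two-digit hex escapes of those characters. Obfuscation of this kind is exactly what a reviewer of proxy or mail-gateway logs has to undo before the destination becomes visible. The following is an added example (not code from the original page) that decodes such escapes and flags any decoded URL whose host is the metadata-service address. It assumes the encoding is always a hyphen followed by two hex digits, decodes only printable ASCII so that an ordinary hostname fragment such as `-1a` is left alone, and uses constructed log lines of the form `timestamp METHOD url`.

```python
import re
from urllib.parse import urlsplit

# Link-local address that Azure, AWS and GCP use for their Instance Metadata Service.
IMDS_HOST = "169.254.169.254"
# Azure managed-identity token endpoint path, as given on the page.
IDENTITY_TOKEN_PATH = "/metadata/identity/oauth2/token"

# Assumption: every escape is "-" followed by exactly two hex digits ("-3A" -> ":", "-2F" -> "/").
_ESCAPE = re.compile(r"-([0-9A-Fa-f]{2})")


def _unescape(match: re.Match) -> str:
    code = int(match.group(1), 16)
    # Only decode printable ASCII; leave anything else (e.g. "-1a" inside a hostname) untouched.
    return chr(code) if 0x20 <= code <= 0x7E else match.group(0)


def decode_url(encoded: str) -> str:
    """Turn an escaped URL such as 'http-3A-2F-2Fhost-2Fpath' back into 'http://host/path'."""
    return _ESCAPE.sub(_unescape, encoded)


def classify(encoded: str) -> dict:
    """Decode a URL and report whether it targets IMDS and, specifically, the identity token endpoint."""
    url = decode_url(encoded)
    parts = urlsplit(url)
    is_imds = parts.hostname == IMDS_HOST
    return {
        "decoded": url,
        "imds": is_imds,
        "identity_token": is_imds and parts.path == IDENTITY_TOKEN_PATH,
    }


# Constructed sample log lines (not real traffic): "timestamp METHOD url".
LOG_LINES = [
    "2024-01-01T00:00:00Z GET http-3A-2F-2F169.254.169.254-2Fmetadata-2Fidentity-2Foauth2-2Ftoken",
    "2024-01-01T00:00:01Z GET http-3A-2F-2Fexample.com-2Findex.html",
    "2024-01-01T00:00:02Z GET http-3A-2F-2F169.254.169.254-2Fmetadata-2Finstance",
]


def flag_imds_urls(lines: list) -> list:
    """Return (decoded_url, hits_identity_token) for every log line whose URL points at IMDS."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line; skip rather than crash on it
        result = classify(fields[2])
        if result["imds"]:
            hits.append((result["decoded"], result["identity_token"]))
    return hits


if __name__ == "__main__":
    for url, token_endpoint in flag_imds_urls(LOG_LINES):
        print(f"IMDS request: {url}  identity-token endpoint: {token_endpoint}")
```

In practice the hostname check is the useful part: an application on a VM may legitimately talk to IMDS, but a request to 169.254.169.254 that originates from user-controlled input (for example, a URL parameter fetched server-side) is the signature of an SSRF reaching the metadata service and should be reviewed.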
An application running on an Azure Virtual Machine with a System-Assigned Managed Identity can use curl to fetch a token to access Azure Key Vault:
/metadata/identity/oauth2/token is more dangerous than the older /latest/meta-data/ because:
The IP address 169.254.169.254 is a link-local address used by major cloud providers (like Azure, AWS, and GCP) to host their Instance Metadata Service (IMDS).
To the untrained eye, it looks like a standard API endpoint. To a security professional, it represents a potential vulnerability that could lead to a full cloud environment takeover.

What is 169.254.169.254?