In IMDSv1, accessing metadata was a simple, single-step GET request. curl http://169.254.169 Use code with caution.
: Use that token in the header of subsequent metadata requests. Interesting Blog Posts to Read
This public link is valid for 7 days and shares a thread, including any personal information you added. This link or copies made by others cannot be deleted. If you share with third parties, their policies apply. Can’t copy the link right now. Try again later. curl-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fapi-2Ftoken
This article explains:
The keyword curl-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fapi-2Ftoken is more than a technical curiosity. It is a and a blue team alarm bell . In IMDSv1, accessing metadata was a simple, single-step
In the world of cloud computing and cybersecurity, few strings of text evoke as much intrigue and immediate concern as a URL-encoded reference to the link-local IP address 169.254.169.254 . When you encounter a payload like curl-url-http-3A-2F-2F169.254.169.254-2Flatest-2Fapi-2Ftoken , you are not just looking at random characters; you are looking at the digital equivalent of a skeleton key.
: Make a GET request to the desired metadata endpoint, passing the acquired token in the HTTP header. How the Token Request Works Interesting Blog Posts to Read This public link
: IMDSv2 strictly requires a PUT request to generate a token. This prevents simple SSRF attacks, as most basic SSRF vulnerabilities only allow GET requests.
In the original Instance Metadata Service (IMDSv1), an EC2 instance could fetch its metadata—including highly sensitive IAM role credentials—using a simple, stateless HTTP GET request: curl http://169.254.169 Use code with caution.
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/
The token-based approach (v2) is harder to exploit than the request-whatever-you-want approach (v1). AWS allows you to set MetadataResponseHopLimit=1 and HttpTokens=required .