Using Instance Metadata Service (IMDS) access tokens on Azure
Set up the .auto.tfvars config:
cp config/template.tfvars .auto.tfvars
Create the infrastructure:
terraform init
terraform apply -auto-approve
The VM is created with a system-assigned managed identity, and a role assignment grants that identity access to the storage account.
To use IMDS, log into the VM over SSH and query it from there: the 169.254.169.254 endpoint is link-local and only reachable from inside the VM.
💡 Check the documentation for all endpoints and options.
curl -s -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2023-07-01" | jq
Now acquire a token for the storage account through the managed identity with curl:
curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://stimdscxv891xsdf1d.blob.core.windows.net/' -H Metadata:true -s
Microsoft Entra ID issues the token. The response is JSON with access_token, expires_on, resource and token_type fields; take the access_token value and send it as a bearer token on the storage request.
Call the blob API such as with a Get Blob operation:
curl -X GET -H 'Authorization: Bearer <access_token>' \
-H "x-ms-date: Fri, 22 Dec 2023 16:10:00 GMT" \
-H "x-ms-version: 2023-11-03" \
'https://stimdscxv891xsdf1d.blob.core.windows.net/content/test.txt'
If the storage call fails with an audience or authorization error, decode the token (for example at https://jwt.ms/) and check that its aud claim matches the resource you requested. Remember that the access token is a live credential until it expires, so be careful where you paste it.
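The whole procedure above, scripted, as an added example that is not part of the original page or its Terraform project: the script requests a token from IMDS, decodes the JWT payload locally to check the aud claim (so a live token never has to be pasted into a web decoder), and then performs the Get Blob call. The storage account, container and blob names are the placeholders from the page; the "run" argument and the JWT used in the test are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original page: fetch a managed-identity
# token from Azure IMDS on the VM, check its audience locally, then call
# Get Blob. STORAGE_ACCOUNT, container and blob names are the placeholders
# from the page; any JWT used to exercise the helpers offline is constructed.
set -eu

IMDS_TOKEN_URL="http://169.254.169.254/metadata/identity/oauth2/token"
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-stimdscxv891xsdf1d}"
RESOURCE="https://${STORAGE_ACCOUNT}.blob.core.windows.net/"

# Extract a top-level string field from JSON on stdin (jq when present,
# a plain sed fallback otherwise).
json_str() {
  if command -v jq >/dev/null 2>&1; then
    jq -r --arg k "$1" '.[$k]'
  else
    sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"
  fi
}

# Decode one base64url segment; JWT segments drop the '=' padding.
b64url_decode() {
  s=$(printf '%s' "$1" | tr -- '-_' '+/')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Print the claims of a header.payload.signature JWT. The signature is not
# verified: the token arrived over the link-local IMDS channel, and this is
# a debugging aid for the audience, not a trust decision.
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Succeed only if the token's aud claim matches the requested resource,
# ignoring a trailing slash, which Entra ID may normalise away.
check_audience() {
  aud=$(jwt_payload "$1" | json_str aud)
  [ -n "$aud" ] && [ "${aud%/}" = "${2%/}" ]
}

# Ask IMDS for a token scoped to RESOURCE; prints the bare access_token.
get_token() {
  curl -sf -H 'Metadata:true' --noproxy '*' -G \
    --data-urlencode 'api-version=2018-02-01' \
    --data-urlencode "resource=${RESOURCE}" \
    "$IMDS_TOKEN_URL" | json_str access_token
}

# Get Blob with the bearer token; x-ms-version is required for OAuth auth.
get_blob() {
  curl -sf -H "Authorization: Bearer $1" \
    -H 'x-ms-version: 2023-11-03' \
    "https://${STORAGE_ACCOUNT}.blob.core.windows.net/$2/$3"
}

# Network steps only run when invoked as `sh imds_blob.sh run` on the VM.
if [ "${1:-}" = "run" ]; then
  token=$(get_token)
  check_audience "$token" "$RESOURCE" || { echo "audience mismatch" >&2; exit 1; }
  get_blob "$token" content test.txt
fi
```

Run it on the VM as sh imds_blob.sh run; without the argument it only defines the helpers, so the audience check can be exercised against a constructed token without touching IMDS. An audience mismatch is the usual cause of a 401 from the blob endpoint when the resource parameter was wrong.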