Azure Instance Metadata Service (IMDS).

 


Intro

 


Documentation

 


Tips and Tidbits

  • Azure resources that support managed identities expose an internal IMDS endpoint that the client can use to request an access token.

  • http://169.254.169.254/metadata/identity/oauth2/token - the managed identities for Azure resources endpoint for the Instance Metadata Service.

  • How to leverage a Service Fabric application's managed identity to access Azure services

    • https://localhost:2377/metadata/identity/oauth2/token - the managed identity endpoint for Service Fabric applications, provided via the IDENTITY_ENDPOINT environment variable.

 

 


Programming

// Namespaces used by the snippet (JavaScriptSerializer is in System.Web.Extensions, .NET Framework)
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Web.Script.Serialization;

// Build request to acquire managed identities for Azure resources token
HttpWebRequest request = (HttpWebRequest)WebRequest.Create("http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/");
request.Headers["Metadata"] = "true";
request.Method = "GET";

try
{
    // Call /token endpoint
    HttpWebResponse response = (HttpWebResponse)request.GetResponse();

    // Pipe response Stream to a StreamReader, and extract access token
    StreamReader streamResponse = new StreamReader(response.GetResponseStream());
    string stringResponse = streamResponse.ReadToEnd();
    JavaScriptSerializer j = new JavaScriptSerializer();
    Dictionary<string, string> list = (Dictionary<string, string>) j.Deserialize(stringResponse, typeof(Dictionary<string, string>));
    string accessToken = list["access_token"];
}
catch (Exception e)
{
    // The original try block had no handler; report the failure without echoing any response body
    Console.Error.WriteLine("Acquire token failed: " + e.Message);
}

 

GET 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' HTTP/1.1
Metadata: true

// Json.NET alternative for deserializing the response body (payload)
JsonConvert.DeserializeObject<Dictionary<string,string>>(payload);
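The snippets above take access_token from the response without looking at anything else in it. As an added example (not code from the original page or from Microsoft's sample), this sketch builds the same request and checks the documented token_type, resource and expires_on response fields before handing the token to callers. It assumes .NET 6 or later; the ImdsToken class, its method names and the sample response body are constructed for illustration.

```csharp
using System;
using System.Net.Http;
using System.Text.Json;

// Added example, not the page's code. Names and sample data are constructed.
static class ImdsToken
{
    const string Endpoint = "http://169.254.169.254/metadata/identity/oauth2/token";

    // Build the GET request: URL-encoded resource plus the required Metadata header.
    public static HttpRequestMessage BuildRequest(string resource)
    {
        var url = $"{Endpoint}?api-version=2018-02-01&resource={Uri.EscapeDataString(resource)}";
        var req = new HttpRequestMessage(HttpMethod.Get, url);
        req.Headers.Add("Metadata", "true");
        return req;
    }

    // Check the JSON body before the token is handed to callers.
    public static (string Token, DateTimeOffset ExpiresOn) Parse(string json, string resource, DateTimeOffset now)
    {
        using var doc = JsonDocument.Parse(json);
        var root = doc.RootElement;
        string Get(string name) =>
            root.TryGetProperty(name, out var v) && v.ValueKind == JsonValueKind.String
                ? v.GetString()!
                : throw new InvalidOperationException($"token response missing '{name}'");

        if (!string.Equals(Get("token_type"), "Bearer", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("unexpected token_type");
        if (!string.Equals(Get("resource").TrimEnd('/'), resource.TrimEnd('/'), StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("token issued for a different resource");
        var expiresOn = DateTimeOffset.FromUnixTimeSeconds(long.Parse(Get("expires_on")));
        if (expiresOn <= now)
            throw new InvalidOperationException("token already expired");
        return (Get("access_token"), expiresOn);
    }

    static void Main()
    {
        const string resource = "https://management.azure.com/";
        // Constructed response body; the access_token value is a placeholder.
        const string sample = "{\"access_token\":\"PLACEHOLDER\",\"expires_on\":\"1506484173\",\"resource\":\"https://management.azure.com/\",\"token_type\":\"Bearer\"}";
        var now = DateTimeOffset.FromUnixTimeSeconds(1506480573); // fixed clock for the sample
        var (token, expiresOn) = Parse(sample, resource, now);
        using var req = BuildRequest(resource);
        Console.WriteLine($"{req.Method} {req.RequestUri}");
        Console.WriteLine($"token length {token.Length}, expires {expiresOn:u}"); // never log the token
    }
}
```

In real use, pass DateTimeOffset.UtcNow as the clock and send the request with an HttpClient that has a short timeout, since the endpoint is only reachable from inside the Azure resource.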