Steal Secrets with Azure Instance Metadata Service? Don’t Oversight Role-based Access Control

Marcus Tee, published in Marcus Tee Anytime. Feb 16, 2021 (7 min read)


Azure Instance Metadata Service (IMDS) provides information about the currently running virtual machine, such as its OS, computer name and so on. Administrators can also get similar information directly from the Azure Portal, so IMDS is not commonly used.

IMDS, in a nutshell, is a REST API on a non-routable, link-local IP address (169.254.169.254); the endpoint is only reachable from within the VM itself. Here's a sample command to retrieve the metadata of the VM it is run on:

curl -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2020-09-01"
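As an added example (not code from the article), here is a small Python client that issues the same request as the curl command above and summarises the response. The endpoint, the mandatory Metadata:true header and the api-version come from the command above; the sample response embedded at the bottom is constructed with placeholder values so the code runs outside an Azure VM as well.

```python
"""Query Azure IMDS the way the curl command above does, and summarise the result.

Added example, not code from the article. The endpoint, header and api-version
are those used in the article's curl command; the sample response below is
constructed with placeholder values.
"""
import json
import urllib.parse
import urllib.request

IMDS_BASE = "http://169.254.169.254/metadata"
INSTANCE_API_VERSION = "2020-09-01"


def build_imds_request(path: str, params: dict) -> urllib.request.Request:
    """Build a GET to IMDS. The Metadata:true header is mandatory: IMDS rejects
    requests that lack it, which is what keeps a plain redirect-based SSRF from
    a web app on the VM from reaching the service."""
    url = f"{IMDS_BASE}/{path}?{urllib.parse.urlencode(params)}"
    return urllib.request.Request(url, headers={"Metadata": "true"})


def fetch_imds(request: urllib.request.Request, timeout: float = 2.0) -> dict:
    """Send the request directly, bypassing any configured HTTP proxy (the
    equivalent of curl's --noproxy "*"): 169.254.169.254 only answers from
    inside the VM, so a proxy would never reach it."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(request, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def summarize_instance(metadata: dict) -> dict:
    """Pull out the fields a defender typically wants when correlating an
    alert or log event back to a specific VM."""
    compute = metadata["compute"]
    return {
        "vm_id": compute["vmId"],
        "name": compute["name"],
        "resource_group": compute["resourceGroupName"],
        "subscription_id": compute["subscriptionId"],
        "location": compute["location"],
        "os_type": compute["osType"],
        "vm_size": compute["vmSize"],
    }


# Constructed sample response (sanitized placeholders), shaped like the real
# instance endpoint so the summariser can be exercised without a VM.
SAMPLE_METADATA = {
    "compute": {
        "azEnvironment": "AzurePublicCloud",
        "location": "southeastasia",
        "name": "vm-placeholder",
        "osType": "Linux",
        "resourceGroupName": "rg-placeholder",
        "subscriptionId": "00000000-0000-0000-0000-000000000000",
        "vmId": "11111111-1111-1111-1111-111111111111",
        "vmSize": "Standard_B1s",
    },
    "network": {"interface": []},
}


if __name__ == "__main__":
    req = build_imds_request("instance", {"api-version": INSTANCE_API_VERSION})
    print(req.full_url)
    try:
        print(json.dumps(summarize_instance(fetch_imds(req)), indent=2))
    except OSError:
        # Not running inside an Azure VM: fall back to the constructed sample.
        print(json.dumps(summarize_instance(SAMPLE_METADATA), indent=2))
```

Run on an Azure VM, the script prints the live summary; anywhere else the connection fails and the constructed sample is summarised instead.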

Here's the sanitized version of the response.

In a secured environment, we always advocate the principle of least privilege and minimise passwords stored in clear text. In Azure, this has led to the common pattern of storing secrets in Azure Key Vault and using managed identities for Azure VMs to do away with passwords altogether.

This is undoubtedly a best practice: we eliminate the need for a password, yet the VM can still authenticate to Azure resources through its managed identity, and we don't need to manage that identity's life cycle because it follows the life cycle of the VM. Here's the typical…
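The managed identity token that lets the VM reach Key Vault is served by the same IMDS endpoint, and the only gate is the Metadata:true header: every process on the VM, whatever local user it runs as, receives a token for the VM's identity. What that token can actually do is decided entirely by the role assignments and Key Vault permissions granted to the identity, which is why the RBAC scope matters. The following added example (not code from the article) builds the documented identity token request and decodes the claims of a returned token so an operator can confirm the audience and expiry; the identity endpoint, api-version and resource value are Microsoft's public documentation, and the token in the sample response is constructed and unsigned.

```python
"""Inspect a managed identity token obtained from IMDS.

Added example, not code from the article. The endpoint, api-version and
resource value are the documented IMDS identity endpoint; the token response
below is constructed (unsigned JWT with placeholder claims).
"""
import base64
import json
import urllib.parse
import urllib.request

IDENTITY_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
IDENTITY_API_VERSION = "2018-02-01"
KEY_VAULT_RESOURCE = "https://vault.azure.net"


def build_token_request(resource: str = KEY_VAULT_RESOURCE) -> urllib.request.Request:
    """Build the token request. There is no credential beyond the Metadata
    header, so the identity's RBAC assignments are the real access control."""
    params = {"api-version": IDENTITY_API_VERSION, "resource": resource}
    url = f"{IDENTITY_ENDPOINT}?{urllib.parse.urlencode(params)}"
    return urllib.request.Request(url, headers={"Metadata": "true"})


def decode_jwt_claims(token: str) -> dict:
    """Decode the JWT payload without verifying the signature: enough to read
    the claims locally, not enough to trust the token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def describe_token(token_response: dict, now: int) -> dict:
    """Summarise what the token is for and how long it stays valid. IMDS
    returns expires_on as a string of epoch seconds."""
    claims = decode_jwt_claims(token_response["access_token"])
    return {
        "audience": claims["aud"],
        "identity_object_id": claims.get("oid"),
        "seconds_to_expiry": int(token_response["expires_on"]) - now,
        "is_key_vault_token": claims["aud"] == KEY_VAULT_RESOURCE,
    }


def _unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped string for the constructed sample (no signature)."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


# Constructed sample response with placeholder values.
SAMPLE_EXPIRES_ON = 1613476800
SAMPLE_TOKEN_RESPONSE = {
    "access_token": _unsigned_jwt({
        "aud": KEY_VAULT_RESOURCE,
        "oid": "22222222-2222-2222-2222-222222222222",
        "exp": SAMPLE_EXPIRES_ON,
    }),
    "expires_on": str(SAMPLE_EXPIRES_ON),
    "resource": KEY_VAULT_RESOURCE,
    "token_type": "Bearer",
}


if __name__ == "__main__":
    print(build_token_request().full_url)
    print(json.dumps(describe_token(SAMPLE_TOKEN_RESPONSE, SAMPLE_EXPIRES_ON - 3600), indent=2))
```

The `oid` claim identifies the managed identity; it is the value to look up when auditing which roles and Key Vault access policies that identity holds, so that a token any process on the VM can obtain is scoped to only the secrets the workload needs.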
