Accessing metadata from an instance

Before you begin

1. Install the IBM Cloud CLI and the VPC CLI plug-in. For more information, see the CLI prerequisites.

2. After the installation of the VPC CLI plug-in, set the target to generation 2 by running the ibmcloud is target --gen 2 command.

3. Make sure that you created an IBM Cloud VPC.

4. Configure a floating IP so that you can SSH into the virtual servers over the floating IP address.

General procedure to access instance metadata

Table 1 describes the steps that are involved in accessing instance metadata. The information provides the context for each step and links to specific information for completing the step. In an actual environment, steps 3 - 5 would more likely be started by your instance's initialization software at startup or by using cloud-init.

End-to-end procedure for accessing metadata from an instance

1. Log in to IBM Cloud CLI.

2. Go to an existing instance. Use the following command to locate a running instance in which to enable the metadata service. The instance must have a VPC that is associated with it.

   ibmcloud is instance {instance_id}
   

3. List security group rules so you can SSH into the virtual servers over the floating IP address:

   ibmcloud is security-group-rules {security_group_id}
   

4. SSH to get a connection into the virtual server to issue the APIs for the metadata service.

5. Log in to the virtual server. You can be running a stock image or custom image. The metadata service is supported on all stock and custom images, and CPU profiles. Now, the floating IP is assigned. The security groups are in place, and you're now working within the virtual server.

6. Make an API call to the metadata token service to retrieve an instance identity access token. Specify how long the token is valid, for example 3600 seconds (1 hour). In this example, the command is run through the jq parser to format the JSON response. You can choose the parser that you prefer.

   export instance_identity_token=`curl -X PUT "http://169.254.169.254/instance_identity/v1/token?version=2022-03-01"\
     -H "Metadata-Flavor: ibm"\
     -H "Accept: application/json"\
     -d '{
           "expires_in": 3600
         }' | jq -r '(.access_token)'`
   

   The response is the instance identity access token payload.

7. You can now make an API call to the metadata service. The first call is for the initialization information:

   curl -X GET "http://169.254.169.254/metadata/v1/instance/initialization?version=2022-03-01"\
      -H "Accept: application/json"\
      -H "Authorization: Bearer $instance_identity_token"\
      | jq -r
   

   Information in the response shows the SSH key and user data that was specified when the virtual server was provisioned. If you configured passwords, that information is also returned.

8. Access metadata about the instance, such as volume attachments, dedicated hosts, memory, vCPUs, and so on.

   curl -X GET "http://169.254.169.254/metadata/v1/instance?version=2022-03-01"\
      -H "Accept: application/json"\
      -H "Authorization: Bearer $instance_identity_token"\
      | jq -r
   

9. Continue by making calls for other metadata for the instance, SSH keys, and placement groups by issuing REST API calls within the instance. For more information, see Use the instance metadata service.

Next steps

Use the trusted profile for the instance and generate an IAM token from the instance identity access token to other IAM-enabled services. See Using a trusted profile to call IAM-enabled services.