Does Azure container instance support Instance metadata /medata/instance

NS 40

When I try to access the Instance Metadata endpoint by execing into the container instance, I get the following error

SandboxHost-638313869729567099:/# curl -v -s -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01"
* processing: http://169.254.169.254/metadata/instance?api-version=2021-02-01
*   Trying 169.254.169.254:80...
* connect to 169.254.169.254 port 80 failed: Operation timed out
* Failed to connect to 169.254.169.254 port 80 after 130820 ms: Couldn't connect to server
* Closing connection

Does ACI container support access to /metadata/instance ?

Accepted answer

TP 97,756 Reputation points

2023-10-04T07:14:39.4933333+00:00

Hi Neha,

Based on my tests Azure Container Instances only supports getting tokens via the IMDS metadata/identity/oauth2/token endpoint. In other words, Instance isn't supported.

The other endpoint categories return 404 error if Identity is enabled for the container, if Identity is not enabled for the container then connections to IMDS will fail as in your example.

If you would like to confirm my results, navigate to your container instance -- Identity blade in the portal, turn on system-assigned managed identity, Save, wait a minute, then repeat test in your container.

Please click Accept Answer if the above was useful.

Thanks.

-TP
Please sign in to rate this answer.

1 person found this answer helpful.
NS 40 Reputation points

2023-10-04T10:57:30.73+00:00

Thanks. I have similar observations as mentioned by you while accessing the metadata instance endpoint.

NS 40 Reputation points

2023-10-04T11:13:18.12+00:00

However, I am unable to get the tokens via metadata/identity/oauth2/token .
Can you please confirm if I am missing any config here ?

curl -v 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F' -H Metadata:true -s * Trying 169.254.169.254... * TCP_NODELAY set

TP 97,756 Reputation points

2023-10-04T14:45:16.3+00:00

Hi Neha, please test as shown in screenshot below:

Command I used:

curl -v -s -H Metadata:true http://169.254.169.254/metadata/identity/oauth2/token?resource=https://management.azure.com

Output excerpt:

* Trying 169.254.169.254... * TCP_NODELAY set * Connected to 169.254.169.254 (169.254.169.254) port 80 (#0) > GET /metadata/identity/oauth2/token?resource=https://management.azure.com HTTP/1.1 > Host: 169.254.169.254 > User-Agent: curl/7.58.0 > Accept: */* > Metadata:true > < HTTP/1.1 200 OK < Content-Type: application/json < Date: Wed, 04 Oct 2023 14:39:39 GMT < Content-Length: 1672 < {"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyIsImtpZCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9.eyJhdWQiOiJodHRwczovL21hbm

TP 97,756 Reputation points

2023-10-04T15:00:56.07+00:00

@NS I added command above in text form so you can copy/paste.

NS 40 Reputation points

2023-10-05T04:49:55.5766667+00:00

Thanks TP. Do we need to enable Identity to get the access token.
I can get the access token only if identity is enabled on the container.

TP 97,756 Reputation points

2023-10-05T05:08:40.8066667+00:00

@Neha Yes, Identity has to be enabled. Without it you will get no response at all from IMDS, which further reinforces the idea that only token issuance is supported at this time.

This is what I was saying in my answer--without Identity turned on, IMDS is "dead", with it turned on, all the other endpoint categories besides Identity return 404, which means the IMDS webserver is responding, but returning 404 for the "missing" endpoints.

TP 97,756 Reputation points

2023-10-05T07:32:26.49+00:00

@NS Please click Accept Answer on my answer to close up this thread.

Thank you.

NS 40 Reputation points

2023-10-05T10:25:03.5066667+00:00

Thanks for the clarification.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

2 additional answers

vipullag-MSFT 26,316 Reputation points

2023-10-04T06:03:33.9533333+00:00
Hello Neha

Welcome to Microsoft Q&A Platform, thanks for posting your query here.

Yes, ACI container instances support access to the Instance Metadata Service (IMDS) endpoint at http://169.254.169.254/metadata/instance. The error you are seeing suggests that the container instance is unable to connect to the IMDS endpoint. This could be due to a network configuration issue or a firewall rule blocking access to the endpoint.

To troubleshoot this issue, you can try the following steps:

Check the network configuration of the container instance to ensure that it has a network interface and is connected to a network that allows outbound traffic.

Check if there are any firewall rules that are blocking access to the IMDS endpoint. You can try temporarily disabling the firewall to see if that resolves the issue.

Try accessing the IMDS endpoint from a different container instance or a virtual machine in the same network to see if the issue is specific to the container instance.

If you are still unable to access the IMDS endpoint, then i would suggest to open a Azure support for further assistance on this.

Hope this helps.
Please sign in to rate this answer.
NS 40 Reputation points

2023-10-04T10:49:09.26+00:00

Thanks for a quick response.
I have a similar observation as mentioned by TP below.
where the endpoint categories return 404 error if Identity is enabled for the container, if Identity is not enabled for the container then connections to IMDS will fail.
Am I missing some configuration ?

Dixit 5 Reputation points

2023-10-04T15:06:31.25+00:00

SandboxHost-638313869729567099:/# curl -v -s -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01" * processing: http://169.254.169.254/metadata/instance?api-version=2021-02-01 * Trying 169.254.169.254:80... * connect to 169.254.169.254 port 80 failed: Operation timed out * Failed to connect to 169.254.169.254 port 80 after 130820 ms: Couldn't connect to server * Closing connection

Vishal Bakshi 71 Reputation points

2023-11-02T14:22:52.41+00:00

I have observed that within Azure container apps, not ACI, using User managed identity it can't get tokens for Azure MYSQL Flexible server. As per this MS article https://video2.skills-academy.com/en-us/azure/mysql/single-server/how-to-connect-with-managed-identity, it is supposed to make a request to http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fossrdbms-aad.database.windows.net&client_id=" + ClientId)

The operation within the container to get the access token times out. However, if I assign the same User managed identity to a Windows virtual machine in the same vNET, then it works. Both Container app and Virtual machine are in the same vNET with same outbound IP address. No firewall whatsoever.

Does Azure container app even support getting tokens from ossrdbms-aad.database.windows.net ?
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Ohad Schneider 1 Reputation point Microsoft Employee

2024-08-19T18:58:49.68+00:00

This can happen if you add the managed identity AFTTER creating the container (rather than DURING its creation), see: https://github.com/MicrosoftDocs/azure-docs/issues/61447
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Does Azure container instance support Instance metadata /medata/instance

2 additional answers

Your answer