The URL http://169.254.169.254/latest/api/token is the first step of an IMDSv2 query. Here is how the command looks and functions in a Linux terminal:
curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"
This command fetches a token with a TTL (time to live) of 6 hours (21600 seconds), which can then be used to access other metadata securely.
The primary motivation for IMDSv2 was the mitigation of Server-Side Request Forgery (SSRF).
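The token flow described above, written out as shell functions around curl, together with a check that the instance rejects tokenless requests. This is an added example, not code from the original page; the function names and the IMDS_BASE override are illustrative assumptions.

```bash
#!/usr/bin/env bash
# Added example; function names and the IMDS_BASE override are illustrative.
IMDS_BASE="${IMDS_BASE:-http://169.254.169.254}"

# Step 1: PUT for a session token. The TTL header is mandatory (1..21600 s).
imds_token() {
  local ttl="${1:-21600}"
  case "$ttl" in
    ''|*[!0-9]*) echo "ttl must be an integer" >&2; return 2 ;;
  esac
  if [ "$ttl" -lt 1 ] || [ "$ttl" -gt 21600 ]; then
    echo "ttl must be between 1 and 21600 seconds" >&2
    return 2
  fi
  # -f turns an HTTP error status into a non-zero exit code.
  curl -sf --max-time 2 -X PUT "$IMDS_BASE/latest/api/token" \
    -H "X-aws-ec2-metadata-token-ttl-seconds: $ttl"
}

# Step 2: GET a path under /latest/meta-data/ with the token header.
imds_get() {
  local path="$1" token="$2"
  curl -sf --max-time 2 "$IMDS_BASE/latest/meta-data/$path" \
    -H "X-aws-ec2-metadata-token: $token"
}

# Both steps with a short-lived token (default 60 s).
imds_query() {
  local token
  token=$(imds_token "${2:-60}") || {
    echo "token request failed" >&2
    return 1
  }
  imds_get "$1" "$token"
}

# Hardening check: succeeds only if a tokenless (IMDSv1-style) GET is
# rejected with 401, i.e. the instance requires IMDSv2 tokens.
imds_v1_disabled() {
  local code
  code=$(curl -s -o /dev/null --max-time 2 -w '%{http_code}' \
    "$IMDS_BASE/latest/meta-data/")
  [ "$code" = "401" ]
}
```

On an EC2 instance, source the file and run `imds_query instance-id`; `imds_v1_disabled` returns non-zero if the instance still answers requests that carry no token.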
Once you have obtained your token, you can query a wide variety of data that is highly useful for bootstrapping and application awareness. Some of the most commonly requested paths include: http://169.254.169
As a developer, system administrator, or simply a tech enthusiast, you've likely encountered the curl command at some point in your journey. curl is a powerful tool used for transferring data to and from a web server using HTTP, HTTPS, SCP, SFTP, TFTP, and more. One of its many applications is interacting with specific URLs to retrieve or send data. A particularly interesting URL that often comes up in discussions about cloud computing, especially with AWS, is http://169.254.169.254/latest/api/token. This article aims to demystify the use of curl with such URLs, focusing on what they are, how they work, and their practical applications.
The api/token endpoint acts as the gatekeeper for instance metadata.
While convenient, this simple request-response architecture became a primary target for attackers exploiting vulnerabilities. If a web application running on an EC2 instance had an SSRF flaw, an external attacker could trick the application into fetching the metadata, including IAM secret keys, and returning it to the attacker.

IMDSv2: The Session-Oriented Model
curl http://169.254.169.254/latest/api/token