Contact UsGet started

Getting VM metadata

Written by
Updated at May 5, 2025

The metadata service allows you to read metadata from both outside and inside VM instances.

Accessing metadata from outside the VM instance

This method provides access to all metadata folders as well as some keys in them:

In Compute Cloud, the Virtual machines page gives a list of VMs in the folder and brief information on each of them.

For more information about a VM, click the row with its name.

Here is a description of the available tabs:

  • Overview shows general information about the VM, including the IP addresses assigned to it.
  • Disks gives information about the disks attached to the VM.
  • File storages provides information about the connected file storages.
  • Operations lists operations on the VM and its resources, such as disks.
  • Monitoring shows information about VM resource consumption. You can only get this info from the management console or from within the VM.
  • Serial console provides access to the serial console if enabled when creating the VM.
  • Serial port provides information that the VM outputs to the serial port. To get this information via the API or CLI, follow Getting the serial port output.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. See the description of the command for getting the serial port output:

    yc compute instance get --help

  2. Select a VM, e.g., first-instance:

    yc compute instance list

    Result:

    +----------------------+-----------------+---------------+---------+----------------------+
|          ID          |       NAME      |    ZONE ID    | STATUS  |     DESCRIPTION      |
+----------------------+-----------------+---------------+---------+----------------------+
| fhm0b28lgfp4******** | first-instance  | ru-central1-a | RUNNING | my first vm via CLI  |
| fhm9gk85nj7g******** | second-instance | ru-central1-a | RUNNING | my second vm via CLI |
+----------------------+-----------------+---------------+---------+----------------------+

  3. Get basic information about the VM:

    yc compute instance get first-instance

    To get VM information with metadata, use the --full flag:

    yc compute instance get --full first-instance

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or mirror website.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

  1. In the Terraform configuration file, define the parameters of the resources you want to create:

    data "yandex_compute_instance" "my_instance" {
  instance_id = "<VM_ID>"
}

output "instance_external_ip" {
  value = "${data.yandex_compute_instance.my_instance.network_interface.0.nat_ip_address}"
}

    Where:

    • data "yandex_compute_instance": Description of the data source to get VM information from:
      • instance_id: VM ID.
    • output "instance_external_ip": Public IP address of the VM to return in the output:
      • value: Returned value.

    For more information about the yandex_compute_instance data source parameters, see the relevant provider documentation.

  2. Create the resources:

    1. In the terminal, change to the folder where you edited the configuration file.

    2. Make sure the configuration file is correct using the command:

      terraform validate

      If the configuration is correct, the following message is returned:

      Success! The configuration is valid.

    3. Run the command:

      terraform plan

      The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

    4. Apply the configuration changes:

      terraform apply

    5. Confirm the changes: type yes in the terminal and press Enter.

    Terraform will create all the required resources and display the output variable values in the terminal. To check the results, run this command:

    terraform output instance_external_ip

    Result:

    instance_external_ip = "158.160.50.228"

To get basic information about a VM, use the get REST API method for the Instance resource or the InstanceService/Get gRPC API call.

The basic information does not include any custom metadata provided when creating or updating the VM. To get the information along with the metadata, specify view=FULL in the parameters.

Accessing metadata from inside the VM instance

You can directly access the VM metadata from within the VM. This method provides access to all the metadata folders as well as all the keys inside them.

You can get direct access (without authentication) to metadata from inside the VM through a special metadata service. The metadata service inside the VM instance is available at http://169.254.169.254.

All authenticated VM users can access the metadata service without any restrictions. You cannot restrict an individual VM user's access to metadata.

You can test the metadata service using cURL by first connecting to the VM via the ssh protocol:

curl \
  --header Metadata-Flavor:Google \
  169.254.169.254

The metadata service will respond with a list of available metadata versions, for example:

1.0
2007-01-19
2007-03-01
...
2023-02-15
2023-05-10
latest

We recommend always using the latest metadata version.

HTTP request

GET http://169.254.169.254/computeMetadata/v1/instance/
  ? alt=<json|text>
  & recursive=<true|false>
  & wait_for_change=<true|false>
  & last_etag=<string>
  & timeout_sec=<int>
Metadata-Flavor: Google

Where:

  • alt: Response format. The default value is text.
  • recursive: If true, it returns all values in the tree recursively. The default value is false.
  • wait_for_change: If true, this response will be returned only when one of the metadata parameters is modified. The default value is false.
  • last_etag: ETag from the previous response to a similar request. Use if wait_for_change="true".
  • timeout_sec: Maximum request timeout. Use if wait_for_change="true".

In response, the service will return the current values ​​of the computeMetadata folder metadata keys.

Request examples

Getting an FQDN

To get the full name of the VM (FQDN) from the computeMetadata folder, connect to the VM and send the following request:

curl \
  --header Metadata-Flavor:Google \
  169.254.169.254/computeMetadata/v1/instance/hostname

Getting VM metadata in an easy-to-read format

To get metadata in an easy-to-read format, connect to the VM and send the following request using the jq utility:

  curl \
    --header Metadata-Flavor:Google \
    169.254.169.254/computeMetadata/v1/instance/?recursive=true | \
    jq -r '.'

Getting an identity document

To get an identity document from the computeMetadata folder, connect to the VM and send the following request:

curl \
  --header Metadata-Flavor:Google \
  169.254.169.254/computeMetadata/v1/instance/vendor/identity/document

Getting data from the user-data folder

To get the metadata from the user-data folder, connect to the VM and send the following request:

curl \
  --header Metadata-Flavor:Google \
  169.254.169.254/latest/user-data

The metadata service will return the response in YAML format:

#cloud-config
datasource:
 Ec2:
  strict_id: false
ssh_pwauth: no
users:
- name: admin
  sudo: ALL=(ALL) NOPASSWD:ALL
  shell: /bin/bash
  ssh_authorized_keys:
  - ssh-ed25519 AAAAC3Nza******l0pTWGO

If you want to get only a particular key (e.g., user name) in the output, use the yq tool.

curl \
  --silent \
  --fail \
  --header Metadata-Flavor:Google \
  169.254.169.254/latest/user-data | \
  yq .users[].name

Getting an IAM token for a service account

When sending Yandex Cloud API requests, you need an IAM token issued for the service account. You can obtain such an IAM token using the metadata service from within your VM. To do this, a service account must be linked to the VM.

To get the IAM token from the computeMetadata folder, connect to the VM and send the following request:

curl \
  --silent \
  --fail \
  --header Metadata-Flavor:Google \
  169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token | \
  jq -r .access_token

Getting data from the user-data folder from outside the VM

To get metadata from outside a VM, use the Yandex Cloud CLI tool:

yc compute instance get my-vm --full --jq .metadata

The metadata service will return the response in JSON format:

{
  "install-unified-agent": "0",
  "serial-port-enable": "0",
  "ssh-keys": "admin:ssh-ed25519 AAAAC3N******l0pTWGO admin@my.domain\n",
  "user-data": "#cloud-config\ndatasource:\n Ec2:\n  strict_id: false\nssh_pwauth: no\nusers:\n- name: admin\n  sudo: ALL=(ALL) NOPASSWD:ALL\n  shell: /bin/bash\n  ssh_authorized_keys:\n  - ssh-ed25519 AAAAC3N******l0pTWGO"
}

For more information on how to get the values of variables and Yandex Lockbox secrets provided through metadata, see Creating a VM with metadata from environment variables and Creating a VM instance with access to a Yandex Lockbox secret.

Previous
Configuring metadata service parameters
Next
Getting a VM instance identity document