Webhook URL: http://169.254.169.254/metadata/identity/oauth2/token

This article explores the mechanics, use cases, and security implications of the Azure Instance Metadata Service (IMDS) endpoint used to acquire OAuth2 access tokens, specifically in the URL form that turns up in webhook configurations: http://169.254.169.254/metadata/identity/oauth2/token

What the endpoint returns

The path /metadata/identity/oauth2/token is unique to Microsoft Azure's Instance Metadata Service, which is reachable only from inside a VM at the link-local address 169.254.169.254. When a virtual machine or container requests this endpoint, the Azure infrastructure returns an OAuth 2.0 access token for the managed identity assigned to that machine. The request must carry the header Metadata: true and an api-version query parameter, and names the intended audience in the resource parameter (for example https://management.azure.com/ for Azure Resource Manager). The response is a JSON document containing access_token, expires_on, resource, token_type and client_id. IMDS therefore exposes highly sensitive data about the cloud environment: anything that can make an HTTP request from the VM can obtain a token, and that token is accepted wherever the identity has been granted a role.

Legitimate use cases

A monitoring agent on the VM calls this endpoint to authenticate against Azure Monitor or Log Analytics. Application code makes the same call, usually through an Azure SDK credential class, to reach services such as Key Vault or Storage without embedding secrets.

In Kubernetes (AKS), using Pod Identity or Workload Identity, you must ensure that only authorized pods can call this endpoint, to prevent token theft between containers. Without the legacy Pod Identity component intercepting IMDS traffic, every pod on a node can read the node's own identity token; with Workload Identity, pods obtain tokens by federating a projected service account token and do not need IMDS at all, so pod egress to 169.254.169.254/32 can be denied with a NetworkPolicy.

Set up alerts for:

How the Attack Works: Server-Side Request Forgery (SSRF)

A webhook URL of http://169.254.169.254/metadata/identity/oauth2/token is a Server-Side Request Forgery (SSRF) attack pattern targeting Azure IMDS. The application lets a user supply a URL that the server will call (a webhook, a callback, a "fetch this URL" feature); the attacker supplies the IMDS token URL instead of an external address, and the server, running inside the VM, fetches it and relays the response, or writes it somewhere the attacker can read.

The attacker can then use the stolen OAuth token to authenticate directly to the Azure Resource Manager API, assuming the exact identity of the compromised application server with every role that managed identity holds. Two caveats matter in practice: IMDS rejects requests that lack the Metadata: true header and requests that carry an X-Forwarded-For header, so SSRF vectors that cannot control headers fail against the token endpoint; webhook implementations that forward user-configurable headers, follow redirects, or proxy the full response body are the exposed ones, and the fix is to refuse link-local, loopback and private destinations after DNS resolution rather than to rely on the header check.
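To make the attack and the fix concrete, here is an added example (not code from the original page): the request an attacker needs the vulnerable server to make on their behalf, including the mandatory Metadata header, beside a webhook-URL validator that resolves the host and refuses link-local, loopback and private destinations. The hostnames and addresses used for illustration (hooks.example.com, 203.0.113.10) are constructed; the resolver is injectable so the check can be exercised offline.

```python
"""Azure IMDS SSRF: attacker request shape and a destination validator.

Added example, not part of the original article. Hostnames and addresses
used in the demonstration are constructed (hooks.example.com, 203.0.113.10).
"""
import ipaddress
import socket
from urllib.parse import urlencode, urlsplit

IMDS_IP = "169.254.169.254"
IMDS_TOKEN_PATH = "/metadata/identity/oauth2/token"


def build_imds_token_request(resource="https://management.azure.com/",
                             api_version="2018-02-01"):
    """Return the request the attacker needs the server to issue.

    This is the documented IMDS token call: GET to the link-local address,
    api-version and resource in the query string, and the mandatory
    'Metadata: true' header. An SSRF vector that cannot set that header fails
    here; one that forwards user-configurable headers succeeds.
    """
    query = urlencode({"api-version": api_version, "resource": resource})
    return {
        "method": "GET",
        "url": f"http://{IMDS_IP}{IMDS_TOKEN_PATH}?{query}",
        "headers": {"Metadata": "true"},
    }


# Ranges a server-side fetch of a user-supplied URL must never reach.
_BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),  # link-local, includes IMDS
    ipaddress.ip_network("127.0.0.0/8"),     # loopback
    ipaddress.ip_network("0.0.0.0/8"),       # "this" network, resolves locally
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),   # shared address space
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),        # IPv6 unique local
    ipaddress.ip_network("fe80::/10"),       # IPv6 link-local
]


def default_resolver(host):
    """All addresses (v4 and v6) the system resolver returns for host."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return [info[4][0] for info in infos]


def _address_is_blocked(addr_text):
    addr = ipaddress.ip_address(addr_text)
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 is still IMDS
    return any(addr in net for net in _BLOCKED_NETWORKS)


def is_safe_webhook_url(url, resolver=default_resolver):
    """True only if url is http(s) and every address its host maps to is public.

    Resolution happens here, so the caller should connect to one of the
    resolved addresses (pin it) instead of re-resolving at send time;
    otherwise a rebinding DNS name can pass this check and later point at IMDS.
    Redirect targets must be re-checked with this same function.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal v4/v6
    except ValueError:
        try:  # decimal/hex/short dotted forms such as 2852039166 (inet_aton)
            addresses = [socket.inet_ntoa(socket.inet_aton(host))]
        except OSError:
            addresses = resolver(host)
    if not addresses:
        return False  # unresolvable: fail closed
    return not any(_address_is_blocked(a) for a in addresses)


if __name__ == "__main__":
    req = build_imds_token_request()
    print("attacker-supplied webhook:", req["url"], req["headers"])
    print("accepted?", is_safe_webhook_url(req["url"]))
    print("accepted?", is_safe_webhook_url(
        "https://hooks.example.com/x", resolver=lambda h: ["203.0.113.10"]))
```

The validator fails closed on unresolvable names and on any multi-answer DNS response that includes a blocked address, because an attacker-controlled zone can mix a public A record with 169.254.169.254.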
