Last updated: April 29, 2026
The metadata endpoint at 169.254.169.254 is the most important IP address in cloud computing. It serves credentials, user-data, instance identity, and configuration to workloads. It’s reachable from inside the instance (intended) and sometimes from outside (unintended — SSRF). Combined, metadata endpoints turned SSRF from “inconvenience” into “cloud account compromise.”
Why this happens
Cloud instances need credentials to access other services (S3, databases, queues). Managing credentials manually is painful. Cloud providers solved it via instance metadata: instance asks “what’s my role?” — metadata endpoint responds with temporary credentials. Elegant for legitimate use.
The endpoint is at a link-local address (169.254.x.x) — reachable only from within the instance. Workload code fetches http://169.254.169.254/... to get its credentials.
The catastrophe: if the workload has SSRF, the attacker can reach the metadata endpoint through the workload. Temporary credentials for the instance’s role leak out. If the role is broad, cloud compromise follows.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.