systemd-imdsd@.service, systemd-imdsd, systemd-imdsd.socket, systemd-imdsd-early-network.service — Cloud IMDS (Instance Metadata Service) client
systemd-imdsd@.service
systemd-imdsd.socket
systemd-imdsd-early-network.service
/usr/lib/systemd/systemd-imdsd
systemd-imdsd@.service is a system service that provides local access to IMDS (Instance Metadata Service; or equivalent) functionality, as provided by many public clouds.
The service provides a Varlink IPC interface via
/run/systemd/io.systemd.InstanceMetadata to query IMDS fields.
systemd-imdsd-early-network.service is a system service that generates a
systemd-networkd.service(8)
compatible
systemd.network(5) file
for configuring the early-boot network in order to be able to contact the IMDS endpoint.
The systemd-imds(1) tool may be used to query information from this service.
The IMDS endpoint is typically determined automatically via hwdb(7) records, but can also be configured explicitly via the kernel command line, via the following options:
systemd.imds.network=¶Takes one of "off", "locked",
"unlocked". Controls whether and how to set up networking for IMDS endpoint
access. Unless set to "off" early boot networking is enabled, ensuring that the
IMDS endpoint can be reached. If set to "locked" (the default) direct access to
the IMDS endpoint by regular unprivileged processes is disabled via a "prohibit" route, so that any
access must be done through systemd-imdsd@.service or its associated tools. If
set to "unlocked" this "prohibit" route is not created, and regular unprivileged
processes can directly contact IMDS.
systemd.imds.vendor=¶A short string identifying the cloud vendor.
Example:
systemd.imds.vendor=foobarcloud
systemd.imds.token_url=¶If a bearer token must be acquired to talk to the IMDS service, this is the URL to acquire it from.
systemd.imds.refresh_header_name=¶Takes a HTTP header field name (excluding the ":") that declares the header
field for passing the TTL value (in seconds) to the HTTP server when acquiring a token. Only
applies if systemd.imds.token_url= is set too.
systemd.imds.data_url=¶Takes the base URL to acquire the IMDS data from (the IMDS "endpoint"). All data fields are
acquired from below this URL. This URL should typically not end in "/".
The data URLs are concatenated from this base URL, the IMDS "key" and the suffix configured
via systemd.imds.data_url_suffix= below. Well-known IMDS "keys" can be
configured via the systemd.imds.key=* options below.
Example:
systemd.imds.data_url=http://169.254.169.254/metadata
systemd.imds.data_url_suffix=¶If specified, this field is appended to the end of the data URL (after appending the IMDS "key" to the data base URL), see above.
Example:
systemd.imds.data_url_suffix=?api-version=2025-04-07&format=text
systemd.imds.token_header_name=¶Takes a HTTP header field name (excluding the ":") that declares the header
field to pass the bearer token acquired from the token URL (see above) in. Only applies if
systemd.imds.token_url= is set too.
systemd.imds.extra_header=¶Takes a full HTTP header expression (both field name and value, separated by a colon
":") to pass to the HTTP server when requesting data. May be used multiple times
to set multiple headers.
Example:
systemd.imds.extra_header=Metadata:true
systemd.imds.address_ipv4=¶Configures the IPv4 address the IMDS endpoint is contacted on. This should typically be the
IP address also configured via systemd.imds.data_url= (if IPv4 is used) and is
used to set up IP routing.
Example:
systemd.imds.address_ipv4=169.254.169.254
systemd.imds.address_ipv6=¶Configures the IPv6 address the IMDS endpoint is contacted on. This should typically be the
IP address also configured via systemd.imds.data_url= (if IPv6 is used) and is
used to set up IP routing.
systemd.imds.key.hostname=, systemd.imds.key.region=, systemd.imds.key.zone=, systemd.imds.key.ipv4_public=, systemd.imds.key.ipv6_public=, systemd.imds.key.ssh_key=, systemd.imds.key.userdata=, systemd.imds.key.userdata_base=, systemd.imds.key.userdata_base64=¶Configures strings to concatenate to the data base URL (see above) to acquire data for
various "well-known" fields. These strings must begin with a "/". They should
return the relevant data in plain text.
A special case are the three "userdata" keys: the option
systemd.imds.key.userdata_base= should be used if the IMDS service knows a
concept of multiple userdata fields, and a field identifier thus still needs to be appended to the
userdata base URL. The option systemd.imds.key.userdata= should be used if only
a single userdata field is supported. The option systemd.imds.key.userdata_base64=
should be used in the same case, but only if the userdata field is encoded in Base64.
Example:
systemd.imds.key.hostname=/instance/compute/osProfile/computerName
systemd-imdsd@.service supports the service credentials logic as implemented by
ImportCredential=/LoadCredential=/SetCredential=
(see systemd.exec(5) for
details). The following credentials are used when passed in:
imds.vendor, imds.vendor_token, imds.refresh_header_name, imds.data_url, imds.data_url_suffix, imds.token_header_name, imds.extra_header, imds.extra_header2, imds.extra_header3, imds.extra_header…, imds.address_ipv4, imds.address_ipv6, imds.key_hostname, imds.key_region, imds.key_zone, imds.key_ipv4_public, imds.key_ipv6_public, imds.key_ssh_key, imds.key_userdata, imds.key_userdata_base, imds.key_userdata_base64¶The various IMDS endpoint parameters. The semantics are very close to those configurable via kernel command line, see above for the matching list.