# VM metadata

{% note info %}

You can [get](metadata/accessing-metadata.md) direct access (without authentication) to metadata through a special [metadata service](#metadata-formats) available inside the VM instance using the following URL: `http://169.254.169.254`. Compute Cloud within a VM instance is available to all VM instances, regardless of their network settings and internet access.

{% endnote %}

_VM instance_ metadata is metadata (additional data) about your [VM instance](vm.md).

The VM instance metadata service stores metadata in folders as `key-value` pairs. 

You can use metadata to do the following:
* Enable the [cloud-init](https://cloudinit.readthedocs.io/en/latest/index.html) process when creating a VM instance.
* Provide the required information in the `user-data` key to services or applications you run on the VM instance after it is created.
* Get data from inside the VM instance for authentication in Yandex Cloud.

Your VM instance ID, Cloud Marketplace [image](image.md) ID, and a number of other metadata values form a unique [identity document](metadata/identity-document.md) for that VM instance.

## VM instance metadata service parameters {#metadata-formats}

In Yandex Cloud, you can access VM instance metadata in [Google Compute Engine](https://en.wikipedia.org/wiki/Google_Compute_Engine) format (not all fields are supported). This is the most secure and recommended format for working with metadata of a VM instance. You must use the `Metadata-Flavor:Google` HTTP header when [accessing](metadata/accessing-metadata.md) the metadata service.

Compute Cloud VMs support the following VM metadata service settings:

* `gce-http-endpoint`: Provides access to metadata using the Google Compute Engine format. It can be either `enabled` or `disabled`. If set to `disabled`, the metadata request will fail with error `400` (`BadRequest`). The default value is `enabled`.
* `gce-http-token`: Enables using Google Compute Engine metadata to get the [IAM token](../../iam/concepts/users/service-accounts.md) for the service account connected to the VM. It can be either `enabled` or `disabled`. If set to `disabled`, the token request will fail with error `400` (`BadRequest`). The default value is `enabled`.

You can get the current VM instance metadata service parameters together with the [VM information](metadata/accessing-metadata.md#external-access) using the [CLI](../../cli/cli-ref/compute/cli-ref/instance/get.md) and [API](../api-ref/Instance/get.md).

You can configure the metadata service when [creating](../operations/index.md#vm-create) or [updating](../operations/vm-control/vm-update.md) VMs. For more information on how to configure the metadata service, see [this guide](../operations/vm-metadata/setup-metadata-service.md).

## Use cases {#examples}

* [Secure password transmission to an initialization script](../tutorials/secure-password-script/index.md)
* [Secure storage of GitLab CI passwords as Yandex Lockbox secrets](../../tutorials/security/gitlab-lockbox-integration.md)

#### See also {#see-also}

* [Metadata folders](metadata/directories.md)
* [Keys processed in public images Yandex Cloud](metadata/public-image-keys.md)
* [Transferring metadata to VM instances](metadata/sending-metadata.md)
* [Access to VM instance metadata](metadata/accessing-metadata.md)
* [Identity document](metadata/identity-document.md)
* [Instance template](instance-groups/instance-template.md)