@BrandonE
Created June 6, 2022 20:34
Extract the IAM credentials from the Instance Metadata Service (IMDS) for AWS, Azure, or GCP. Uses one dependency (https://github.com/axios/axios). Related to content from SANS SEC510: Public Cloud Security: AWS, Azure, and GCP - http://sec510.com
const axios = require('axios')

// AWS (IMDSv2): obtain a session token with a PUT request, then use it to read
// the attached role name and that role's temporary credentials.
const printAwsCredentials = async () => {
  try {
    const token = await axios({
      method: 'PUT',
      url: 'http://169.254.169.254/latest/api/token',
      headers: {
        'X-aws-ec2-metadata-token-ttl-seconds': 5
      }
    })
    const iamRole = await axios({
      url: 'http://169.254.169.254/latest/meta-data/iam/security-credentials',
      headers: {
        'X-aws-ec2-metadata-token': token.data
      }
    })
    const credentials = await axios({
      url: `http://169.254.169.254/latest/meta-data/iam/security-credentials/${iamRole.data}`,
      headers: {
        'X-aws-ec2-metadata-token': token.data
      }
    })
    console.log(credentials.data)
  } catch (err) {
    console.error('AWS credentials could not be retrieved')
  }
}

// Azure: request a managed identity access token for the given resource.
// The "Metadata: true" header is required by the service.
const printAzureCredentials = async resource => {
  try {
    const token = await axios({
      // Encode the resource so it is passed as a single query parameter value
      url: `http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=${encodeURIComponent(resource)}`,
      headers: {
        Metadata: true
      }
    })
    console.log(token.data)
  } catch (err) {
    console.error('Azure token could not be retrieved')
  }
}

// GCP: request an access token for the instance's default service account.
// The "Metadata-Flavor: Google" header is required by the service.
const printGcpCredentials = async () => {
  try {
    const token = await axios({
      url: 'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token',
      headers: {
        'Metadata-Flavor': 'Google'
      }
    })
    console.log(token.data)
  } catch (err) {
    console.error('GCP token could not be retrieved')
  }
}

// Try all three providers; the two that do not match the host print an error.
printAwsCredentials()
printAzureCredentials('https://storage.azure.com')
printGcpCredentials()
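
A detection-side counterpart to the script above, added here as an example and not part of the original gist: it classifies outbound HTTP request records by which of the gist's credential endpoints they hit. The `{ method, url }` record shape, the `kind` labels and the sample log are assumptions constructed for illustration.

```javascript
// Added example: flag outbound HTTP requests that ask a cloud metadata
// service for credentials. The record shape ({ method, url }) is an assumption.
const METADATA_HOSTS = new Set(['169.254.169.254', 'metadata.google.internal'])

// Path rules taken from the endpoints the gist calls.
const RULES = [
  { provider: 'aws', kind: 'imdsv2-session-token', method: 'PUT',
    path: /^\/latest\/api\/token\/?$/ },
  { provider: 'aws', kind: 'role-credentials', method: 'GET',
    path: /^\/latest\/meta-data\/iam\/security-credentials(\/.*)?$/ },
  { provider: 'azure', kind: 'managed-identity-token', method: 'GET',
    path: /^\/metadata\/identity\/oauth2\/token\/?$/ },
  { provider: 'gcp', kind: 'service-account-token', method: 'GET',
    path: /^\/computeMetadata\/v1\/instance\/service-accounts\/[^/]+\/token\/?$/ }
]

function classifyMetadataRequest ({ method = 'GET', url }) {
  let parsed
  try {
    parsed = new URL(url)
  } catch (err) {
    return null // not a parseable absolute URL
  }
  // Compare on the parsed hostname (lowercased and normalised by the URL
  // parser), not on the raw string from the log.
  const host = parsed.hostname.replace(/\.$/, '')
  if (!METADATA_HOSTS.has(host)) return null
  const rule = RULES.find(r =>
    r.method === method.toUpperCase() && r.path.test(parsed.pathname))
  return rule
    ? { provider: rule.provider, kind: rule.kind }
    : { provider: 'unknown', kind: 'other-metadata-request' }
}

// Constructed sample records, e.g. from an egress proxy or an HTTP client hook.
const sampleLog = [
  { method: 'PUT', url: 'http://169.254.169.254/latest/api/token' },
  { method: 'GET', url: 'http://169.254.169.254/latest/meta-data/iam/security-credentials' },
  { method: 'GET', url: 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fstorage.azure.com' },
  { method: 'GET', url: 'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token' },
  { method: 'GET', url: 'http://169.254.169.254/latest/meta-data/instance-id' },
  { method: 'GET', url: 'https://example.com/latest/api/token' }
]

const findings = sampleLog.map(classifyMetadataRequest)
console.log(findings)
```

Requests that reach a metadata host but match no credential rule are still reported as `other-metadata-request`, so an alerting pipeline can treat them at a lower severity than token or credential reads.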