Workload Identity (IMDSv2-style)

Per-VM service principals at 169.254.169.254 — your app fetches short-lived JWTs without baked-in credentials.

Tutorial

1. Grant a VM a service principal

Bind a policy set to the VM via its CRN. The reconciler installs the NAT DNAT rule within seconds.

cloudnx iam principal create \
  --crn crn:cloudnx:compute:eu-west-1:12:instance/<id> \
  --policy CloudNxStorageReadOnly

2. Fetch a token from inside the VM

IMDSv2-style: PUT to mint a session token, then GET with that token as a header. Pure HTTP, no SDK required.

TOKEN=$(curl -s -X PUT 'http://169.254.169.254/latest/api/token' \
  -H 'X-cnx-metadata-token-ttl-seconds: 900')

curl -H "X-cnx-metadata-token: $TOKEN" \
  http://169.254.169.254/latest/iam/security-credentials/
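
The same two-step exchange as a Python client, added here as an example and not CloudNx code. The stub server, its 401 for a missing session token, and the sample response body are constructed assumptions so the example runs offline.

```python
import http.server, secrets, threading, urllib.request

BASE = "http://169.254.169.254"  # link-local endpoint from the tutorial
# Explicitly empty proxy map: metadata calls must never leave via an HTTP proxy.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def fetch_credentials(base=BASE, ttl=900, timeout=2):
    """Step 1: PUT mints a session token. Step 2: GET presents it as a header."""
    put = urllib.request.Request(base + "/latest/api/token", method="PUT",
                                 headers={"X-cnx-metadata-token-ttl-seconds": str(ttl)})
    with OPENER.open(put, timeout=timeout) as r:
        token = r.read().decode().strip()
    get = urllib.request.Request(base + "/latest/iam/security-credentials/",
                                 headers={"X-cnx-metadata-token": token})
    with OPENER.open(get, timeout=timeout) as r:
        return r.read().decode()

class StubMetadata(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in; assumed to reject a GET without a minted token (401)."""
    sessions = set()

    def _send(self, code, body=""):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body.encode())

    def do_PUT(self):
        if not self.headers.get("X-cnx-metadata-token-ttl-seconds"):
            return self._send(400)
        token = secrets.token_urlsafe(16)
        self.sessions.add(token)
        self._send(200, token)

    def do_GET(self):
        if self.headers.get("X-cnx-metadata-token") not in self.sessions:
            return self._send(401)
        self._send(200, "constructed-sample-response")

    def log_message(self, *args): pass  # keep output quiet

def start_stub():
    """Run the stub on a free loopback port; returns (server, base_url)."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), StubMetadata)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]

if __name__ == "__main__":
    print(fetch_credentials(start_stub()[1]))
```

Inside a VM, call fetch_credentials() with no arguments to use the real endpoint.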

Pricing

Free.

CLI

All operations have a cloudnx iam principal subcommand. Run cloudnx iam principal --help for the full surface.