Assume an AWS role for temporary cloud Discovery credentials

You can configure the MID Server to assume an AWS role that provides temporary cloud service account credentials. Using AWS-issued temporary credentials eliminates the need to store and manage permanent account credentials on your instance.

AWS offers temporary credentials for the following types of service accounts:
  • Discrete account: Standalone account, with no parent account. The is_master_account check box in the Discovery Manager is cleared (false).
  • Master account: Master account that may or may not contain member accounts (sub-accounts). The is_master_account check box in the Discovery Manager is selected (true).
  • Member account: Account that has a parent account. The is_master_account check box in the Discovery Manager is cleared (false).
Use these features to receive temporary credentials for your accounts:
  • Identity and Access Management (IAM) roles: Provides temporary credentials granted by an AWS role for the discovery of discrete accounts and master accounts. IAM roles are defined in EC2 instance profiles. MID Servers installed on an EC2 instance can use the temporary credentials available to these roles to discover cloud resources.
  • AWS Security Token Service API: Provides temporary credentials for any member account in a master account that does not have a permanent credential specified in the instance. The MID Server assumes a role that provides temporary credentials for a given member account, when discovering cloud resources in that member account. The ServiceNow instance includes a default configuration that provides credentials automatically for all member accounts that belong to an organization controlled by a master account. Advanced configuration allows you to customize the roles and other parameters that a MID Server can assume. You can use this capability to restrict access to certain member accounts, which enhances security.

AWS IAM roles in EC2 instance profiles

Amazon EC2 uses an AWS instance profile to create temporary security credentials for discovering cloud resources. These credentials are provided and managed by Identity and Access Management (IAM) roles in the profile and rotate automatically.

Delegating permissions for a MID Server

Use IAM roles for a MID Server installed on Amazon EC2 within the AWS cloud that is configured to discover cloud resources in "discrete" accounts. A "discrete" account is one that is not an organization - an account with no member accounts. This method of delegating permissions within the cloud eliminates the need to manage AWS account credentials on your instance. Discovery uses the credentials from AWS if an instance profile is configured in AWS for the EC2 instance.

The MID Server retrieves the security credentials from AWS that are provided by the role. The MID Server is then granted the permissions for the actions and resources defined for that role through those security credentials. These security credentials are temporary and rotate automatically. AWS generates new credentials at least five minutes before the expiration of the old credentials.

For instructions on configuring roles for an AWS instance profile, see Amazon Web Services documentation on IAM Roles for Amazon EC2.
Figure 1. EC2 Instance Configuration with IAM role

Configuring member accounts to use temporary credentials

To ensure that Cloud Discovery can discover member accounts with temporary credentials, configure the AWS member accounts with:
  • A role named OrganizationAccountAccessRole.
  • A trusted relationship between the OrganizationAccountAccessRole role and the AWS master account.
  • An attached policy called AdministratorAccess which allows all (*) actions on all (*) AWS resources, as in this example:
    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*"
      }
    }
Important: These procedures are intended for instances on the London or Madrid releases only. To customize these options for advanced security in the New York release and later, see Assuming member roles with an AWS API.

Configure the MID Server for AWS IAM roles

If you configure an IAM role for an AWS instance profile, configure the MID Server to retrieve the temporary security credentials from AWS that are provided by the role.

Before you begin

Role required: admin

Procedure

  1. Navigate to Discovery > MID Servers.
  2. Select a MID Server to use for AWS Cloud Discovery.
    This MID Server must be installed on an EC2 server within the AWS cloud.
  3. Open the Configuration Parameters related list.
  4. Click New.
  5. In the configuration parameter form, select mid.aws.instance_profile_name in the Parameter name field.
  6. Enter the IAM role name from the EC2 Instance Configuration record in the Value field.
  7. Click Submit.
    The new parameter is listed in the MID Server record.
    MID Server configuration parameter for IAM roles

Assuming member roles with an AWS API

The MID Server can call an AWS API and use the permanent credentials of an AWS master account (organization) to assume the role of one or more member accounts. By assuming the role, the MID Server receives temporary credentials for the member accounts generated by AWS for that role.

Assuming member account roles in a large AWS organization is more convenient and offers better security than using large numbers of permanent credentials for all member accounts. Temporary credentials are only acquired on behalf of a member account when there is no permanent credential specified for that member account in the Service Accounts [cmdb_ci_cloud_service_account] table.

The MID Server uses the AssumeRole action in the AWS Security Token Service API to assume a member account role. Parameters passed to this API determine what additional security restrictions are applied to the role when it accesses AWS resources.

Default member role configuration

By default, the MID Server is configured to assume the OrganizationAccountAccessRole, which grants temporary credentials to all the members of a master account. This action occurs automatically if no permanent credentials exist for the member accounts. This configuration does not apply any additional security or restrict access to any resources in member accounts.

Advanced member role configuration

You can improve security by defining additional roles that a MID Server can assume. These roles can have access to certain member accounts and determine the actions that Discovery is allowed to take on the resources in those accounts.

Create records in the Cloud Management AWS Org Assume Role Parameters module that specify the roles and restrictions that apply. Records in the Cloud Service Account AWS Org Assume Role Params [cloud_service_account_aws_org_assume_role_params] table pass their parameters to the AWS Security Token Service API, which then provides the appropriate credentials and permissions to the MID Server.

How Discovery determines which credentials to use

Cloud Discovery uses the following logic to determine which credentials to use to discover AWS cloud resources in member accounts:
  1. If permanent credentials are defined for the member account in the Cloud Service Account [cmdb_ci_cloud_service_account] table, Discovery uses those credentials.
  2. If no permanent credentials are defined for the member account, Discovery checks the Cloud Service Account AWS Org Assume Role Params [cloud_service_account_aws_org_assume_role_params] table for any special parameters associated with the member account. If parameters exist in that table, Discovery uses the temporary credentials acquired from specifying a role and its parameters in the AWS Security Token Service API AssumeRole action.
  3. If no special parameters are associated with the member account in the [cloud_service_account_aws_org_assume_role_params] table, Discovery checks that table for parameters associated with the master account. If parameters exist that define a role for the master account, Discovery uses the temporary credentials provided by that role.
  4. If no special parameters are present in the [cloud_service_account_aws_org_assume_role_params] table for either master or member accounts, Discovery uses the defaults defined for the OrganizationAccountAccessRole role.
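As an added example (not ServiceNow's or AWS's own code) that covers both the AssumeRole parameters mentioned above and the four-step precedence just listed, the following Python models the lookup over constructed in-memory stand-ins for the two tables. The field names, the role name DiscoveryReadOnly, the external ID, the session policy and the account IDs are assumptions made for the example. ExternalId, Policy and DurationSeconds are standard sts:AssumeRole request parameters, which is how additional restrictions are applied to the temporary session.

```python
# Added example (not ServiceNow code): models the four-step credential
# precedence for a member account and shows how the chosen parameter record
# becomes an sts:AssumeRole request. The two dataclasses are constructed
# stand-ins for cmdb_ci_cloud_service_account and
# cloud_service_account_aws_org_assume_role_params; their field names are
# assumptions, not the platform schema.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFAULT_ROLE_NAME = "OrganizationAccountAccessRole"


@dataclass
class ServiceAccount:
    account_id: str
    is_master_account: bool = False
    parent_account_id: Optional[str] = None
    credential_id: Optional[str] = None     # set when a permanent credential is stored


@dataclass
class AssumeRoleParams:
    account_id: str                         # member or master account the record applies to
    role_name: str
    external_id: Optional[str] = None       # sts:AssumeRole ExternalId
    session_policy: Optional[str] = None    # sts:AssumeRole Policy (inline JSON) narrowing the session
    duration_seconds: int = 3600            # sts:AssumeRole DurationSeconds


def build_assume_role_request(member_account_id: str, params: AssumeRoleParams) -> dict:
    """Translate a parameter record into keyword arguments for sts:AssumeRole."""
    request = {
        "RoleArn": f"arn:aws:iam::{member_account_id}:role/{params.role_name}",
        "RoleSessionName": f"cloud-discovery-{member_account_id}",
        "DurationSeconds": params.duration_seconds,
    }
    if params.external_id:
        request["ExternalId"] = params.external_id
    if params.session_policy:
        request["Policy"] = params.session_policy
    return request


def resolve_credentials(member: ServiceAccount,
                        params_table: List[AssumeRoleParams]) -> Tuple[str, object]:
    """Return ("permanent", credential_id) or ("assume_role", request_kwargs)."""
    # Step 1: a permanent credential on the member account always wins.
    if member.credential_id:
        return ("permanent", member.credential_id)
    by_account: Dict[str, AssumeRoleParams] = {p.account_id: p for p in params_table}
    # Step 2: a parameter record tied to the member account itself.
    params = by_account.get(member.account_id)
    # Step 3: otherwise a record tied to the member's master account.
    if params is None and member.parent_account_id is not None:
        params = by_account.get(member.parent_account_id)
    # Step 4: otherwise the default role with no extra restrictions.
    if params is None:
        params = AssumeRoleParams(member.account_id, DEFAULT_ROLE_NAME)
    return ("assume_role", build_assume_role_request(member.account_id, params))


# Constructed sample data: one master account with three members plus one
# member whose master has no parameter record.
MASTER_ID = "111111111111"
READ_ONLY_POLICY = ('{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
                    '"Action":["ec2:Describe*","s3:ListAllMyBuckets"],"Resource":"*"}]}')
PARAMS_TABLE = [
    AssumeRoleParams("222222222222", "DiscoveryReadOnly",
                     external_id="constructed-external-id", session_policy=READ_ONLY_POLICY),
    AssumeRoleParams(MASTER_ID, "DiscoveryReadOnly", duration_seconds=1800),
]
MEMBERS = {
    "222222222222": ServiceAccount("222222222222", parent_account_id=MASTER_ID),
    "333333333333": ServiceAccount("333333333333", parent_account_id=MASTER_ID,
                                   credential_id="constructed-cred-333"),
    "444444444444": ServiceAccount("444444444444", parent_account_id=MASTER_ID),
    "555555555555": ServiceAccount("555555555555", parent_account_id="999999999999"),
}

if __name__ == "__main__":
    for account_id, member in MEMBERS.items():
        print(account_id, resolve_credentials(member, PARAMS_TABLE))
```

Running the block prints one line per member: account 333 resolves to its permanent credential, 222 to its own restricted role (with ExternalId and session policy), 444 to the role defined on the master account, and 555 to OrganizationAccountAccessRole with no extra restrictions.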

Caching of temporary credentials

By default, temporary credentials for member accounts are cached for 60 minutes. This interval allows the horizontal Discovery process to run multiple times without generating new credentials during each Discovery.

These MID Server properties control credential caching:

mid.aws.sts.assume_role.disable_credential_caching
  Set this property to true to prevent the caching of the temporary AWS credentials.
  • Type: true | false
  • Default: false

mid.aws.sts.assume_role.credential_ttl_minutes
  Set the number of minutes you want to cache temporary AWS credentials.
  • Type: integer
  • Default: 60

Configure a custom AWS member role

Customize the AWS roles that a MID Server can assume to receive temporary credentials for member accounts. You can configure additional parameters to improve security and customize the way that the member account's role is assumed when discovering cloud resources. For the procedure, see Configure a custom AWS member role.
