    ServiceNow product documentation, New York release: IT Operations Management > ITOM Visibility > Discovery > Running discoveries in your network > Cloud Discovery

    Assume an AWS role for temporary cloud Discovery credentials

    You can configure the MID Server to assume an AWS role that provides temporary cloud service account credentials. Using AWS-issued temporary credentials eliminates the need to store and manage long-lived account credentials on your instance.

    AWS offers temporary credentials for the following types of service accounts:
    • Discrete account: Standalone account, with no parent account. The is_master_account check box in the Discovery Manager is cleared (false).
    • Master account: Master account that may or may not contain member accounts (sub-accounts). The is_master_account check box in the Discovery Manager is selected (true).
    • Member account: Account that has a parent account. The is_master_account check box in the Discovery Manager is cleared (false).
    Use these features to receive temporary credentials for your accounts:
    • Identity and Access Management (IAM) roles: Provides temporary credentials granted by an AWS role for the discovery of discrete accounts and master accounts. IAM roles are defined in EC2 instance profiles. MID Servers installed on an EC2 instance can use the temporary credentials available to these roles to discover cloud resources.
    • AWS Security Token Service API: Provides temporary credentials for any member account in a master account that does not have a permanent credential specified in the instance. The MID Server assumes a role that provides temporary credentials for a given member account, when discovering cloud resources in that member account. The ServiceNow instance includes a default configuration that provides credentials automatically for all member accounts that belong to an organization controlled by a master account. Advanced configuration allows you to customize the roles and other parameters that a MID Server can assume. You can use this capability to restrict access to certain member accounts, which enhances security.

    AWS IAM roles in EC2 instance profiles

    Amazon EC2 uses an AWS instance profile to create temporary security credentials for discovering cloud resources. These credentials are provided and managed by Identity and Access Management (IAM) roles in the profile and rotate automatically.

    Delegating permissions for a MID Server

    Use IAM roles for a MID Server installed on Amazon EC2 within the AWS cloud that is configured to discover cloud resources in "discrete" accounts. A "discrete" account is one that is not an organization - an account with no member accounts. This method of delegating permissions within the cloud eliminates the need to manage AWS account credentials on your instance. Discovery uses the credentials from AWS if an instance profile is configured in AWS for the EC2 instance.

    The MID Server retrieves the security credentials from AWS that are provided by the role. The MID Server is then granted the permissions for the actions and resources defined for that role through those security credentials. These security credentials are temporary and rotate automatically. AWS generates new credentials at least five minutes before the expiration of the old credentials.

    For instructions on configuring roles for an AWS instance profile, see Amazon Web Services documentation on IAM Roles for Amazon EC2.
    Figure 1. EC2 Instance Configuration with IAM role (image: EC2 Instance Configuration with IAM role defined)
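
    The following is an added example, not ServiceNow or AWS code, showing how a consumer on an EC2 instance handles the credential set delivered by an instance-profile role as described above. It assumes the JSON document shape that the EC2 instance metadata service returns for an instance-profile role (Code, AccessKeyId, SecretAccessKey, Token, Expiration), a constructed sample of that document with placeholder key material, and two injected callables (`reader`, `clock`) so that nothing contacts AWS. The five-minute rotation window comes from the paragraph above; the class names and helper names are this example's own.

```python
"""Consume temporary credentials from an EC2 instance-profile role.

Added example, not ServiceNow or AWS code. It assumes the JSON document shape
that the EC2 instance metadata service returns for an instance-profile role
and uses a constructed sample of that document; nothing here contacts AWS.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample document (key material is a placeholder, not a real key).
SAMPLE_DOCUMENT = json.dumps({
    "Code": "Success",
    "LastUpdated": "2024-01-01T10:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAPLACEHOLDER0000",
    "SecretAccessKey": "placeholder-secret-access-key",
    "Token": "placeholder-session-token",
    "Expiration": "2024-01-01T16:00:00Z",
})

# AWS issues the replacement set at least five minutes before the old one
# expires, so re-reading the document inside that window is enough to pick
# up the rotated credentials before the current ones stop working.
ROTATION_WINDOW = timedelta(minutes=5)


def parse_timestamp(value):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form used in the document into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_credential_document(raw):
    """Validate the metadata document and return only the fields a caller needs."""
    doc = json.loads(raw)
    if doc.get("Code") != "Success":
        raise ValueError(f"instance profile returned Code={doc.get('Code')!r}")
    for key in ("AccessKeyId", "SecretAccessKey", "Token", "Expiration"):
        if not doc.get(key):
            raise ValueError(f"credential document is missing {key}")
    return {
        "access_key_id": doc["AccessKeyId"],
        "secret_access_key": doc["SecretAccessKey"],
        "session_token": doc["Token"],
        "expiration": parse_timestamp(doc["Expiration"]),
    }


def needs_refresh(creds, now):
    """True once the clock is inside the rotation window or past expiry."""
    return now >= creds["expiration"] - ROTATION_WINDOW


class InstanceProfileCredentials:
    """Holds the current credential set and re-reads the document only when the
    rotation window is reached, so the consumer never signs requests with a set
    that is about to expire."""

    def __init__(self, reader, clock):
        self._reader = reader   # callable returning the raw JSON document (hypothetical)
        self._clock = clock     # callable returning an aware UTC datetime (hypothetical)
        self._creds = None
        self.reads = 0          # how many times the document was fetched

    def get(self):
        now = self._clock()
        if self._creds is None or needs_refresh(self._creds, now):
            self._creds = parse_credential_document(self._reader())
            self.reads += 1
        return self._creds
```

    A real deployment would pass a `reader` that performs the metadata-service HTTP request; the injected clock makes the refresh decision testable without waiting for an actual expiry. Note that a `Code` other than `Success` is treated as a hard error rather than silently reusing stale credentials.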

    Configure the MID Server for AWS IAM roles

    If you configure an IAM role for an AWS instance profile, configure the MID Server to retrieve the temporary security credentials from AWS that are provided by the role.

    Before you begin

    Role required: admin

    Procedure

    1. Navigate to Discovery > MID Servers.
    2. Select a MID Server to use for AWS Cloud Discovery.
      This MID Server must be installed on an EC2 server within the AWS cloud.
    3. Open the Configuration Parameters related list.
    4. Click New.
    5. In the configuration parameter form, select mid.aws.instance_profile_name in the Parameter name field.
    6. Enter the IAM role name from the EC2 Instance Configuration record in the Value field.
    7. Click Submit.
      The new parameter is listed in the MID Server record.
      (Figure: MID Server configuration parameter for IAM roles)

    Assuming member roles with an AWS API

    The MID Server can call an AWS API and use the permanent credentials of an AWS master account (organization) to assume the role of one or more member accounts. By assuming the role, the MID Server receives temporary credentials for the member accounts generated by AWS for that role.

    Assuming member account roles in a large AWS organization is more convenient and offers better security than using large numbers of permanent credentials for all member accounts. Temporary credentials are only acquired on behalf of a member account when there is no permanent credential specified for that member account in the Service Accounts [cmdb_ci_cloud_service_account] table.

    The MID Server uses the AssumeRole action in the AWS Security Token Service API to assume a member account role. Parameters passed to this API determine what additional security restrictions are applied to the role when it accesses AWS resources.

    Default member role configuration

    By default, the MID Server is configured to assume the OrganizationAccountAccessRole, which grants temporary credentials to all the members of a master account. This action occurs automatically if no permanent credentials exist for the member accounts. This configuration does not apply any additional security or restrict access to any resources in member accounts.

    Advanced member role configuration

    You can improve security by defining additional roles that a MID Server can assume. These roles can have access to certain member accounts and determine the actions that Discovery is allowed to take on the resources in those accounts.

    Create records in the Cloud Management AWS Org Assume Role Parameters module that specify the roles and restrictions that apply. Records in the Cloud Service Account AWS Org Assume Role Params [cloud_service_account_aws_org_assume_role_params] table pass their parameters to the AWS Security Token Service API, which then provides the appropriate credentials and permissions to the MID Server.

    How Discovery determines which credentials to use

    Cloud Discovery uses the following logic to determine which credentials to use to discover AWS cloud resources in member accounts:
    1. If permanent credentials are defined for the member account in the Cloud Service Account [cmdb_ci_cloud_service_account] table, Discovery uses those credentials.
    2. If no permanent credentials are defined for the member account, Discovery checks the Cloud Service Account AWS Org Assume Role Params [cloud_service_account_aws_org_assume_role_params] table for any special parameters associated with the member account. If parameters exist in that table, Discovery uses the temporary credentials acquired from specifying a role and its parameters in the AWS Security Token Service API AssumeRole action.
    3. If no special parameters are associated with the member account in the [cloud_service_account_aws_org_assume_role_params] table, Discovery checks that table for parameters associated with the master account. If parameters exist that define a role for the master account, Discovery uses the temporary credentials provided by that role.
    4. If no special parameters are present in the [cloud_service_account_aws_org_assume_role_params] table for either master or member accounts, Discovery uses the defaults defined for the OrganizationAccountAccessRole role.
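
    The four-step selection order above, modelled as an added example that is not ServiceNow code. The two tables named on the page are represented as plain Python lists with constructed rows; the column names used here (`account_id`, `access_key`, `role_name`, `external_id`, `duration_seconds`, `session_policy`) are assumptions, because the page does not list the tables' columns. The request the resolver returns uses the real parameter names of the STS AssumeRole action (`RoleArn`, `RoleSessionName`, `ExternalId`, `DurationSeconds`, `Policy`), which is how the parameters recorded for a member or master account translate into the additional restrictions the page describes.

```python
"""Model the credential-selection order Cloud Discovery applies to a member account.

Added example, not ServiceNow code. Table rows, column names, role names and
the session policy are constructed assumptions; the request dict uses the real
STS AssumeRole parameter names.
"""
import json

DEFAULT_ROLE = "OrganizationAccountAccessRole"   # the default role named on the page

# Assumed session policy: scopes the assumed role down to read-only inventory
# calls. A session policy can only reduce what the role already permits; it
# never grants anything beyond the role's own policies.
READ_ONLY_SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:Describe*", "rds:Describe*", "elasticloadbalancing:Describe*"],
        "Resource": "*",
    }],
}

# Constructed rows for cmdb_ci_cloud_service_account. access_key is None when no
# permanent credential is stored for the account; all values are placeholders.
SERVICE_ACCOUNTS = [
    {"account_id": "111111111111", "is_master_account": True,  "access_key": "AKIA-MASTER-PLACEHOLDER"},
    {"account_id": "222222222222", "is_master_account": False, "access_key": "AKIA-MEMBER-PLACEHOLDER"},
    {"account_id": "333333333333", "is_master_account": False, "access_key": None},
    {"account_id": "444444444444", "is_master_account": False, "access_key": None},
]

# Constructed rows for cloud_service_account_aws_org_assume_role_params.
ASSUME_ROLE_PARAMS = [
    {"account_id": "333333333333", "role_name": "DiscoveryReadOnly",
     "external_id": "external-id-placeholder", "duration_seconds": 900,
     "session_policy": READ_ONLY_SESSION_POLICY},
    {"account_id": "111111111111", "role_name": "OrgDiscoveryRole",
     "external_id": None, "duration_seconds": 1800, "session_policy": None},
]


def _find(rows, account_id):
    return next((r for r in rows if r["account_id"] == account_id), None)


def build_assume_role_request(member_id, params, source):
    """Translate a params row into the arguments STS AssumeRole accepts.

    The role is assumed inside the member account, so the ARN uses the member's
    account ID even when the row belongs to the master account (an assumption
    about how master-level parameters are applied)."""
    request = {
        "RoleArn": f"arn:aws:iam::{member_id}:role/{params['role_name']}",
        "RoleSessionName": f"servicenow-discovery-{member_id}",
    }
    if params.get("external_id"):
        request["ExternalId"] = params["external_id"]
    if params.get("duration_seconds"):
        request["DurationSeconds"] = params["duration_seconds"]
    if params.get("session_policy"):
        request["Policy"] = json.dumps(params["session_policy"])
    return {"kind": "assume_role", "source": source, "request": request}


def resolve_credentials(member_id, master_id, service_accounts, assume_role_params):
    """Apply steps 1 to 4 from the page, in order, and report which one matched."""
    # 1. A permanent credential stored for the member account wins outright.
    account = _find(service_accounts, member_id)
    if account and account.get("access_key"):
        return {"kind": "permanent", "source": "member", "access_key": account["access_key"]}
    # 2. Assume-role parameters recorded for the member account itself.
    params = _find(assume_role_params, member_id)
    if params:
        return build_assume_role_request(member_id, params, "member_params")
    # 3. Otherwise, parameters recorded for the master account.
    params = _find(assume_role_params, master_id)
    if params:
        return build_assume_role_request(member_id, params, "master_params")
    # 4. Fall back to the default organization role with no extra restrictions.
    return build_assume_role_request(member_id, {"role_name": DEFAULT_ROLE}, "default")
```

    The `source` field in the result is what a reviewer would log during a Discovery run: it makes visible whether a member account was reached with a stored key, with a deliberately scoped role, or with the unrestricted default, which is the case the page recommends replacing through advanced configuration.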

    Caching of temporary credentials

    By default, temporary credentials for member accounts are cached for 60 minutes. This interval allows the horizontal Discovery process to run multiple times without generating new credentials during each Discovery.

    These MID Server properties control credential caching:

    mid.aws.sts.assume_role.disable_credential_caching
      Set this property to true to prevent the caching of the temporary AWS credentials.
      • Type: true | false
      • Default: false

    mid.aws.sts.assume_role.credential_ttl_minutes
      Set the number of minutes you want to cache temporary AWS credentials.
      • Type: integer
      • Default: 60
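
    An added example, not ServiceNow code, of a per-account credential cache driven by the two properties above. The STS call is replaced by a constructed stub (`FakeSts`) so the block runs offline, and the clock is injected so that the 60-minute TTL can be exercised without waiting. The property names are the ones on the page; the extra rule that a cached entry is never served past the credential's own `Expiration` is a safeguard added in this example, not documented MID Server behaviour.

```python
"""Cache temporary member-account credentials according to the two MID Server
caching properties.

Added example, not ServiceNow code. FakeSts is a constructed stand-in for the
STS AssumeRole call; the expiration cap is this example's own safeguard.
"""
from datetime import datetime, timedelta, timezone


class FakeSts:
    """Constructed stand-in for AssumeRole: returns placeholder credentials that
    expire duration_seconds after the call and counts how often it was used."""

    def __init__(self, clock, duration_seconds=3600):
        self._clock = clock
        self._duration = timedelta(seconds=duration_seconds)
        self.calls = 0

    def assume_role(self, account_id):
        self.calls += 1
        return {
            "account_id": account_id,
            "access_key_id": f"ASIA-PLACEHOLDER-{account_id}-{self.calls}",
            "expiration": self._clock() + self._duration,
        }


class AssumeRoleCredentialCache:
    def __init__(self, sts, clock, disable_credential_caching=False, credential_ttl_minutes=60):
        self._sts = sts
        self._clock = clock
        # mid.aws.sts.assume_role.disable_credential_caching
        self._disabled = disable_credential_caching
        # mid.aws.sts.assume_role.credential_ttl_minutes
        self._ttl = timedelta(minutes=credential_ttl_minutes)
        self._entries = {}   # account_id -> (credentials, cached_until)

    def get(self, account_id):
        now = self._clock()
        if not self._disabled:
            entry = self._entries.get(account_id)
            if entry and now < entry[1]:
                return entry[0]
        creds = self._sts.assume_role(account_id)
        if not self._disabled:
            # Serve from cache for the configured TTL, but never beyond the
            # moment STS itself says the credential stops working.
            cached_until = min(now + self._ttl, creds["expiration"])
            self._entries[account_id] = (creds, cached_until)
        return creds


def utc(iso):
    """Parse a constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamp into an aware datetime."""
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
```

    The cap matters when `credential_ttl_minutes` is raised above the `DurationSeconds` that the assumed role actually grants: without it, a horizontal Discovery run late in the window would carry credentials that STS has already invalidated and fail part-way through.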

    Configure a custom AWS member role

    Customize the AWS roles that a MID Server can assume to receive temporary credentials for member accounts. You can configure additional parameters to improve security and customize the way that the member account’s role is assumed when discovering cloud resources. For the procedure, see Configure a custom AWS member role.

    © ServiceNow. All rights reserved.