The API Service Graph Connector for AWS API Gateway has been released into the innovation lab to get early feedback on the data mappings and relationships into the CMDB. AWS API Gateway has two sets of API inventory. REST APIs are gathered with one set of queries, and HTTP and Websocket APIs are gathered with a second set of queries. This integration collects both sets of inventory.
One requirement for setting up the integration with the innovation lab release is an access key and secret key for an IAM user in the same account as the API Gateway where the APIs are defined. Another is an IAM role that this user can assume and that is permitted to run the queries that gather the APIs. As we move to a more generally available version of the integration we will add support for assuming roles from a delegate account into member accounts, but this release supports only a single-account setup. Below is an example role that can be defined in AWS and used in the setup of the connector.
Minimum permissions required:
Example IAM role permissions
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ServiceNowAPIGatewayReadOnly",
      "Effect": "Allow",
      "Action": [
        "apigateway:GET"
      ],
      "Resource": "arn:aws:apigateway:*::/*"
    }
  ]
}
A trust relationship must also be established with the IAM user whose access key and secret key were created for the integration. The role's trust policy needs a statement for that user similar to the "LocalIAM" statement below (the "Federated" statement may exist if your organization uses single sign-on to AWS accounts, but it is not necessary for the role to operate):
Example IAM role trust
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<account id>:saml-provider/Okta"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    },
    {
      "Sid": "LocalIAM",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account id>:user/<username>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
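Before handing the user's keys to the connector, it is worth checking that the two documents above really are least-privilege: the permissions policy should grant nothing beyond apigateway:GET on API Gateway resources, and the trust policy should let only the integration user (not a wildcard or a second principal) call sts:AssumeRole. The following is an added example, not ServiceNow's or AWS's code; it lints both documents offline with the standard library, and the account id 123456789012 and user name svc-now-apigw are constructed placeholders.

```python
# Offline lint for the two IAM documents the connector relies on (stdlib only).
ALLOWED_ACTIONS = {"apigateway:GET"}  # the read-only action from the example role
APIGW_ARN_PREFIX = "arn:aws:apigateway:"
ACCOUNT_ID, USERNAME = "123456789012", "svc-now-apigw"  # constructed placeholders

def _as_list(value):
    """IAM accepts a string or a list in Action, Resource and Principal fields."""
    return value if isinstance(value, list) else [value]

def check_permissions_policy(policy):
    """Findings for any Allow statement granting more than apigateway:GET on API Gateway."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action not in ALLOWED_ACTIONS:
                findings.append(f"action {action!r} exceeds read-only API Gateway access")
        for resource in _as_list(stmt.get("Resource", [])):
            if not resource.startswith(APIGW_ARN_PREFIX):
                findings.append(f"resource {resource!r} is outside API Gateway")
    return findings

def check_trust_policy(trust, account_id, username):
    """Findings unless exactly the integration user is allowed sts:AssumeRole."""
    expected = f"arn:aws:iam::{account_id}:user/{username}"
    findings, seen_user = [], False
    for stmt in trust.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue  # SAML statements use AssumeRoleWithSAML and do not involve the user
        principal = stmt.get("Principal", {})
        aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for arn in _as_list(aws_principals):  # a bare "*" principal lands here too
            if arn == expected:
                seen_user = True
            else:
                findings.append(f"unexpected AssumeRole principal {arn!r}")
    if not seen_user:
        findings.append(f"{expected} cannot assume the role")
    return findings

# The two documents from the post, with the constructed account id and user name filled in.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "ServiceNowAPIGatewayReadOnly",
    "Effect": "Allow", "Action": ["apigateway:GET"], "Resource": "arn:aws:apigateway:*::/*"}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/Okta"},
     "Action": "sts:AssumeRoleWithSAML",
     "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}},
    {"Sid": "LocalIAM", "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:user/{USERNAME}"},
     "Action": "sts:AssumeRole"}]}
```

Both checks return an empty list for the documents above; a policy widened to apigateway:* or a trust policy with a "*" principal produces findings describing exactly what exceeds the connector's needs.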
Once you have the access key, secret key, account ID, the regions in the account where APIs are defined, and the role to be assumed via STS, you can run the Setup of the connector and enter these values in the properties definition step.
Integration setup properties
Once all the properties are set, click the Test Connection related link; a 200 success code should be returned. After a successful connection has been made, you can schedule the import or run it once to test the data load. Connections to other accounts can be made by adding further "instances" of the connector.