yesterday
I'm really new to the platform and trying to figure out if I can reuse already set-up credentials for one AWS spoke (EC2) for other AWS spokes (S3, CloudFormation).
So far, in the instance I'm working in, it looks like the credentials were duplicated for EC2 and IAM, but I find this strange. I would expect that credentials are set only once and different aliases were using different algorithms so that they can eventually be reused in other spokes...
Is my understanding wrong? Is the current setup in the instance I'm using strange, or is this normal? (There are multiple different AWS accounts in the instance, and adding a spoke seems to need another set of credentials to be set up... imagine how that looks if you have like 40 different AWS accounts and you need to configure 4 spokes.)
Forgive my ignorance of the platform and please point me to any documentation/blog entry that might help.
Thanks!!
5 hours ago
Your understanding is correct: credentials should normally be set up once per AWS account and reused across spokes.
What you’re seeing is unusual but not “wrong” — it’s just a less efficient setup.
If you’re starting fresh, set up one alias per AWS account and point all spokes to it. That way, scaling to dozens of accounts stays manageable.
How AWS Spoke Credentials Work in ServiceNow
Each AWS spoke (EC2, S3, CloudFormation, IAM, etc.) needs credentials to talk to AWS.
Credentials are stored in Connection & Credential Aliases.
By design, you can reuse the same credential alias across multiple spokes if the AWS account and permissions are the same.
What you’re seeing (duplicate credentials for EC2 and IAM) usually happens when admins set up each spoke separately instead of reusing an alias. It’s not technically wrong, but it’s redundant.
If you have 40 AWS accounts and configure 4 spokes for each, duplicating credentials would mean 160 separate entries — which is messy.
The cleaner approach is:
Create one credential alias per AWS account.
Reuse that alias across all spokes (EC2, S3, CloudFormation, etc.).
The spoke actions don’t care which alias you use, as long as the alias points to valid AWS credentials with the right permissions.
5 hours ago
Thanks Pavani,
just to be sure I understand the flow: do I need to ask for a new set of secrets for all the accounts from AWS and ask them to create entries of type "Credential" in the Connection & Credential Aliases?
And if so, when one creates the actual credential and chooses "AWS Credentials", does he/she have to not fill in the "Authentication algorithm"?
Thanks again!
2 hours ago
You’ve got it mostly right.
Credentials & Aliases in ServiceNow AWS Spokes
For each AWS account, you need a set of secrets (Access Key ID + Secret Access Key).
Those secrets are stored in ServiceNow as a Credential record.
Then you create a Connection & Credential Alias that points to that credential.
All AWS spokes (EC2, S3, CloudFormation, IAM, etc.) can reuse the same alias, as long as the permissions on that AWS account cover the actions the spoke needs.
So you don’t need to ask for new secrets for every spoke. You just need one credential per AWS account, and then reuse it across spokes by referencing the same alias.
AWS Credential Type Setup
When you create a Credential in ServiceNow and choose AWS Credentials:
You provide the Access Key ID and Secret Access Key.
The Authentication algorithm field is not something you fill in manually — it’s handled internally. For AWS credentials, you can leave that blank.
One AWS account = one credential record.
Reuse the alias across spokes. No need to duplicate secrets.
Authentication algorithm field: leave it empty when using “AWS Credentials” — ServiceNow knows how to handle AWS signature authentication automatically.
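The condition in the answer above, that one alias can serve every spoke only if the account's permissions cover the actions each spoke needs, can be checked before consolidating credentials. The following is an added example, not part of the thread's posts or ServiceNow's own code; the policy document and the per-spoke action lists are constructed assumptions, and Resource and Condition elements are not evaluated.

```python
import fnmatch
import json

# Constructed sample: identity policy of the IAM user behind the shared credential.
POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
  {"Effect": "Allow", "Resource": "*",
   "Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances"]},
  {"Effect": "Allow", "Resource": "*", "Action": "s3:ListBucket"},
  {"Effect": "Deny", "Resource": "*", "Action": "s3:DeleteObject"}
 ]}
""")

# Assumption: the AWS API actions each spoke's flows call. Replace with the
# list for the spoke actions actually enabled in your instance.
SPOKE_ACTIONS = {
    "EC2": ["ec2:DescribeInstances", "ec2:StartInstances"],
    "S3": ["s3:ListBucket", "s3:GetObject"],
    "CloudFormation": ["cloudformation:DescribeStacks"],
}

def _as_list(value):
    """IAM allows a single string or a list for Action and Statement."""
    return list(value) if isinstance(value, list) else [value]

def allowed(policy, action):
    """Explicit Deny wins; otherwise one matching Allow is required.
    Simplification: Resource, Condition and NotAction are not evaluated."""
    verdict = False
    for stmt in _as_list(policy["Statement"]):
        patterns = _as_list(stmt.get("Action", []))
        # Action names are case-insensitive; '*' and '?' are wildcards.
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            verdict = True
    return verdict

def missing_by_spoke(policy, spoke_actions):
    """Map each spoke to the required actions the shared credential lacks."""
    return {spoke: [a for a in actions if not allowed(policy, a)]
            for spoke, actions in spoke_actions.items()}

if __name__ == "__main__":
    for spoke, missing in missing_by_spoke(POLICY, SPOKE_ACTIONS).items():
        print(f"{spoke}: {'covered' if not missing else 'missing ' + ', '.join(missing)}")
```

A spoke that reports missing actions either needs the shared IAM user's policy extended or is a candidate for its own, narrower credential.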
2 hours ago
@ApostolosS44578 I agree with you.
Could you give the below a try:
Reuse Credential Records: You can actually point multiple Connection Aliases to the same Credential record in the Discovery > Credentials table. You don't have to create a new one every time; you can select an existing "AWS Credentials" record when configuring a new spoke's alias.
See if this helps.
✔️ If this solves your issue, please mark it as Correct.
✔️ If you found it helpful, please mark it as Helpful.
—
Shubham Jain
