ServiceNow to AWS Lambda Integration Using OIDC Authentication

SoumyaS80315046
Tera Contributor

Hi everyone,


I'm currently investigating an integration pattern between ServiceNow and AWS Lambda as part of an account deletion automation initiative.

The current architectural preference is to avoid long-lived AWS IAM user credentials and instead use a more secure federated authentication approach.

We're evaluating whether ServiceNow can securely invoke AWS Lambda using an OIDC-based authentication model, ideally through Integration Hub and the AWS Lambda Spoke.

Some of the questions we're trying to answer are:

  • Has anyone successfully implemented direct OIDC authentication between ServiceNow and AWS for Lambda invocation?

  • Does the AWS Lambda Spoke support OIDC federation, or does it still require AWS Access Key / Secret Key credentials?

  • If direct OIDC is not supported, what patterns have you used to avoid long-lived AWS credentials?

  • Has anyone deployed a MID Server within AWS (EC2 or EKS) and used its IAM role to invoke Lambda functions?

  • Are there any recommended architectures or lessons learned for ServiceNow → AWS Lambda integrations in security-conscious environments?

Any insights, documentation references, or real implementation experiences would be greatly appreciated.

Thanks in advance.


SoumyaS80315046
Tera Contributor

Hi everyone,

Following my earlier investigation into ServiceNow to AWS Lambda integrations, we've confirmed that the AWS Lambda Spoke appears to rely on AWS IAM-based credentials and does not natively support OIDC-based outbound authentication.

Due to security requirements, our preferred approach is to avoid IAM users, long-lived AWS access keys, and static credentials stored in ServiceNow. We are therefore evaluating an alternative architecture where ServiceNow authenticates using OAuth/OIDC and invokes AWS through API Gateway.

The proposed design is:

ServiceNow → OIDC Identity Provider → AWS API Gateway → AWS Lambda

The current plan is to configure an OAuth/OIDC Application Registry in ServiceNow using the Client ID, Client Secret, OAuth OIDC Provider Configuration, and OIDC Metadata URL provided by the enterprise Identity Provider. The Application Registry would be associated with an outbound REST Message. When a Flow Designer executes, ServiceNow would obtain or reuse a valid OAuth access token and include it in the Authorization header when invoking AWS API Gateway.

AWS API Gateway would be configured with a JWT Authorizer. Lambda would perform the required business logic and return a response to ServiceNow.

We are also considering a variant where the REST Message is routed through a MID Server for environments requiring additional network controls. In that scenario, the MID Server would act only as a transport layer and would not participate in authentication or token generation.

Has anyone implemented a similar ServiceNow → API Gateway → Lambda pattern using OAuth/OIDC authentication? From a ServiceNow architecture perspective, does this approach look correct, or are there any gaps, limitations, or best practices that we should consider around Application Registry configuration, OAuth token management, API Gateway JWT validation, MID Server routing, or Flow Designer integration?

Any feedback from teams that have implemented this pattern in production would be greatly appreciated.

Thanks.
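The API Gateway → Lambda leg of the pattern described in the follow-up post, as an added example that is not part of the original thread and not ServiceNow or AWS product code: a Python handler for an API Gateway HTTP API (payload format 2.0) sitting behind a JWT authorizer. It assumes the authorizer has already verified the token's signature, issuer and audience, and re-checks the forwarded claims for defense in depth, refusing any caller that is not the ServiceNow OAuth client or that lacks the scope for the account-deletion action; the client ID, scope string and sample event are constructed assumptions.

```python
import json
import os

# Assumed values for this example; a real deployment sets them as Lambda environment variables.
EXPECTED_CLIENT_ID = os.environ.get("EXPECTED_CLIENT_ID", "servicenow-account-deletion-client")
REQUIRED_SCOPE = os.environ.get("REQUIRED_SCOPE", "accounts:delete")

def extract_jwt_claims(event):
    """Claims forwarded by the HTTP API JWT authorizer (payload format 2.0), or None if absent."""
    try:
        return event["requestContext"]["authorizer"]["jwt"]["claims"]
    except (KeyError, TypeError):
        return None

def authorize(claims):
    """Defense in depth: the authorizer verified signature, issuer and audience;
    here we check which OAuth client is calling and that its token carries the action's scope."""
    if not claims:
        return False, "missing authorizer claims"
    caller = claims.get("client_id") or claims.get("azp")  # IdPs differ on the claim name
    if caller != EXPECTED_CLIENT_ID:
        return False, "unexpected client"
    scopes = claims.get("scope", "")
    if isinstance(scopes, str):  # OAuth 'scope' is space-delimited; some IdPs emit a list
        scopes = scopes.split()
    if REQUIRED_SCOPE not in scopes:
        return False, "missing scope"
    return True, "ok"

def lambda_handler(event, context=None):
    ok, reason = authorize(extract_jwt_claims(event))
    if not ok:
        return {"statusCode": 403, "body": json.dumps({"error": reason})}
    try:
        account_id = json.loads(event.get("body") or "{}")["account_id"]
    except (ValueError, KeyError, TypeError):
        return {"statusCode": 400, "body": json.dumps({"error": "account_id required"})}
    result = {"account_id": account_id, "status": "deleted"}  # stands in for the real deletion logic
    return {"statusCode": 200, "body": json.dumps(result)}

# Constructed sample event in the shape API Gateway HTTP API passes to Lambda after a JWT authorizer.
SAMPLE_EVENT = {
    "requestContext": {"authorizer": {"jwt": {"scopes": ["accounts:delete"], "claims": {
        "iss": "https://idp.example.com", "aud": "api://account-deletion",
        "client_id": "servicenow-account-deletion-client", "scope": "accounts:delete"}}}},
    "body": json.dumps({"account_id": "acct-123"}),
}
```

Scope enforcement can additionally be configured on the API Gateway route itself; keeping the check in the handler means a misconfigured route does not silently grant the deletion action.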