ServiceNow to AWS Lambda Integration Using OIDC
Hi everyone,
Following my earlier investigation into ServiceNow to AWS Lambda integrations, we've confirmed that the AWS Lambda Spoke appears to rely on AWS IAM-based credentials and does not natively support OIDC-based outbound authentication.
Due to security requirements, our preferred approach is to avoid IAM users, long-lived AWS access keys, and static credentials stored in ServiceNow. We are therefore evaluating an alternative architecture where ServiceNow authenticates using OAuth/OIDC and invokes AWS through API Gateway.
The proposed design is:
ServiceNow → OIDC Identity Provider → AWS API Gateway → AWS Lambda
The current plan is to configure an OAuth/OIDC Application Registry in ServiceNow using the Client ID, Client Secret, OAuth OIDC Provider Configuration, and OIDC Metadata URL provided by the enterprise Identity Provider. The Application Registry would be associated with an outbound REST Message. When a Flow Designer flow executes, ServiceNow would obtain or reuse a valid OAuth access token and include it in the Authorization header when invoking AWS API Gateway.
AWS API Gateway would be configured with a JWT Authorizer. Lambda would perform the required business logic and return a response to ServiceNow.
We are also considering a variant where the REST Message is routed through a MID Server for environments requiring additional network controls. In that scenario, the MID Server would act only as a transport layer and would not participate in authentication or token generation.
Has anyone implemented a similar ServiceNow → API Gateway → Lambda pattern using OAuth/OIDC authentication? From a ServiceNow architecture perspective, does this approach look correct, or are there any gaps, limitations, or best practices that we should consider around Application Registry configuration, OAuth token management, API Gateway JWT validation, MID Server routing, or Flow Designer integration?
Any feedback from teams that have implemented this pattern in production would be greatly appreciated.
Thanks.
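As an added example (not from the original post or any ServiceNow/AWS documentation), a CloudFormation fragment for the API Gateway JWT Authorizer step in the proposed design: the HTTP API verifies the bearer token's signature against the keys published under the IdP's issuer, its `iss`, its `aud`, and its expiry, and requires a scope on the route, all before Lambda runs. The issuer URL, audience, scope and the Lambda ARN parameter are placeholders to be replaced with the enterprise IdP's values.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  BusinessLogicFunctionArn:
    Type: String   # placeholder: ARN of the Lambda that holds the business logic
Resources:
  HttpApi:
    Type: AWS::ApiGatewayV2::Api
    Properties:
      Name: servicenow-integration
      ProtocolType: HTTP
  # JWT authorizer: checks signature (keys fetched via the issuer's OIDC
  # discovery document), iss, aud and exp/nbf before any integration is called
  OidcJwtAuthorizer:
    Type: AWS::ApiGatewayV2::Authorizer
    Properties:
      ApiId: !Ref HttpApi
      Name: enterprise-idp-jwt
      AuthorizerType: JWT
      IdentitySource:
        - $request.header.Authorization
      JwtConfiguration:
        Issuer: https://idp.example.com          # placeholder: the IdP's iss value
        Audience:
          - servicenow-aws-integration           # placeholder: aud the IdP issues for this API
  LambdaIntegration:
    Type: AWS::ApiGatewayV2::Integration
    Properties:
      ApiId: !Ref HttpApi
      IntegrationType: AWS_PROXY
      IntegrationUri: !Ref BusinessLogicFunctionArn
      PayloadFormatVersion: "2.0"
  InvokeRoute:
    Type: AWS::ApiGatewayV2::Route
    Properties:
      ApiId: !Ref HttpApi
      RouteKey: POST /invoke
      AuthorizationType: JWT
      AuthorizerId: !Ref OidcJwtAuthorizer
      AuthorizationScopes:
        - servicenow.invoke                      # placeholder: scope the token must carry
      Target: !Sub integrations/${LambdaIntegration}
  # Only this API may invoke the function; a bare Lambda ARN is never exposed
  ApiInvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref BusinessLogicFunctionArn
      Action: lambda:InvokeFunction
      Principal: apigateway.amazonaws.com
      SourceArn: !Sub arn:${AWS::Partition}:execute-api:${AWS::Region}:${AWS::AccountId}:${HttpApi}/*
```

A stage (for example `$default` with `AutoDeploy: true`) is still needed to make the route reachable, and the `Audience` value must equal the `aud` (or `client_id`) claim the IdP places in tokens issued to the ServiceNow client, otherwise every request is rejected with 401 before reaching Lambda.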