Murali Reddy1
ServiceNow Employee

The Service Graph Connector for AWS is designed to call the AWS APIs directly, without a MID Server. Some customers, however, must route this traffic through a MID Server acting as a proxy for security reasons. The steps described below need to be performed after installing the Service Graph Connector for AWS.

Please note: some customers have reported slowness or timeouts when retrieving data through the MID Server. Whitelisting the AWS API URLs on the proxy or firewall in front of the MID Server helps get data into the ServiceNow CMDB faster.

Assumptions:

  • MID Server is already set up
  • MID Server can reach the AWS API endpoints over HTTPS

Required Components: 

  • IntegrationHub Flow Designer

Steps:

1. Navigate to MID Server --> Applications.

2. Give a name and select the MID server as shown below.

*Note: SD Lab Mid is the MID Server used for this demonstration. Your MID Server will have a different name; select the appropriate one.


3. Navigate to MID Server --> Capabilities. Create a new MID Server Capability, select the MID Server as shown below, and save.


4. Navigate to IntegrationHub --> Connections & Credentials --> Authentication Algorithms. Select "SG-AWS Auth Algo".


5. In the Mid Authentication Script field, select "RequestAuthAWSV4MIDSigner".


 

6. Navigate to Flow Designer --> Actions and search for the SG-AWS components.


7. Check Use MID and fill in the MID selection fields as shown below. Repeat this for each of the SG-AWS API actions.


 

Please note that the Credential Alias should be set only on these Flow Actions:

  #  Flow Action Name                            Internal Name
  1  SG-AWS-Organizations-DescribeOrganization   sgawsorganizationsdescribeorganization
  2  SG-AWS-EC2-DescribeRegions                  sgawsdsec2describeregions
  3  SG-AWS-STS-AssumeRole                       sgawsstsassumerole
  4  SG-AWS-EC2-DescribeInstanceTypes-Action     sgawsec2describeinstancetypesaction
  5  SG-AWS-Organizations-ListAccounts           sgawsorganizationslistaccounts

For all other flow actions, the Credential Alias field must be empty. To route a flow action through the MID Server, set these values on it:

  1. Use MID - Enabled
  2. MID Selection
  3. MID Application
  4. Capabilities

Note: Do not change the Connection (Define Connection Inline) or the Base URL.

If a Credential Alias is set on any other flow action, you may get the following error and the integration will not work as expected:

InvalidSignatureException: "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details."

 

8. The sample test below shows the API call going through SG-AWS-Mid-Application.


 

Diagnostic Tool:

Once you complete the setup, run the Diagnostic Tool in the guided setup to confirm that the setup is working as expected. For more details, refer to the article below.

 

Service Graph Connector for AWS - Diagnostic Tool
https://community.servicenow.com/community?id=community_article&sys_id=668651e71bde4150c465ece6b04bc...

 

Related Links:

Service Graph Connector for AWS - Introduction
https://community.servicenow.com/community?id=community_article&sys_id=13aa801f1b1ec910c465ece6b04bc...

 

Service Graph Connector for AWS - Functional Spec and CI
https://community.servicenow.com/community?id=community_article&sys_id=64e2949f1b9ec910c465ece6b04bc...

Comments
Lavern Towne
Kilo Contributor

Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

The integration uses AWS native technologies and AWS security best practices to enable cloud teams to connect the data within their ServiceNow workflow.

Supported versions
Supported ServiceNow versions:
Starting with Quebec.
Starting with Rome.
Use Cases
The following are examples on how you can use the Service Graph connector for different ServiceNow applications:

Visibility into cloud resources, relationships, and state in real time.
Deep discovery of Applications for ITAM/SAM outcomes.

Governance and Compliance outcome.


Kazuhiro Sakaid
Tera Explorer

What specific security concerns can we solve with a MID server?
Also, if we use a MID server, do we need to allow communication from ServiceNow to the Mid server located on AWS (from Internet to LAN)? Or do you initiate communication from the MID server to ServiceNow like Agent-Less Discovery?

andrewrouch
Tera Expert

Hi Murali,

 

This article is from 2021; does the method support the current SGC-AWS capabilities, i.e. including the SSM and S3 bucket APIs? Also, can the article be updated for SGC-GCP as well?

Murali Reddy1
ServiceNow Employee

Hi @andrewrouch,

 

Yes, it works with the current capabilities for all Cloud SGCs. The MID server acts as a trust mechanism where API calls simply pass through and invoke the respective cloud APIs.

 

However, we have observed performance issues when a proxy is enabled on the MID server, as every call is intercepted, significantly slowing down the process. For low to medium account volumes, this should work fine. But with thousands of accounts and millions of CIs, enabling the proxy can extend processing time to several hours.

 

In fact, most financial customers have reviewed our security model and opted to remove the MID dependency. For example, one customer with thousands of accounts experienced over 6 hours of processing for a single resource type. After removing the MID dependency, the same operation was completed in just <1 hour — with the root cause traced back to the proxy server.

 

I hope this information helps.

Thanks,
Murali

Version history
Last update:
12-13-2021 08:28 AM
Updated by: