ServiceNow CyberArk External Credential Provider for GCP Discovery - invalid key format

vlahod

Hello,

I am using the CyberArk vault as my external credential storage within ServiceNow. I am able to successfully retrieve domain and local accounts to run on infrastructure; however, I cannot leverage a GCP service account to perform GCP discovery. The service account functions when I import the JSON into credentials and bypass CyberArk; however, when I leverage CyberArk I receive an invalid key format error. I have followed the steps to create a custom JAR for GCP:
https://www.servicenow.com/community/itom-blog/servicenow-gcp-credential-resolver-using-cyberark/ba-...
I can confirm the JAR file produces a usable JSON payload and have validated that it works using the gcloud CLI. I've created a HashMap with the email and secret_key values provided. When I test the service account for GCP discovery it always produces an invalid key format. The secret is properly retrieved from CyberArk. The custom JAR and CyberArk seem to be functioning as expected. Is there any additional logging I can enable to see what ServiceNow is sending to GCP to test the credentials?


Hello AJ,

My apologies for the late response. I've been working with support and the error they were able to see is:

"I have added a few debug statements and observed the below in the MID Server logs when validating the credential:

======================================================
Caused by: java.lang.NullPointerException: Cannot invoke "javapasswordsdk.PSDKPassword.getContent()" because "pass" is null
at com.snc.discovery.CredentialResolver.resolve(CredentialResolver.java:55)
"
When I run the CredentialResolver JAR file manually I do receive a JSON payload in return. I think my challenge is related to building the JAR file. The sample community article imports the passwordsdk JAR, but I was receiving errors until I compiled a JAR containing both the new code and the imported SDK. Is there any documentation on how ServiceNow expects the JAR to be built (especially when importing another JAR)?

Thank you!