How do I see the Service Account a cloud tag is associated with

Report Inappropriate Content · ‎03-25-2022

Cloud tags show up in the cmdb_key_value table with a reference field for the Configuration Item, but I am having a hard time writing a CMDB query or report that will show the Service Account associated with that Tag. We have over 100 AWS accounts and knowing which service account is having tags being used out of compliance is critical for our review process.

How do I relate records in cmdb_key_value table to cloud service accounts?

Report Inappropriate Content · ‎03-31-2022

I was able to resolve this issue through building a Database View that tied the cmdb_key_value (key value) table up to the Cloud Service Account table via the Configuration Item that is in the cmdb_key_value table.

rel1 Where Clause: keyvalue.configuration_item = rel1.parent and rel1.type = "5f985e0ec0a8010e00a9714f2a172815"

rel2 Where Clause: rel1.child = rel2.parent and rel1.type = "5f985e0ec0a8010e00a9714f2a172815"

ci Where Clause: rel2.child = ci.sys_id

And on the entry for cmdb_ci_cloud_service_account I included the fields for Account ID and Name.

this built a view that showed me all the pieces I need across all the tags discovered.

Key, Value, CI, Service Account Name, Service Account ID

View solution in original post

Vivi Brasil · yesterday

Hello, thank you so much, it saved me!

Just an additional comment, the Database View worked exactly as you described, for most of the Cloud Resources (VM Instances, Cloud Storage Account, Network Interfaces, among many others).

Only for Resource Groups, I had to create a different Database View, because the Relationships among the Resource Groups and Data Centers are different. For this second DB View, I did few changes in the where clause:

I used:
rel1 Where Clause: keyvalue.configuration_item = rel1.child and rel1.type = "55c95bf6c0a8010e0118ec7056ebc54d"

Instead of:
rel1 Where Clause: keyvalue.configuration_item = rel1.parent and rel1.type = "5f985e0ec0a8010e00a9714f2a172815"

And I used:
rel2 Where Clause: rel1.parent = rel2.parent and rel1.type = "55c95bf6c0a8010e0118ec7056ebc54d"

Instead of:
rel2 Where Clause: rel1.child = rel2.parent and rel1.type = "5f985e0ec0a8010e00a9714f2a172815"

The Relation Type is also different for Resource Groups, it is: Contains::Contained by, instead of Hosted on::Hosts, it is why I also changed the sys_id of the Relation Type.

When reporting data related to RGs, we are going to use the second Database View. And for other Cloud Resources, we are going to use the same DB View you suggested, it is working well.

We are implementing Tag Governance, and although some Tag Governance tables already have Datacenter and Cloud Service Account fields, it is essential to us, to have a way to validate the Values per CI, based on cmdb_key_value table, as there are CIs with the same Name, in different Datacenters / Cloud Service Accounts (Subscriptions).

Thank you so much!
Vivi Brasil

Shreya Jain1 · ‎09-15-2022

Did you do any customization to get tags for Cloud Service Accounts or is it supported OOB??

Regards,

Shreya

Hail · ‎09-18-2022

Hi

No, it should be part of latest pattern store App.

in cloud discovery definition, when retrieve all sub accounts, it gets also tags for them.

if not working using OOTB, need to open case to support to investigate and assign task to dev.

Hail