How to set up a role in AWS with the correct permissions to do Horizontal Discovery

CVolz
Tera Contributor

I am trying to understand if/how you can use the MID IAM role configuration to discover the OS and the applications running inside the OS using an AWS IAM role.

1. It looks like you start by setting up the MID Server in the AWS environment. I get this; it is not hard to figure out.

2. It then looks like you set up an IAM role as a configuration parameter on said MID Server, mid.aws.instance_profile_name. Again, very easy to do.

3. It looks like you need to give the IAM role the correct permissions to discover not only the underlying virtual infrastructure, but also the virtual machine itself, not just the virtual machine instance.

  • What are the permissions needed to do this?


PavanBV
Giga Guru

Hi CVolz,

Please refer to the link below. We have implemented use case 2 and were able to successfully discover the AWS resources. It has the detailed steps for the configuration on the AWS and ServiceNow ends.

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0957891

Regards,

BV

Hi Pranav, 

We are also trying to implement use case 2. The AWS team has configured roles/policies following the ServiceNow docs, but we are not able to authenticate the credentials.

We are getting the error below in the MID Server log file:

2022-07-27 08:59:06  (179) Worker-Interactive:HorizontalDiscoveryProbe-b4477c441b41dd987222ebd6ec4bcb3f SEVERE *** ERROR *** resolveCredentialFromIAMInstanceProfile: Was not able to obtain requested information for EC2Role
2022-07-27 08:59:06  (179) Worker-Interactive:HorizontalDiscoveryProbe-b4477c441b41dd987222ebd6ec4bcb3f SEVERE *** ERROR *** resolveCredentialFromIAMInstanceProfile: Error Code : '3', Error Message : 'Method failed: (/latest/meta-data/iam/info) with code: 401 - Invalid username/password combo'


EC2Role in AWS is added to the MID EC2 instance's IAM role, and it has read-only access as well. Any idea if anything else needs to be done at the AWS end?


Regards,

Shreya
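The log above shows a 401 from /latest/meta-data/iam/info. As an added diagnostic (not part of this thread and not ServiceNow code), the script below, run on the MID Server's EC2 host, asks the instance metadata service for the same IAM paths both without and with an IMDSv2 session token and reports which instance profile and role names it exposes; the `fetch` parameter exists so the logic can be exercised against a fake endpoint, and IMDSv2 being enforced on the instance is an assumption the output lets you confirm or rule out.

```python
"""Report what the EC2 instance metadata service (IMDS) returns for the IAM
paths named in the MID Server log. Added diagnostic; assumes it runs on the
EC2 host. `fetch` may be replaced by a fake for offline testing."""
import json
import urllib.error
import urllib.request

IMDS = "http://169.254.169.254"
TOKEN_PATH = "/latest/api/token"
IAM_INFO = "/latest/meta-data/iam/info"            # path from the 401 in the log
CREDS = "/latest/meta-data/iam/security-credentials/"


def http_fetch(method, path, headers, timeout=2.0):
    """Return (status, body) for one IMDS request; never raises on HTTP errors."""
    req = urllib.request.Request(IMDS + path, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")
    except (urllib.error.URLError, OSError) as e:
        return 0, str(e)   # not on EC2, or IMDS unreachable (hop limit, firewall)


def check_instance_profile(fetch=http_fetch):
    """Try IMDSv1, then IMDSv2, for iam/info and list the roles IMDS exposes."""
    report = {}
    # IMDSv1: plain GET. A 401 here while the v2 path works means tokens are required.
    report["v1_status"], _ = fetch("GET", IAM_INFO, {})
    # IMDSv2: PUT for a short-lived session token, then GET with the token header.
    status, token = fetch("PUT", TOKEN_PATH, {"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    report["token_ok"] = status == 200
    hdr = {"X-aws-ec2-metadata-token": token} if report["token_ok"] else {}
    status, body = fetch("GET", IAM_INFO, hdr)
    report["v2_status"] = status
    report["profile_arn"] = None
    if status == 200:
        try:
            report["profile_arn"] = json.loads(body).get("InstanceProfileArn")
        except json.JSONDecodeError:
            pass
    # A 404 on the credentials path means no instance profile is attached at all.
    status, body = fetch("GET", CREDS, hdr)
    report["roles"] = body.split() if status == 200 else []
    return report


if __name__ == "__main__":
    for key, value in check_instance_profile().items():
        print(f"{key}: {value}")
```

A `v1_status` of 401 with `v2_status` 200 shows the instance enforces IMDSv2; `roles` empty with a 404 shows no instance profile is attached to the MID Server instance.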