SG AWS key rotation issue

strahinjast
Tera Contributor

Hello,

We have a problem with the OOB SG AWS key rotation setup:

Exception occurred while rotating keys for SG-AWS-CredentialAlias-Org, Error Message: com.glide.script.fencing.MethodNotAllowedException: Function „setDisplayValue“ is not allowed in scope „sn_aws_integ“

From the AWS side all looks good, but the issue is: the script will replace the keys, and the old one, which now can NOT be overwritten, will stay in ServiceNow, which means SG-AWS will be completely broken.

As this is OOB (scoped application), no changes should be made. I'm wondering if someone else has had the same problem.

Thanks!

1 ACCEPTED SOLUTION

Shreya Shikha
ServiceNow Employee

Hi @strahinjast,

You're encountering a specific error: com.glide.script.fencing.MethodNotAllowedException: Function „setDisplayValue“ is not allowed in scope „sn_aws_integ“ during Service Graph Connector for AWS key rotation. This means the out-of-the-box (OOB) script is attempting an action (setDisplayValue) that is restricted within the sn_aws_integ scoped application, preventing the old keys from being overwritten and breaking the connector.

 

Have you checked for:

  • Version Incompatibility: A conflict between your ServiceNow instance version and the SGC connector's version, or a recent patch? Which version are you currently on?

  • ServiceNow User's SnowAccountAccessPolicy IAM permissions: For SGC AWS, specific IAM permissions are required for a ServiceNow user where it is created. These roles are packaged as part of CreateServiceNowUser.yml with the policy SnowAccountAccessPolicy. If you need the AWS key rotation feature, then you should have 'iam:CreateAccessKey' and 'iam:DeleteAccessKey' permissions assigned in the policy. Can you verify this?
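
One way to run the permission check suggested above against an exported policy document. This is an added example, not part of the original thread and not ServiceNow's code; the function name `missing_rotation_actions` is hypothetical and the sample policy is constructed, not the real contents of SnowAccountAccessPolicy.

```python
import json
from fnmatch import fnmatchcase

# Actions the reply above names as required for key rotation.
REQUIRED = ("iam:CreateAccessKey", "iam:DeleteAccessKey")

def _as_list(value):
    """IAM allows Statement and Action to be one item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(patterns, action):
    # IAM action names are case-insensitive; '*' and '?' are wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def missing_rotation_actions(policy_json, required=REQUIRED):
    """Return the required actions that the policy does not grant.

    Simplification (assumption of this example): Resource and Condition
    elements are not evaluated, and a statement that uses NotAction is
    rejected with ValueError so it gets reviewed by hand.
    """
    policy = json.loads(policy_json)
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if "NotAction" in stmt:
            raise ValueError("NotAction statement: review by hand")
        patterns = _as_list(stmt.get("Action"))
        for action in required:
            if not _matches(patterns, action):
                continue
            if stmt.get("Effect") == "Allow":
                allowed.add(action)
            elif stmt.get("Effect") == "Deny":
                denied.add(action)
    # An explicit Deny always overrides an Allow.
    return [a for a in required if a not in allowed or a in denied]

# Constructed sample policy: grants key creation but not key deletion.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["iam:ListAccessKeys", "iam:createaccesskey"]}],
})

if __name__ == "__main__":
    print("missing:", missing_rotation_actions(SAMPLE_POLICY))
```

An empty result means both actions are allowed by the statements as written; anything listed is either not granted or explicitly denied.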
