<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>question Re: Azure Cloud Discovery :Relationship between Cloud Service account and VM and Key Values in ITOM forum</title>
    <link>https://www.servicenow.com/community/itom-forum/azure-cloud-discovery-relationship-between-cloud-service-account/m-p/3481303#M126285</link>
    <pubDate>Wed, 04 Feb 2026 08:59:03 GMT</pubDate>
    <dc:creator>sivasankaris</dc:creator>
    <dc:date>2026-02-04T08:59:03Z</dc:date>
    <item>
      <title>Azure Cloud Discovery :Relationship between Cloud Service account and VM and Key Values</title>
      <link>https://www.servicenow.com/community/itom-forum/azure-cloud-discovery-relationship-between-cloud-service-account/m-p/3481142#M126281</link>
      <description>&lt;P&gt;Please help me understand:&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;Is there a way to directly establish a relationship between the VM and the related Cloud Service Account?&lt;UL&gt;&lt;LI&gt;I could only see that the account id of the Cloud Service Account is a part of the Object Id of the VM and there is no relationship record in the cmdb_rel_ci table.&lt;/LI&gt;&lt;/UL&gt;&lt;/LI&gt;&lt;LI&gt;Reason for the mismatch in Key Values in ServiceNow, as I have the below 2 findings:&lt;UL&gt;&lt;LI&gt;Azure tags stored in cmdb_key_value are linked to Cloud Service Accounts in ServiceNow and also to the related Virtual Machine Instances; however, the count does not match.&lt;UL&gt;&lt;LI&gt;For example, if a VM A is related to a Cloud Service Account B (which I could only find by querying the account id of the service account in the object id of the VM (*query is object id contains account id*)), I could see that Service Account B has 16 key values; however, the related VM has only 12.&lt;/LI&gt;&lt;/UL&gt;&lt;/LI&gt;&lt;LI&gt;Some key values are linked to only Cloud Service Accounts and not the VMs. Why is this?&lt;/LI&gt;&lt;/UL&gt;&lt;/LI&gt;&lt;/OL&gt;</description>
      <pubDate>Wed, 04 Feb 2026 05:35:48 GMT</pubDate>
      <guid>https://www.servicenow.com/community/itom-forum/azure-cloud-discovery-relationship-between-cloud-service-account/m-p/3481142#M126281</guid>
      <dc:creator>NiviPrust</dc:creator>
      <dc:date>2026-02-04T05:35:48Z</dc:date>
    </item>
    <item>
      <title>Re: Azure Cloud Discovery :Relationship between Cloud Service account and VM and Key Values</title>
      <link>https://www.servicenow.com/community/itom-forum/azure-cloud-discovery-relationship-between-cloud-service-account/m-p/3481303#M126285</link>
      <description>&lt;P&gt;&lt;FONT size="4"&gt;Hi&amp;nbsp;&lt;a href="https://www.servicenow.com/community/user/viewprofilepage/user-id/383745"&gt;@NiviPrust&lt;/a&gt;,&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size="4"&gt;&lt;STRONG&gt;1. Establishing the VM to Service Account Relationship&lt;/STRONG&gt;&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="4"&gt;You are correct that ServiceNow often stores the account_id within the object_id, but relying on a string query isn't ideal for reporting.&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size="4"&gt;In a standard ServiceNow Discovery setup, there is usually no direct relationship record in cmdb_rel_ci between a cmdb_ci_vm_instance and a cmdb_ci_cloud_service_account. Instead, they are linked via a Logical Datacenter (LDC).&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size="4"&gt;The Relationship Chain:&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="4"&gt;VM Instance (Child) Instantiated Off VM Image&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size="4"&gt;VM Instance (Child) Hosted on Logical Datacenter (e.g., Azure East US)&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size="4"&gt;Logical Datacenter (Child) Hosted on Cloud Service Account&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT size="4"&gt;How to find it directly: If you need a direct view, you typically have to "walk the tree" via the LDC. However, if your organization requires a direct relationship for simplified reporting, you may implement a Discovery Post-Processor script or a Business Rule to create a "Used by" or "Defines" relationship directly between the VM and the Service Account in the cmdb_rel_ci table.&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;FONT size="4"&gt;&lt;STRONG&gt;2. Why the Tag (Key Value) Count Mismatches&lt;/STRONG&gt;&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT size="4"&gt;&lt;STRONG&gt;Inheritance Gap:&lt;/STRONG&gt; Azure tags do not automatically "flow down" from a Subscription to a VM. The extra tags on your Service Account are likely Governance tags (like ContractType or BillingID) that exist only at the subscription level for high-level management.&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;FONT size="4"&gt;&lt;STRONG&gt;Targeted Metadata:&lt;/STRONG&gt; In the cmdb_key_value table, ServiceNow treats the Service Account and the VM as separate entities. If a tag (like SubscriptionOwner) is applied to the account but not explicitly copied to the VM in Azure, it will only appear on the account record in ServiceNow.&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;FONT face="arial black,avant garde" color="#FF0000"&gt;&lt;EM&gt;&lt;STRONG&gt;&lt;FONT size="4"&gt;If you find this helpful, please mark it as helpful and please accept my solution...&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/EM&gt;&lt;/FONT&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 04 Feb 2026 08:59:03 GMT</pubDate>
      <guid>https://www.servicenow.com/community/itom-forum/azure-cloud-discovery-relationship-between-cloud-service-account/m-p/3481303#M126285</guid>
      <dc:creator>sivasankaris</dc:creator>
      <dc:date>2026-02-04T08:59:03Z</dc:date>
    </item>
    <item>
      <title>Re: Azure Cloud Discovery :Relationship between Cloud Service account and VM and Key Values</title>
      <link>https://www.servicenow.com/community/itom-forum/azure-cloud-discovery-relationship-between-cloud-service-account/m-p/3487464#M126377</link>
      <description>&lt;P&gt;Thank you for the clarification. Is this same behaviour expected for GCP as well? I mean, the tags at the project are not inherited by the VMs within the project.&lt;/P&gt;</description>
      <pubDate>Thu, 12 Feb 2026 07:02:44 GMT</pubDate>
      <guid>https://www.servicenow.com/community/itom-forum/azure-cloud-discovery-relationship-between-cloud-service-account/m-p/3487464#M126377</guid>
      <dc:creator>NiviPrust</dc:creator>
      <dc:date>2026-02-12T07:02:44Z</dc:date>
    </item>
    <item>
      <title>Re: Azure Cloud Discovery :Relationship between Cloud Service account and VM and Key Values</title>
      <link>https://www.servicenow.com/community/itom-forum/azure-cloud-discovery-relationship-between-cloud-service-account/m-p/3521615#M126837</link>
      <description>&lt;P&gt;Azure Cloud Discovery: TechNova Solutions, located at 123 Cloud Street, San Francisco, CA, USA, uses Azure &lt;STRONG&gt;Cloud&lt;/STRONG&gt; to map relationships between cloud service accounts, virtual machines (VMs), and associated key values. Each Azure service account manages access and permissions for multiple VMs, while key values (such as secrets, API keys, and credentials stored in &lt;STRONG&gt;Azure Key Vault&lt;/STRONG&gt;) are linked to both the accounts and VMs to enable secure access. Tools like Azure Monitor and Azure Security Center help track these relationships, ensuring proper governance, auditing, and secure configuration across the cloud environment. Aress software provides AWS services.&lt;/P&gt;</description>
      <pubDate>Wed, 08 Apr 2026 10:31:23 GMT</pubDate>
      <guid>https://www.servicenow.com/community/itom-forum/azure-cloud-discovery-relationship-between-cloud-service-account/m-p/3521615#M126837</guid>
      <dc:creator>ankitaphad</dc:creator>
      <dc:date>2026-04-08T10:31:23Z</dc:date>
    </item>
  </channel>
</rss>

