Configure access using temporary credentials based on trusted AWS accounts with AWS credentials

  • Release version: Washingtondc
  • Updated February 1, 2024
    Configure the trusting account (the account whose resources need to be accessed) to rely on the trusted account through an Identity and Access Management (IAM) role that the trusted account is allowed to assume.

    Before you begin

    • Familiarize yourself with the Amazon documentation on Creating a role to delegate permissions to an IAM user.
    • Decide which Amazon Web Services (AWS) account is the trusted account. Cloud Discovery obtains temporary credentials for the other accounts by assuming IAM roles from this account, and it is referred to as the accessor account.
    • Set up the trusted and the trusting account as covered in Set up AWS service accounts.
    Role required:
    • For Cloud Discovery: discovery_admin
    • For Cloud Provisioning and Governance: admin or sn_cmp.cloud_admin

    About this task

    During this configuration, you create an IAM role in the trusting account, then record the trusted account as the accessor account of the trusting account's service account in the ServiceNow AI Platform. Finally, you associate the IAM role you created with that service account.

    Figure 1. Setting up any AWS account to rely on a trusted account with AWS credentials

    Set up the IAM role of the trusting AWS account to trust the user of the trusted AWS account for access

    Procedure

    1. Create an IAM role in the trusting account and configure its trust relationship so that the trusted (accessor) account can assume the role.
      1. Log in to the trusting account on the AWS Management Console.
      2. Create and configure the IAM role, entering the trusted (accessor) account ID in the Account ID field.
        For information on creating AWS roles, see the Amazon documentation.
      3. On the Summary page for the IAM role, select the Trust Relationships tab.
      4. Select Edit trust relationship.
        The Edit Trust Relationship page opens showing the policy document.
      5. In the Principal element, set the AWS value to the full ARN of the IAM user in the trusted (accessor) account (of the form arn:aws:iam::<accessor-account-id>:user/<user-name>). Trusting the account root ARN instead would let any identity in the accessor account that is permitted to call sts:AssumeRole assume this role.

        Editing trust relationship for the trusting account.
      6. Verify that the Action value is set to sts:AssumeRole.
      7. Select Update Trust Policy.
    2. Configure the trusted service account for the trusting account in the ServiceNow AI Platform.
      1. Navigate to Cloud Provisioning and Governance > Service Accounts.
      2. Open the trusting account.
      3. On the Cloud Service Account form, enter the name of the trusted account in the Accessor account field.
      4. Select Update.
    3. Assign the IAM role created in the trusting account to the trusting account's service account in the ServiceNow AI Platform.
      Important:
      Perform this step only if you created custom IAM roles. There is no need to assign the default OrganizationAccountAccessRole role to a service account.
      1. Navigate to All > Cloud Provisioning and Governance > Organization Access Parameters > Cloud Service Account AWS Cross Assume Role Parameters.
      2. Select New.
      3. On the Cloud Service Account AWS Cross Assume Role Params form, configure only the following fields:
        Field                  Definition
        Access role name       Name of the IAM role created in the trusting account.
        Cloud service account  Name of the trusting account to which you are granting access using the IAM role.
      4. Select Submit.
        The system adds this record to the Cloud Service Account AWS Cross Assume Role Params [cloud_service_account_aws_cross_assume_role] table.
      Note:
      By default, the MID Server assumes the OrganizationAccountAccessRole role in each member account of the trusting management account, unless a different role is recorded for that member account in the Cloud Service Account AWS Org Assume Role Params [cloud_service_account_aws_org_assume_role_params] table. If you have removed the default role or created a custom IAM role, you must manually add that role to the Cloud Service Account AWS Org Assume Role Params [cloud_service_account_aws_org_assume_role_params] table for each trusting member account. To do so, navigate to All > Cloud Provisioning and Governance > Organization Access Parameters > Cloud Service Account AWS Org Assume Role Parameters and repeat the previous steps.
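    The trust policy that steps 1.2 to 1.7 produce in the console, built and audited in Python as an added example (this is not ServiceNow or AWS code). The account IDs, the user name servicenow-discovery and the role name ServiceNowCloudDiscoveryRole are constructed placeholders, and the ExternalId hint the audit emits is an optional hardening that the procedure above does not cover.

```python
"""Build and audit the trust policy for the IAM role in the trusting account.

Added example, not ServiceNow or AWS code. Account IDs, user name and role
name are constructed placeholders, not real identifiers.
"""
import json

ACCESSOR_ACCOUNT_ID = "111111111111"   # trusted (accessor) account, placeholder
TRUSTING_ACCOUNT_ID = "222222222222"   # trusting account, placeholder
ACCESSOR_USER_ARN = f"arn:aws:iam::{ACCESSOR_ACCOUNT_ID}:user/servicenow-discovery"
TRUSTING_ROLE_NAME = "ServiceNowCloudDiscoveryRole"  # placeholder custom role name


def build_trust_policy(accessor_principal_arn: str) -> dict:
    """Trust policy matching steps 1.5 and 1.6: Principal.AWS is the full user
    ARN in the accessor account and the only permitted action is sts:AssumeRole."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": accessor_principal_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy: dict) -> list[str]:
    """Check a trust policy document against the procedure's requirements.

    Findings are prefixed ERROR (the policy is broader than the procedure asks
    for, or does not match it) or INFO (optional hardening beyond the procedure).
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue

        actions = _as_list(stmt.get("Action"))
        if "NotAction" in stmt or any(a in ("*", "sts:*") for a in actions):
            findings.append(f"ERROR: statement {i} allows more than sts:AssumeRole")
        elif actions != ["sts:AssumeRole"]:
            findings.append(f"ERROR: statement {i} Action is {actions}, expected sts:AssumeRole")

        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append(f"ERROR: statement {i} lets any AWS principal assume the role")
            continue
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if not aws_principals:
            findings.append(f"ERROR: statement {i} has no AWS principal (accessor user ARN missing)")
        for p in aws_principals:
            # A bare account ID or a ":root" ARN trusts every identity in that
            # account that may call sts:AssumeRole, not the one user step 1.5 names.
            if p.isdigit() or p.endswith(":root"):
                findings.append(f"ERROR: statement {i} trusts the whole account ({p}), not a user ARN")
            elif ":user/" not in p and ":role/" not in p:
                findings.append(f"ERROR: statement {i} principal {p} is not a user or role ARN")
        if "Condition" not in stmt:
            findings.append(f"INFO: statement {i} has no Condition; an sts:ExternalId condition "
                            "is a common hardening not covered by this procedure")
    return findings


def assume_role_command(trusting_account_id: str, role_name: str,
                        session_name: str = "servicenow-trust-check") -> str:
    """AWS CLI call the accessor user can run to confirm the trust works before
    relying on the Discover Datacenters check in the ServiceNow AI Platform."""
    role_arn = f"arn:aws:iam::{trusting_account_id}:role/{role_name}"
    return f"aws sts assume-role --role-arn {role_arn} --role-session-name {session_name}"


if __name__ == "__main__":
    policy = build_trust_policy(ACCESSOR_USER_ARN)
    print(json.dumps(policy, indent=2))       # paste into Edit Trust Relationship
    for finding in audit_trust_policy(policy):
        print(finding)
    print(assume_role_command(TRUSTING_ACCOUNT_ID, TRUSTING_ROLE_NAME))
```

    The audit flags a bare account ID or root ARN as the principal because that trusts every identity in the accessor account that can call sts:AssumeRole, whereas step 1.5 asks for the full user ARN. The trust policy only controls who may assume the role; what the assumed role can do in the trusting account is set by the permissions policy attached to it, which this procedure does not cover.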

    What to do next

    Verify that the ServiceNow applications can access the trusting account through the IAM role:
    1. Navigate to Cloud Provisioning and Governance > Service Accounts.
    2. Select the trusting account that you configured.
    3. Under Related Links, select Discover Datacenters.
    4. Navigate to Discovery > Cloud Discovery Dashboard, and then select the AWS tab.
    5. Check that the dashboard shows discovered resources for the trusting account that you configured. If nothing is discovered, re-check the role's trust policy and the Accessor account field before looking elsewhere.