Access setup for AWS service accounts
Summary of Access setup for AWS service accounts
ServiceNow’s Cloud Discovery and Cloud Provisioning and Governance require access to AWS service accounts via MID Servers. Initial setup involves authorizing inbound traffic to Amazon EC2 instances from the MID Server. Access to AWS resources can be configured using either permanent or temporary AWS credentials.
Key Features
- Permanent Credentials: Actual AWS credentials stored in ServiceNow AI Platform’s Connections and Credentials module. Easier to manage but require handling multiple credentials per account.
- Temporary Credentials: Generated by AWS Security Token Service (STS) by assuming IAM roles such as the default OrganizationAccountAccessRole or custom roles. They enhance security and simplify management in large AWS organizations by reducing the number of permanent credentials needed.
- Credential Caching: Temporary credentials are cached for 60 minutes by default to optimize discovery runs, with options to modify or disable caching via MID Server properties.
- IAM Roles and Permissions: Custom IAM roles can improve security by restricting access and tailoring permissions for MID Server access to AWS member accounts.
- Access Configuration Methods:
- Single AWS account with permanent credentials configured in ServiceNow AI Platform.
- Accounts (discrete, management, or member) trusting an accessor account with AWS credentials by configuring IAM roles to allow cross-account access.
- Accounts trusting an accessor account without AWS credentials by establishing trust relationships between IAM roles in trusting and trusted accounts.
- Using a trust chain where member accounts trust their management account IAM role, which in turn trusts the accessor account.
How Cloud Discovery Determines Credentials to Use
- Checks for permanent credentials in the Cloud Service Account [cmdb_ci_cloud_service_account] table first.
- If none found, checks for special AssumeRole parameters in the AWS Org Assume Role Params table for the member account or its management account.
- If no specific parameters exist, defaults to using the OrganizationAccountAccessRole temporary credentials.
- When accounts trust an accessor account, Discovery similarly checks for permanent credentials or cross-account AssumeRole parameters in the Cloud Service Account AWS Cross Assume Role Params table to determine credential usage.
Practical Implications for ServiceNow Customers
Customers can choose between simple permanent credentials for smaller or isolated AWS accounts or leverage temporary credentials and IAM role trust relationships for scalable, secure access across large AWS organizations. Customizing IAM roles enhances security by limiting permissions and access scope. The credential caching mechanism improves performance during discovery runs.
Understanding these setup methods allows customers to configure AWS integrations in ServiceNow effectively, ensuring proper access control, security, and efficient cloud resource discovery.
Cloud Discovery and Cloud Provisioning and Governance need access to resources in the Amazon Web Services (AWS) service accounts. Learn about different methods of configuring such access.
Cloud Discovery and Cloud Provisioning and Governance access resources in AWS service accounts through MID Servers. You must authorize inbound traffic to Amazon EC2 instances from the MID Server to set up the initial communication. For more information, see Configure security group inbound rules using the AWS Management Console.
Types of AWS credentials
- Permanent
- The permanent credentials are the actual AWS credentials for the service account that you add to the Connections and Credentials module of ServiceNow AI Platform. While it might be time-consuming to manage credentials on ServiceNow AI Platform, you avoid the complex configuration involved in using temporary credentials.
- Temporary
- The temporary credentials are generated by the AWS Security Token Service (AWS STS) for IAM roles. After you configure IAM roles for AWS accounts, the MID Server accesses AWS resources with these temporary credentials. You can use the default IAM role, OrganizationAccountAccessRole, or create custom IAM roles.
Assuming IAM roles in a large AWS organization is more convenient and offers better security than using large numbers of permanent credentials for all AWS accounts. Temporary credentials are only acquired on behalf of a service account when there’s no permanent credential specified for that service account in the Service Accounts [cmdb_ci_cloud_service_account] table.
The MID Server uses the AssumeRole action in the AWS Security Token Service API to assume a member account role. Parameters passed to this API determine which additional security restrictions are applied to the role when it accesses the AWS resources.
By default, the MID Server is configured to assume the OrganizationAccountAccessRole, which grants temporary credentials to all the members of a primary account. This action occurs automatically if no permanent credentials exist for the member accounts. This configuration doesn't apply any additional security or restrict access to any resources in member accounts.
By default, the ServiceNow instance caches temporary credentials for member accounts for 60 minutes. This interval enables the horizontal discovery process to run multiple times without generating new credentials during each discovery. You can avoid credential caching or modify the caching period using MID Server properties.
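The following is an added illustration of the AssumeRole-plus-caching behaviour described above; it is not ServiceNow MID Server code or the AWS SDK. The STS call is a stub so the example runs offline, the 60-minute window matches the default the text gives, a TTL of 0 stands in for disabling caching, and the account ID is a constructed placeholder. The MID Server property names that control the real cache are not shown on this page and are not assumed here.

```python
"""Temporary-credential caching around sts:AssumeRole (constructed example).

Models the behaviour the page describes: credentials obtained for a
member-account role are reused for 60 minutes across discovery runs, and a
TTL of 0 disables caching. Not ServiceNow code; STS is stubbed.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

DEFAULT_CACHE_SECONDS = 60 * 60  # the 60-minute default the page describes
DEFAULT_ROLE = "OrganizationAccountAccessRole"


@dataclass
class TempCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expires_at: float  # epoch seconds; the real STS response carries this


class StubSts:
    """Stand-in for the STS AssumeRole API. Counts calls and returns a
    distinct object each time so cache hits and misses are observable."""

    def __init__(self) -> None:
        self.calls = 0

    def assume_role(self, role_arn: str, now: float, duration: int = 3600) -> TempCredentials:
        self.calls += 1
        return TempCredentials(
            access_key_id=f"ASIACONSTRUCTED{self.calls:04d}",   # constructed, not a real key
            secret_access_key="constructed-secret-not-real",
            session_token=f"constructed-token-for-{role_arn}",
            expires_at=now + duration,
        )


class CredentialCache:
    """Caches AssumeRole results per role ARN for ttl_seconds (0 = no caching)."""

    def __init__(self, sts: StubSts, ttl_seconds: int = DEFAULT_CACHE_SECONDS,
                 clock: Optional[Callable[[], float]] = None) -> None:
        self._sts = sts
        self._ttl = ttl_seconds
        self._clock = clock or time.time
        self._entries: Dict[str, Tuple[float, TempCredentials]] = {}

    def get(self, role_arn: str) -> TempCredentials:
        now = self._clock()
        entry = self._entries.get(role_arn)
        if entry is not None and self._ttl > 0:
            cached_at, creds = entry
            # Reuse only while inside the cache window and before STS expiry.
            if now - cached_at < self._ttl and now < creds.expires_at:
                return creds
        creds = self._sts.assume_role(role_arn, now)
        if self._ttl > 0:
            self._entries[role_arn] = (now, creds)
        return creds


def member_role_arn(account_id: str, role_name: str = DEFAULT_ROLE) -> str:
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def simulate(ttl_seconds: int = DEFAULT_CACHE_SECONDS) -> Tuple[int, bool, bool]:
    """Three discovery runs at t, t+30 min and t+61 min against one member account.
    Returns (STS calls made, run 2 reused run 1 creds, run 3 reused run 1 creds)."""
    clock = {"now": 1_700_000_000.0}
    sts = StubSts()
    cache = CredentialCache(sts, ttl_seconds, clock=lambda: clock["now"])
    arn = member_role_arn("111111111111")  # constructed placeholder account
    first = cache.get(arn)
    clock["now"] += 30 * 60
    second = cache.get(arn)
    clock["now"] += 31 * 60
    third = cache.get(arn)
    return sts.calls, second is first, third is first


if __name__ == "__main__":
    print(simulate())   # (2, True, False): one refresh once the window has passed
    print(simulate(0))  # (3, False, False): caching disabled, AssumeRole every run
```

The second run lands inside the window and reuses the credentials; the third is past it and triggers a fresh AssumeRole. Keying the cache on the full role ARN (rather than the account alone) matters once custom roles are in play, because two roles in the same member account carry different permissions and must never share a cached session.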
IAM roles and permissions
To enhance security provided by the default AWS OrganizationAccountAccessRole role, you can customize the AWS roles that MID Servers can assume to receive temporary credentials for member accounts. You can configure additional permissions to improve security and customize the way that the member account’s role is assumed when discovering cloud resources.
Methods of granting access
- Trusting accounts
- The trusting accounts don't have permanent AWS credentials. You configure the trust relationship for IAM roles in these accounts to rely on other accounts for access.
- Trusted accounts
- The trusted accounts are used by the trusting accounts for access. The ServiceNow UI refers to the trusted accounts as accessor accounts.
- Configuring access for a single account
- Configure AWS credentials on the ServiceNow AI Platform to avoid the complexity of creating and setting up IAM roles. For more information, see Configure access to the AWS accounts using permanent AWS credentials.
- Create an AWS service account on the ServiceNow AI Platform. For more information, see Create AWS service accounts.
- Configuring access for an account that trusts an accessor account with AWS credentials
Figure 1. Setting up any AWS account to rely on a trusted account with AWS credentials
- Configuring access for an account that trusts an accessor account without AWS credentials
Figure 2. Setting up any AWS account to rely on a trusted account without AWS credentials
- Configuring access for AWS member accounts by using a trust chain from the accessor through the management account
Figure 3. Configuring member accounts to use their management account for access
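As an added illustration of the trust chain in Figure 3 (accessor account trusts nothing; the management account role trusts the accessor; each member account role trusts the management account role), the following Python builds the trust policy document each account needs and then walks the chain to confirm every hop is actually trusted. This is not ServiceNow's setup code. The account IDs are constructed placeholders, and the role names ServiceNowAccessorRole, ServiceNowManagementRole and ServiceNowDiscoveryRole are assumptions for the example; the page's default role for members is OrganizationAccountAccessRole.

```python
"""Trust-chain policies and a chain check for accessor -> management -> member.

Constructed example, not ServiceNow code. Account IDs and role names are
placeholders chosen for the illustration.
"""
import json
from typing import Dict, List, Optional, Set


def role_arn(account_id: str, role_name: str) -> str:
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def trust_policy(trusted_principal_arn: str) -> dict:
    """AssumeRolePolicyDocument letting exactly one principal assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": trusted_principal_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def build_trust_chain(accessor_arn: str, management_account: str, member_accounts: List[str],
                      management_role: str, member_role: str) -> Dict[str, dict]:
    """Per-account role ARN and trust policy for the Figure 3 pattern."""
    docs: Dict[str, dict] = {}
    mgmt_arn = role_arn(management_account, management_role)
    # The management account's role trusts the accessor principal.
    docs[management_account] = {"role_arn": mgmt_arn, "trust_policy": trust_policy(accessor_arn)}
    # Each member account's role trusts the management account's role, not the accessor.
    for acct in member_accounts:
        docs[acct] = {"role_arn": role_arn(acct, member_role), "trust_policy": trust_policy(mgmt_arn)}
    return docs


def assume_role_principals(policy: dict) -> Set[str]:
    """AWS principals that an Allow statement permits to call sts:AssumeRole."""
    found: Set[str] = set()
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        aws = stmt.get("Principal", {}).get("AWS", [])
        found.update([aws] if isinstance(aws, str) else aws)
    return found


def resolve_chain(docs: Dict[str, dict], accessor_arn: str, target_account: str) -> Optional[List[str]]:
    """Hop list from the accessor to the target account's role, or None if a hop is untrusted."""
    by_arn = {d["role_arn"]: d for d in docs.values()}
    current = docs[target_account]
    path = [current["role_arn"]]
    for _ in range(len(docs)):  # bounds the walk; real chains are two or three hops
        trusted = assume_role_principals(current["trust_policy"])
        if accessor_arn in trusted:
            return [accessor_arn] + list(reversed(path))
        next_hops = [p for p in trusted if p in by_arn and p not in path]
        if not next_hops:
            return None
        current = by_arn[next_hops[0]]
        path.append(current["role_arn"])
    return None


def broad_trust_warnings(docs: Dict[str, dict]) -> List[str]:
    """Flag trust principals wider than a single role: an account root or '*'.
    Trusting a root principal delegates the decision to that account's own IAM policies."""
    warnings = []
    for acct, d in docs.items():
        for p in assume_role_principals(d["trust_policy"]):
            if p == "*" or p.endswith(":root"):
                warnings.append(f"{acct}: {d['role_arn']} trusts {p}")
    return warnings


# Constructed placeholders for the illustration.
ACCESSOR = role_arn("111111111111", "ServiceNowAccessorRole")
MANAGEMENT = "222222222222"
MEMBERS = ["333333333333", "444444444444"]


def demo() -> Dict[str, dict]:
    return build_trust_chain(ACCESSOR, MANAGEMENT, MEMBERS,
                             "ServiceNowManagementRole", "ServiceNowDiscoveryRole")


if __name__ == "__main__":
    chain = demo()
    print(json.dumps(chain[MEMBERS[0]]["trust_policy"], indent=2))
    print(resolve_chain(chain, ACCESSOR, MEMBERS[0]))
    print(broad_trust_warnings(chain) or "no broad trust principals")
```

`resolve_chain` returning `None` for an account is the symptom to look for when a member account is silently skipped by discovery: some role in the chain trusts a principal that is not the previous hop. `broad_trust_warnings` is the least-privilege check a reviewer would run on the policies before applying them.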
How Cloud Discovery determines which credentials to use
- Member account trusts management account
Cloud Discovery uses the following logic to determine which credentials to use to discover AWS cloud resources in member accounts:
- If permanent credentials are defined for the member account in the Cloud Service Account [cmdb_ci_cloud_service_account] table, Discovery uses those credentials. The Cloud Service Accounts [cmdb_ci_cloud_service_account] table contains the information on the service account types, like management or member, and their credentials.
- If no permanent credentials are defined for the member account, Discovery checks the Cloud Service Account AWS Org Assume Role Params [cloud_service_account_aws_org_assume_role_params] table for any special parameters associated with the member account. If parameters exist in that table, Discovery uses the temporary credentials acquired from specifying a role and its parameters in the AWS Security Token Service API AssumeRole action.
- If no special parameters are associated with the member account in the [cloud_service_account_aws_org_assume_role_params] table, Discovery checks that table for parameters associated with the management account. If parameters exist that define a role for the management account, Discovery uses the temporary credentials provided by that role.
- If no special parameters are present in the [cloud_service_account_aws_org_assume_role_params] table for either management or member accounts, Discovery uses the defaults defined for the OrganizationAccountAccessRole role.
- Member or management account trusts accessor account
- If permanent credentials are defined for the member or management account in the Cloud Service Account [cmdb_ci_cloud_service_account] table, Discovery uses those credentials. The Cloud Service Accounts [cmdb_ci_cloud_service_account] table contains the information on the service account types, like management or member, and their credentials.
- If no permanent credentials are defined for the account, Discovery checks the Cloud Service Account AWS Cross Assume Role Params [cloud_service_account_aws_cross_assume_role_params] table for any special parameters associated with the account. If parameters exist in that table, Discovery uses the temporary credentials acquired from specifying a role and its parameters in the AWS Security Token Service API AssumeRole action.
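The selection order given in both lists above (member account trusting its management account, and member or management account trusting an accessor account) is implemented below as an added illustration. It is not ServiceNow code: the three tables are modelled as in-memory rows with assumed column names, the account IDs and role names are constructed placeholders, and the page defines no step after a cross-account lookup with no parameters, so that case is reported as unresolved rather than guessed.

```python
"""Credential selection order Cloud Discovery applies to an AWS account.

Constructed example, not ServiceNow code. Column names and sample rows are
assumptions chosen to exercise every branch the page describes.
"""
from typing import Dict, List, Optional

DEFAULT_ROLE = "OrganizationAccountAccessRole"

# cmdb_ci_cloud_service_account rows (constructed). 'parent' is the management
# account of a member account; 'accessor' is set when the account trusts an
# accessor account; 'credential' is a reference to a permanent credential.
SERVICE_ACCOUNTS: List[Dict] = [
    {"account_id": "200000000001", "type": "management", "parent": None, "accessor": None, "credential": None},
    {"account_id": "200000000002", "type": "member", "parent": "200000000001", "accessor": None, "credential": "cred-member-2"},
    {"account_id": "200000000003", "type": "member", "parent": "200000000001", "accessor": None, "credential": None},
    {"account_id": "200000000004", "type": "member", "parent": "200000000001", "accessor": None, "credential": None},
    {"account_id": "200000000007", "type": "management", "parent": None, "accessor": None, "credential": None},
    {"account_id": "200000000008", "type": "member", "parent": "200000000007", "accessor": None, "credential": None},
    {"account_id": "200000000005", "type": "discrete", "parent": None, "accessor": "100000000000", "credential": None},
    {"account_id": "200000000006", "type": "discrete", "parent": None, "accessor": "100000000000", "credential": None},
]

# cloud_service_account_aws_org_assume_role_params, keyed by account (constructed).
ORG_ASSUME_ROLE_PARAMS: Dict[str, Dict] = {
    "200000000001": {"role_name": "OrgDiscoveryRole", "duration_seconds": 900},   # management-level default
    "200000000003": {"role_name": "DiscoveryReadOnly", "duration_seconds": 900},  # member-specific override
}

# cloud_service_account_aws_cross_assume_role_params, keyed by account (constructed).
CROSS_ASSUME_ROLE_PARAMS: Dict[str, Dict] = {
    "200000000005": {"role_name": "AccessorTrustedRole", "duration_seconds": 900},
}


def _account(rows: List[Dict], account_id: str) -> Optional[Dict]:
    return next((r for r in rows if r["account_id"] == account_id), None)


def resolve_credentials(account_id: str,
                        rows: List[Dict] = SERVICE_ACCOUNTS,
                        org_params: Dict[str, Dict] = ORG_ASSUME_ROLE_PARAMS,
                        cross_params: Dict[str, Dict] = CROSS_ASSUME_ROLE_PARAMS) -> Dict:
    acct = _account(rows, account_id)
    if acct is None:
        raise KeyError(f"no cloud service account record for {account_id}")

    # 1. A permanent credential on the account row wins in every case.
    if acct["credential"]:
        return {"source": "permanent", "credential": acct["credential"]}

    # Cross-account trust: only the account's own cross AssumeRole params are consulted.
    if acct["accessor"]:
        params = cross_params.get(account_id)
        if params:
            return {"source": "cross_assume_role", "params": params, "from_account": account_id}
        # The page defines no further fallback for this case.
        return {"source": "unresolved", "reason": "trusts accessor but has no cross AssumeRole params"}

    # Organization trust (stated on the page for member accounts):
    # 2. the member's own params, 3. the management account's params, 4. the default role.
    params = org_params.get(account_id)
    if params:
        return {"source": "org_assume_role", "params": params, "from_account": account_id}
    if acct["parent"]:
        params = org_params.get(acct["parent"])
        if params:
            return {"source": "org_assume_role", "params": params, "from_account": acct["parent"]}
    return {"source": "default_org_role", "params": {"role_name": DEFAULT_ROLE}, "from_account": account_id}


def resolve_all(rows: List[Dict] = SERVICE_ACCOUNTS) -> Dict[str, str]:
    """Account id -> credential source, handy for auditing which accounts fall
    through to the unrestricted OrganizationAccountAccessRole default."""
    return {r["account_id"]: resolve_credentials(r["account_id"], rows)["source"] for r in rows}


if __name__ == "__main__":
    for account, source in resolve_all().items():
        print(account, source)
```

`resolve_all` is the audit view a practitioner wants: every account that resolves to `default_org_role` is being discovered with the default OrganizationAccountAccessRole, which the text notes applies no additional restriction, so those are the accounts to move onto a custom role via the org AssumeRole params table.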