Set up Cloud Action Library for AWS

  • Release version: Australia
  • Updated March 12, 2026
  Set up access to the Amazon Web Services (AWS) cloud accounts in Cloud Action Library to enable interaction between the application and the cloud.

    Before you begin

    Role required: admin

    About this task

    For the purposes of configuring access for AWS accounts, the following terms are used:
    Trusting accounts
    The trusting accounts don't have permanent AWS credentials. You configure the trust relationship for IAM roles in these accounts to rely on other accounts for access.
    Trusted accounts
    The trusted accounts are used by the trusting accounts for access. The ServiceNow UI refers to the trusted accounts as accessor accounts.
    Use any one of the following methods to configure access to the AWS accounts:
    • Configure the permanent credentials in the ServiceNow AI Platform to connect with the standalone AWS accounts (discrete accounts). The Cloud Service Account [cmdb_ci_cloud_service_account] table contains information on the service account type, such as management or member account and access credentials.
    • Configure the member accounts to rely on the management account for access. In this case, configure the permanent credentials of the management account in the ServiceNow AI Platform.
    • Configure the accounts to rely on a trusted account for access (lateral access within the same AWS organization or across different AWS organizations). In this case, configure the permanent credentials of the trusted account in the ServiceNow AI Platform.
    Note:
    Cloud Action Library doesn't use a MID Server-based assume role setup to access the trusting accounts.

    Procedure

    1. Create credentials for the AWS service accounts.
      1. Navigate to Connection & Credentials > Credentials.
      2. Select New, and then select AWS Credentials.
      3. On the form, fill in the fields.
        Table 1. AWS Credentials form
        Field | Description
        Name | Unique and descriptive name for the AWS credentials.
        Active | Option to use the credential.
        Access Key ID | The access key ID that you generated on the AWS management console.
        Secret Access Key | The secret access key that you generated on the AWS management console.
      4. Select Save.
    2. Select the sn_itom_cal.Aws_Creds_Alias credential alias or create a credential alias.
      1. Unlock the credential alias.
      2. Search for a credential alias.
      3. Select New.
      4. On the form, fill in the fields.
        Table 2. Connection & Credential Alias form
        Field | Description
        Name | Unique name of the alias.
        Type | Credential alias type. Select Credential from the Type drop-down list.

      5. Select Submit.
    3. Set the Authentication Algorithm field to AWS Authenticator.
    4. Select Submit.
    5. Set up an AWS service account.
      1. Navigate to Cloud Provisioning and Governance > Service accounts.
      2. Select New.
      3. On the form, fill in the fields.
        Table 3. Cloud Service Account form
        Field | Description
        Name | Unique name of the service account.
        Account ID | 12-digit user account number. Expand the list under the account name on the AWS Management Console to view the number.
          Important: In the Account ID field, remove the hyphen characters (-) from the number.
        Discovery credentials | The credentials needed for ServiceNow applications to access the cloud account. You can configure the discovery credentials at a later stage, while configuring access to the AWS accounts.
          • If you are setting up an independent service account or a management account, select its AWS credential.
          • To use other AWS accounts to access this account, leave the field empty.
            For example, you don't have to specify the AWS credentials for accounts assuming Identity and Access Management (IAM) roles or member accounts using their management account for access.
        Datacenter URL | URL of the datacenter. Leave this field empty.
          Note: For GovCloud, use the URL https://ec2.us-gov-west-1.amazonaws.com.
        Datacenter type | Type of the datacenter where the account is hosted. Select AWS Datacenter.
        Datacenter discovery status | Auto-generated value: Status and timestamp of the last execution of Discovery on the datacenter.
        Parent account | Name of the management account that represents the AWS organization to which this member account belongs.
          This field appears when you select AWS Datacenter. If the account doesn't belong to any AWS organization, leave this field empty.
        Is master account | Management account flag.
          This check box appears when you select AWS Datacenter from the Datacenter Type drop-down. Select the check box to associate the AWS service account with the management account. Select this check box only for accounts that you have previously configured as management accounts with some member accounts belonging to them. For more information on AWS Organization, see AWS documentation.
        Accessor account | Name of the trusted account.
          Configure this field only for accounts that don't use permanent AWS credentials and rely on IAM roles for access.

      4. Select Submit.
    6. Optional: To use a management account to scan the member accounts of the AWS organization, create an assume role configuration for the management account.
      1. Optional: If you don't want to use the OrganizationAccountAccessRole to access the member account, configure the trusting account for Cloud Action Library.
      2. Optional: Repeat step 6.a for each member account that needs to be scanned through the management account without using the OrganizationAccountAccessRole.
      3. Optional: If you want to use the OrganizationAccountAccessRole to access the member account, create an assume role configuration for the management account.
        For more information, see Create an assume role configuration.
    7. Optional: To use a trusted account to scan the trusting account, configure the trusting account for Cloud Action Library.
      The trusted account and trusting account can be in different AWS organizations or they can be in the same AWS organization.
      1. Configure trusting account for Cloud Configuration Governance.
      2. Repeat step 7.a for each trusting account that needs to be scanned through the trusted account.
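
As an added example (not ServiceNow code), the following Python script checks a planned set of Cloud Service Account records against the rules stated in Table 3 before they are entered on the form. The `ServiceAccount` record, the `lint` function and every account name, account ID and credential name are hypothetical; it assumes that an account without permanent credentials must point directly at an account that holds them.

```python
import re
from dataclasses import dataclass

@dataclass
class ServiceAccount:
    """Hypothetical planning record; fields mirror the Cloud Service Account form."""
    name: str
    account_id: str
    discovery_credentials: str = ""  # name of an AWS Credentials record, if any
    parent_account: str = ""         # management account name, if a member
    is_master: bool = False          # "Is master account" check box
    accessor_account: str = ""       # trusted account name, if a trusting account

def lint(accounts):
    """Return (account name, finding) pairs for records that break the form's rules."""
    by_name = {a.name: a for a in accounts}
    parents = {a.parent_account for a in accounts if a.parent_account}
    findings = []
    for a in accounts:
        if "-" in a.account_id:
            findings.append((a.name, "remove hyphens from Account ID"))
        if not re.fullmatch(r"[0-9]{12}", a.account_id.replace("-", "")):
            findings.append((a.name, "Account ID is not 12 digits"))
        if a.accessor_account and a.discovery_credentials:
            findings.append((a.name, "accessor account set despite permanent credentials"))
        if a.is_master and not a.discovery_credentials:
            findings.append((a.name, "management account has no AWS credential"))
        if a.is_master and a.name not in parents:
            findings.append((a.name, "management flag set but no member names it as parent"))
        if not a.discovery_credentials:
            via = a.accessor_account or a.parent_account
            if not via:
                findings.append((a.name, "no credentials, parent or accessor account"))
            elif via not in by_name or not by_name[via].discovery_credentials:
                findings.append((a.name, f"relies on '{via}', which is unknown or has no credentials"))
    return findings

# Constructed sample plan: all names, account IDs and credential names are made up.
PLAN = [
    ServiceAccount("mgmt", "111122223333", "aws-mgmt-cred", is_master=True),
    ServiceAccount("member-a", "4444-5555-6666", parent_account="mgmt"),
    ServiceAccount("shared-sec", "777788889999", "aws-sec-cred"),
    ServiceAccount("workload", "000011112222", "aws-wl-cred", accessor_account="shared-sec"),
    ServiceAccount("orphan", "123456789012", accessor_account="missing"),
]

if __name__ == "__main__":
    print("\n".join(f"{name}: {msg}" for name, msg in lint(PLAN)))
```

Run against the sample plan, it reports the hyphenated Account ID on `member-a`, the accessor account configured alongside permanent credentials on `workload`, and the unresolved accessor on `orphan`.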