Amazon Cognito discovery

  • Release version: Yokohama
  • Updated January 30, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Amazon Cognito discovery

    The Amazon Cognito pattern in ServiceNow Discovery and Service Mapping enables authentication, authorization, and user management discovery functions for AWS customers. It requires the latest Discovery and Service Mapping Patterns application and runs on ServiceNow AI Platform versions London Patch 8, Madrid Patch 2, or later.

    Show full answer Show less

    Prerequisites

    • User permissions: Provide read-only access to the AWS Cognito ListUserPools API for effective data retrieval.
    • AWS Credentials: Configure and activate AWS Credentials on your ServiceNow instance.
    • Cloud service account: Set up a cloud service account linked to your AWS account ID, using the configured AWS Credentials.

    Setup and Configuration

    • Discovery schedule: Create and configure a cloud application schedule for AWS Cognito discovery, setting Discovery to Cloud application.
    • Execution pattern: Define and activate serverless execution patterns for cloud application discovery, selecting the appropriate AWS Cognito pattern(s).
    • Full AWS discovery schedule: Create a discovery schedule from the cloud service account to run all AWS patterns together.
    • REST API permissions: Use the downloadable Cloud Discovery patterns spreadsheet to assign necessary user permissions and stay updated with quarterly pattern releases.

    Data Collected

    The AWS Cognito pattern collects key data about user pools, including:

    • Main CI (cmdbcicloudauthentication): Name, object ID (account ID), and ARN (FQDN).
    • Tags: Tag keys and values linked to Cognito resources.

    It also establishes CI relationships, such as between cloud authentication and logical datacenters.

    Troubleshooting

    • Discovery timeout errors: If discovery fails due to REST timeout, increase the mid.sa.cloud.requesttimeout parameter on the MID Server (default 30000 ms).
    • Pattern Designer debug timeouts: For debug session timeouts, increase the sa.debugger.maxtimeout parameter on the MID Server (default 240 seconds).

    The ServiceNow Discovery and Service Mapping applications use the Amazon AWS Cognito pattern to provide authentication, authorization, and user management functions for AWS customers. Discovering some of these resources may require updating to the latest version of the Discovery and Service Mapping Patterns application from the ServiceNow Store.

    You can use this pattern on the ServiceNow AI Platform using London Patch 8, Madrid Patch 2, or later releases.

    Request apps on the Store

    Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    Prerequisites

    User permissions
    Provide user with read-only permission to run the following API:
    • https://cognito-idp.<region>.amazonaws.com
    • Method: POST
    • Body: {\"MaxResults\": 10}
    • Headers: X-Amz-Target:AWSCognitoIdentityProviderService.ListUserPools,Content-Type:application/x-amz-json-1.0
    AWS Credentials
    On your instance, configure credentials of type AWS Credentials and set to Active.
    Cloud service account
    On your instance, configure the cloud service account of type AWS Datacenter and set to AWS account ID. Use the credentials defined in the preceding AWS Credentials.
    Discovery schedule
    Create a cloud application schedule for discovering AWS Cognito and configure the attributes. Set Discovery to Cloud application.
    Execution pattern
    Create and define the serverless execution pattern for cloud application discovery.
    1. Create new Cloud Execution Patterns.
    2. Define Name.
    3. Verify that Active is true.
    4. Verify that Domain is global.
    5. Choose the AWS pattern you want to run.
    6. Create multiple records if you want to run more than one pattern.
    Discovery schedule for full AWS discovery
    Create a discovery schedule from your Cloud service account created in the earlier procedure.
    1. Click on Discover Datacenter and wait for it to finish.
    2. Click Create Discovery Schedule.
    3. This new schedule is created under the Discovery Schedule and runs all AWS patterns.

    Verify the REST API Permissions

    Download the Cloud Discovery patterns spreadsheet so you can grant user permissions required for running the Discovery patterns. In addition to permissions, the spreadsheet also includes useful information such as pattern names, types, CI Classes, and links to vendor documentation. New patterns are available quarterly, so check periodically to be sure you have the latest version of the spreadsheet.

    Note:
    You can test the AWS REST APIs using Postman API platform. For more information, see the How to test AWS REST API using POSTMAN [KB0782183] article in the Now Support Knowledge Base.

    Data collected by Discovery and Service Mapping during horizontal and top-down discovery

    The AWS Cognito pattern collects data.

    Table 1. Collected information from the AWS Cognito pattern
    Field Description
    Main CI: cmdb_ci_cloud_authentication
    name A descriptive name used to identify the user pool.
    object_id This is equal to the account_id and used by IRE identification rules.
    Fqdn Example of an ARN: arn:aws:cognito-idp:eu-west-1:751200741520:userpool/eu-west-1_fim5E2mix

    Tags are also being collected by an extension section that runs following the pattern. The tagging API for AWS specifies the resource type Cognito.

    Table 2. Collected information from the AWS Cognito tags
    Field Description
    cmdb_key_value
    key The actual tag key.
    value The tag value.
    configuration_item The unique resource ID (ARN) that identifies the resource in the AWS console.

    CI relationships

    The AWS Cognito pattern creates the following CI relationship.
    CI Relationship CI
    Cloud authentication [cmdb_ci_cloud_authentication] Hosts:Hosted on Logical datacenter [cmdb_ci_logical_datacenter]

    Troubleshooting

    If the mapping process does not proceed as you expected, follow the following suggestions.
    Symptom Cause Solution
    Discovery fails. The discovery message contains the information about an error caused by the REST timeout. There are many CIs sending the REST call response in the deployment. The MID Server cannot process the REST call response without exceeding the time limit controlled by the mid.sa.cloud.request_timeout parameter. By default, the mid.sa.cloud.request_timeout parameter is set to 30000 milliseconds.
    Increase the value of this parameter on the relevant MID Server and run discovery again.
    Note:
    If the Configuration Parameters related list for the relevant MID Server does not show this parameter, you may need to add it.
    Pattern Designer fails during a debug session. The Pattern Designer message contains information about an error caused by a timeout. The Pattern Designer fails because of a timeout during pattern debugging (and not during discovery). By default, the sa.debugger.max_timeoutparameter is set to 240 seconds.

    Increase the value of this parameter on the relevant MID Server.