Configure credential-less access using trusted AWS accounts

  • Release version: Zurich
  • Updated September 3, 2025
  • 4 minutes to read

    • Set up a trusted credential-less account that other AWS accounts can rely on for access.

    Before you begin

    • Familiarize yourself with the Amazon documentation on Creating a role to delegate permissions to an IAM user.
    • Decide which AWS account is going to be the trusted account. You use the trusted account to configure temporary credentials for Cloud Discovery using IAM roles. The trusted account that you use to access other accounts using IAM roles is referred to as an accessor account.
    • If you're setting up a trust chain, confirm that the member account trusts the management account. The management account must also trust the accessor account. For more information, see Configure access for trusting AWS member accounts in trust chain.
    • Confirm that Discovery Admin Workspace is using at least version 1.10.0. The Discovery > Cloud Service Accounts navigation module isn't available with earlier versions. To access Cloud Service Accounts with an earlier version, enter in the navigation filter: cmdb_ci_cloud_service_account.list.
    Role required:
    • For Cloud Discovery: discovery_admin
    • For Cloud Provisioning and Governance: admin or sn_cmp.cloud_admin

    About this task

    To use an account without AWS credentials, you must first configure that account with an IAM role and permissions to access the trusting service account. Then, you set up the IAM role of the trusting account to grant access to the IAM role of the trusted account.

    Figure 1. Setting up any AWS account to rely on a trusted account without AWS credentials

    Set up the IAM role of the trusting AWS account to trust the IAM role of the trusted AWS account for access

    Procedure

    1. Configure an IAM role for the trusting account.
      1. Log into the trusting account on the AWS Management Console.
      2. Create an IAM role for this account.
        Use the account ID of the trusted account while creating this IAM role. For operational information about working with AWS roles, refer to the Amazon documentation.
      3. Create a ReadOnlyAccess policy and attach it to the newly created IAM role.
    2. Configure the IAM role for the trusted account.
      1. Log into the AWS Management Console using the credentials of the account that you want to set up as a trusted account.
      2. Create an IAM role by choosing the AWS service option.

        Select the AWS service option for creating an IAM role of the trusted accout
      3. Create a read-only access policy for the trusted account IAM role.
        For more information, see Control AWS access and permissions using policies.
      4. Create an additional policy to grant this IAM role access to resources in trusting accounts:
        • Set the Action parameter to sts:AssumeRole
        • Set the Resource parameter to the ARN of the trusting account role that you created in 1.b.

        Configure the policy between the role in the trusted account and the role in the trusting account.

      5. Attach the newly created role to the relevant Amazon EC2 instance.
        By default, when you attach an IAM role to an EC2 instance, it creates a trust relationship between this role and the EC2 instance.
        Verifying the trust relationship between the IAM role and the EC2 instance.
    3. Configure the trusting service account to grant access to the IAM role belonging to the trusted account.
      1. Log into the trusting account on the AWS Management Console.
      2. Navigate to the IAM role you created for this account as described in 1.b.
      3. Edit the Trust Relationship for this IAM role as follows:
        • Set the Action parameter to sts:AssumeRole.
        • Set the AWS parameter to the ARN of the trusted account role that you created in 2.b.
        Configure the trust relationship for the trusting account
    4. Configure the MID Server for AWS IAM roles.
      For more information, see Configure the MID Server for AWS IAM roles.
    5. On the ServiceNow AI Platform, configure the trusted service account.
      1. Navigate to All > Discovery > Cloud Service Accounts.
      2. Selelct New.
      3. On the form, fill in the fields.
      4. Select Submit.
    6. On the ServiceNow AI Platform, configure the trusting service account.
      1. Navigate to All > Discovery > Cloud Service Accounts.
      2. Select New.
      3. In the Accessor account field, enter the name of the trusted account.
      4. On the form, fill in the remaining fields.
      5. Select Submit.
    7. On the ServiceNow AI Platform, assign the AWS IAM role to the trusting account, using the relevant form, based on the relationship to the trusted account.
      Trusted account typeSteps
      Management account
      1. Navigate to All > Cloud Provisioning and Governance > Organization Access Parameters > AWS Org Assume Role Parameters.
      2. Select New.
      3. On the form, configure only the following fields for the trusting member account:
        Table 1. Cloud Service Account AWS Org Assume Role Params form
        Field Definition
        Access role name Name of the IAM role created for the trusting account.
        • If IAM roles are the same across all member accounts: Enter the full ARN using an asterisk (*) as a wildcard for the account ID in the format: arn:aws:iam::*:role/MemberRoleName.

          For example: arn:aws:iam::*:role/SN_MEMBER_ACCOUNT_ROLE.

        • If IAM roles are different across member accounts: Enter the full ARN of the specific IAM role for each member account in a separate entry.
        Cloud service account Name of the trusting account for which you are providing access using the IAM role.
        • If IAM roles are the same across all member accounts: Enter the management account name.
        • If IAM roles are different across member accounts: Enter each member account in a separate entry.
      4. Select Submit.
      Member or discrete account
      1. Navigate to All > Cloud Provisioning and Governance > Organization Access Parameters > AWS Cross Assume Role Parameters.
      2. Select New.
      3. On the form, configure only the following fields for the trusting account:
        Table 2. Cloud Service Account AWS Cross Assume Role Params form
        Field Description
        Access role name Name of the IAM role created for the trusting account.
        Cloud service account Name of the trusting account for which you are providing access using the IAM role.
      4. Select Submit.

    What to do next

    Verify that ServiceNow applications can access the trusting service account using the IAM role:
    1. Navigate to All > Discovery > Cloud Service Accounts.
    2. Select the trusting AWS service account.
    3. Under Related Links, select Create Discovery Schedule.
    4. In the Discovery Manager Cloud Discovery page, select Test Account.
      • If the connection is successful, a message displays indicating the account validation is successful.
      • If the connection isn't successful, an error message displays indicating the cause of failure.