Configure access using temporary credentials for trusting AWS member accounts

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 2 minutes to read
  • Configure access to AWS member accounts that use their management account as the trusted account, through an IAM role.

    Before you begin

    Role required: discovery_admin or sn_cmp.cloud_admin (for Cloud Provisioning and Governance)

    About this task

    You can configure access to member accounts that rely on their management account for access. The management account itself can use either permanent or temporary credentials.

    Figure 1. Configuring member accounts to use their management account for access: the IAM role of each trusting member account is set up to trust the management account.

    Procedure

    1. Create an IAM role in the member account and configure the trust relationship between that role and the trusted (accessor) management account.
      1. Log into the AWS Management Console using the credentials of the member account for which you are configuring access.
      2. Create and configure the IAM role specifying the management account ID in the Account ID field.
        For operational information about creating AWS roles, refer to the Amazon documentation.
      3. On the Summary page for the IAM role, click the Trust Relationships tab.
      4. Click Edit trust relationship.
        The Edit Trust Relationship page opens showing the policy document.
      5. Edit the trust relationship as follows:
        • Set the Action parameter to sts:AssumeRole
        • Set the AWS parameter to the full role ARN of the management account.

        Figure 2. Editing the trust relationship for the trusting account.
      6. Click Update Trust Policy.
    2. Configure the trusted service account for the trusting account in the ServiceNow AI Platform.
      1. Navigate to Cloud Provisioning and Governance > Service Accounts.
      2. Open the member account.
      3. On the Cloud Service Account form, enter the name of the management account in the Parent account field.
      4. Click Update.
    3. Assign the IAM role created for the member account to the member account in the ServiceNow AI Platform.
      Important:
      Perform this step only if you created custom IAM roles. There is no need to assign the default OrganizationAccountAccessRole role to a service account.
      1. Navigate to Cloud Provisioning and Governance > Organization Access Parameters > AWS Cross Assume Role Parameters.
      2. Click New.
      3. On the Cloud Service Account AWS Cross Assume Role Params form, configure only the following fields:

         Field                  Definition
         Access role name       Name of the IAM role created for the trusting account.
         Cloud service account  Name of the trusting account for which you are providing access using the IAM role.
      4. Click Submit.
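    The trust policy edited in step 1.5 is the control that decides who can assume the member account's role, so it is worth generating it deliberately and checking it before clicking Update Trust Policy. The following Python is an added example, not code from ServiceNow or AWS: it builds the trust policy document the procedure describes (Action sts:AssumeRole, AWS principal set to the full role ARN in the management account) and lints an existing policy for grants that are broader than the procedure intends (a wildcard principal, an account root instead of a specific role, or a role in a different account). The account IDs, role names and the overbroad sample policy are constructed placeholders.

```python
import json
import re

# 12-digit AWS account ID, and an IAM role ARN whose first capture group is the account ID.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")


def build_trust_policy(management_role_arn: str) -> dict:
    """Trust policy for the member (trusting) account's IAM role.

    Only the named role in the management (trusted) account may call sts:AssumeRole,
    which is what step 1.5 of the procedure asks for.
    """
    if not ROLE_ARN_RE.match(management_role_arn):
        raise ValueError(f"not an IAM role ARN: {management_role_arn}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": management_role_arn},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def check_trust_policy(policy: dict, management_account_id: str) -> list:
    """Return findings for Allow statements that grant sts:AssumeRole too broadly.

    An empty list means every assume-role grant names a specific role in the
    management account, as the procedure requires.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue  # statement does not grant role assumption
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {i}: Principal '*' lets any AWS identity assume the role")
            continue
        aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else []
        aws_principals = [aws_principals] if isinstance(aws_principals, str) else aws_principals
        for p in aws_principals:
            if p == "*":
                findings.append(f"statement {i}: AWS principal '*' lets any AWS identity assume the role")
            elif ACCOUNT_ID_RE.match(p) or p.endswith(":root"):
                findings.append(f"statement {i}: principal {p} trusts the whole account, not a specific role")
            else:
                m = ROLE_ARN_RE.match(p)
                if not m:
                    findings.append(f"statement {i}: principal {p} is not an IAM role ARN")
                elif m.group(1) != management_account_id:
                    findings.append(
                        f"statement {i}: principal {p} is in account {m.group(1)}, "
                        f"not the management account {management_account_id}"
                    )
    return findings


# Constructed placeholders: management account 111111111111 and its access role.
MANAGEMENT_ACCOUNT_ID = "111111111111"
MANAGEMENT_ROLE_ARN = f"arn:aws:iam::{MANAGEMENT_ACCOUNT_ID}:role/ServiceNowCloudAccess"

# Constructed sample of a trust policy that is wider than the procedure intends.
SAMPLE_OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:role/Other"},
         "Action": ["sts:AssumeRole"]},
    ],
}

if __name__ == "__main__":
    policy = build_trust_policy(MANAGEMENT_ROLE_ARN)
    print(json.dumps(policy, indent=2))  # paste this into Edit Trust Relationship
    for finding in check_trust_policy(SAMPLE_OVERBROAD_POLICY, MANAGEMENT_ACCOUNT_ID):
        print("finding:", finding)
```

    Run the script to print the policy document for step 1.5; run `check_trust_policy` on the document AWS shows in the Trust Relationships tab to confirm that the only principal allowed to assume the role is the management account's role ARN, which is the condition the procedure sets.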

    What to do next

    Verify that ServiceNow applications can access the trusting service account using the IAM role:
    1. Navigate to Cloud Provisioning and Governance > Service Accounts, and select the AWS account you created earlier as described in Set up AWS service accounts.
    2. Select the trusting account that you configured with the IAM role.
    3. Under Related Links, click Discover Datacenters.
    4. Navigate to Discovery > Cloud Discovery Dashboard, and then click the AWS tab.
    5. Check that the dashboard shows discovered resources for the account that you associated with the newly created AWS credentials.