Configure access using temporary credentials based on trusted AWS accounts without AWS credentials

  • Release version: Washingtondc
  • Updated February 1, 2024
  • Set up a trusted credential-less account that other AWS accounts can rely on for access.

    Before you begin

    Create and configure the trusted AWS account.

    Role required: discovery_admin or sn_cmp.cloud_admin (for Cloud Provisioning and Governance)

    About this task

    To use an account without AWS credentials (credential-less account), you must first configure that account with an IAM role and permissions to access the trusting service account. Then you set up the IAM role of the trusting account to grant access to the IAM role of the trusted account.

    Figure 1. Setting up any AWS account to rely on a trusted account without AWS credentials
    (Diagram: the IAM role of the trusting AWS account is set up to trust the IAM role of the trusted AWS account for access.)

    Procedure

    1. Configure an IAM role for the trusting account.
      1. Log into the trusting account on the AWS Management Console.
      2. Create an IAM role for this account.
        Use the account ID of the trusted account while creating this IAM role. For operational information about working with AWS roles, refer to the Amazon documentation.
      3. Create a ReadOnlyAccess policy and attach it to the newly created IAM role.
    2. Configure the IAM role for the trusted account.
      1. Log into the AWS Management Console using the credentials of the account that you want to set up as a trusted account.
      2. Create an IAM role by choosing the AWS service option.

        (Figure: selecting the AWS service option when creating the IAM role of the trusted account.)
      3. Create a ReadOnlyAccess policy for the trusted account IAM role.
      4. Create an additional policy to grant this IAM role access to resources in trusting accounts:
        • Set the Action parameter to sts:AssumeRole
        • Set the Resource parameter to the ARN of the trusting account role that you created in 1.b.

        (Figure: the policy between the role in the trusted account and the role in the trusting account.)

      5. Attach the newly created role to the relevant Amazon EC2 instance.
        By default, when you attach an IAM role to an EC2 instance, it creates a trust relationship between this role and the EC2 instance.
        (Figure: verifying the trust relationship between the IAM role and the EC2 instance.)
    3. Configure the trusting service account to grant access to the IAM role belonging to the trusted account.
      1. Log into the trusting account on the AWS Management Console.
      2. Navigate to the IAM role you created for this account as described in 1.b.
      3. Edit the Trust Relationship for this IAM role as follows:
        • Set the Action parameter to sts:AssumeRole.
        • Set the AWS parameter to the ARN of the trusted account role that you created in 2.b.
        (Figure: configuring the trust relationship for the trusting account.)
    4. Configure the MID Server for AWS IAM roles.
    5. Configure the trusted credential-less service account for the trusting account at ServiceNow AI Platform.
      1. Navigate to Cloud Provisioning and Governance > Service Accounts.
      2. Open the trusting account.
      3. On the Cloud Service Account form, enter the name of the trusted account in the Accessor account field.
      4. Click Update.
    6. Assign the IAM role created for the trusting account to the trusting account at ServiceNow AI Platform.
      Important:
      Perform this step only if you created custom IAM roles. There is no need to assign the default OrganizationAccountAccessRole role to a service account.
      1. Navigate to All > Cloud Provisioning and Governance > Organization Access Parameters > Cloud Service Account AWS Cross Assume Role Parameters.
      2. Select New.
      3. On the Cloud Service Account AWS Cross Assume Role Params form, configure only the following fields:
        Field                  Definition
        Access role name       Name of the IAM role created for the trusting account.
        Cloud service account  Name of the trusting account for which you are providing access using the IAM role.
      4. Select Submit.
        The system adds this record to the Cloud Service Account AWS Cross Assume Role Params [cloud_service_account_aws_cross_assume_role] table.
      Note:
      By default, the OrganizationAccountAccessRole role is assigned to the member’s trusting management account, and the MID Server uses that role when no record for the account exists in the Cloud Service Account AWS Org Assume Role Params [cloud_service_account_aws_org_assume_role_params] table. If you have removed the default role or created a custom IAM role, you must manually add it to that table for each trusting member account. To do so, navigate to All > Cloud Provisioning and Governance > Organization Access Parameters > Cloud Service Account AWS Org Assume Role Parameters and repeat the previous steps.
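    The two IAM documents that steps 2.d and 3.c describe must agree with each other: the permission policy on the trusted account's role names the trusting role as its sts:AssumeRole Resource, and the trust relationship on the trusting account's role names the trusted role as its AWS principal. The following Python is an added example, not ServiceNow or AWS code; it builds both documents from constructed placeholder account IDs and role names (not real accounts) and checks offline that the pair is consistent and no wider than the procedure calls for (a single role ARN on each side rather than "*" or an account root).

```python
import json
import re

# Constructed placeholders for the example (not real AWS accounts or roles).
TRUSTING_ACCOUNT_ID = "111111111111"   # account whose resources Discovery reads
TRUSTED_ACCOUNT_ID = "222222222222"    # credential-less account running the MID Server EC2 instance
TRUSTING_ROLE_NAME = "SnowDiscoveryTrustingRole"  # role created in step 1.b
TRUSTED_ROLE_NAME = "SnowDiscoveryTrustedRole"    # role created in step 2.b

# IAM role ARN: arn:aws:iam::<12-digit account>:role/<name>
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")


def role_arn(account_id, role_name):
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def assume_role_permission_policy(trusting_role_arn):
    """Step 2.d: identity policy attached to the trusted account's role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": trusting_role_arn,
        }],
    }


def trust_policy(trusted_role_arn):
    """Step 3.c: trust relationship (assume-role policy) on the trusting account's role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": trusted_role_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def _as_list(value):
    # IAM allows a single string or a list for Action, Resource and Principal.AWS.
    return value if isinstance(value, list) else [value]


def _allows_assume_role(stmt):
    return stmt.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(stmt.get("Action", []))


def check_cross_account_pair(permission_policy, trust_doc, trusting_role_arn, trusted_role_arn):
    """Return a list of problems; an empty list means both sides agree and stay role-scoped."""
    problems = []
    for arn, label in ((trusting_role_arn, "trusting"), (trusted_role_arn, "trusted")):
        if not ROLE_ARN_RE.match(arn):
            problems.append(f"{label} role ARN is malformed: {arn}")

    # Permission side (trusted account): must target exactly the trusting role.
    perm_targets = [r for s in permission_policy["Statement"] if _allows_assume_role(s)
                    for r in _as_list(s.get("Resource", []))]
    if trusting_role_arn not in perm_targets:
        problems.append("permission policy does not allow sts:AssumeRole on the trusting role ARN")
    if "*" in perm_targets:
        problems.append("permission policy allows sts:AssumeRole on every role (Resource '*')")

    # Trust side (trusting account): the AWS principal must be the trusted role ARN.
    principals = []
    for s in trust_doc["Statement"]:
        if _allows_assume_role(s):
            principal = s.get("Principal", {})
            principals += ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    if trusted_role_arn not in principals:
        problems.append("trust policy does not name the trusted role ARN as principal")
    for p in principals:
        if p == "*" or p.endswith(":root"):
            problems.append(f"trust policy principal is broader than a single role: {p}")
    return problems


def build_pair():
    """Build the matching policy pair for the placeholder accounts above."""
    trusting_arn = role_arn(TRUSTING_ACCOUNT_ID, TRUSTING_ROLE_NAME)
    trusted_arn = role_arn(TRUSTED_ACCOUNT_ID, TRUSTED_ROLE_NAME)
    return assume_role_permission_policy(trusting_arn), trust_policy(trusted_arn), trusting_arn, trusted_arn


if __name__ == "__main__":
    perm, trust, trusting_arn, trusted_arn = build_pair()
    print("Step 2.d permission policy (trusted account role):")
    print(json.dumps(perm, indent=2))
    print("Step 3.c trust relationship (trusting account role):")
    print(json.dumps(trust, indent=2))
    print("Problems:", check_cross_account_pair(perm, trust, trusting_arn, trusted_arn) or "none")
```

    The printed documents are what you paste into the policy editor in steps 2.d and 3.c, with the placeholder IDs and names replaced by your own. Running the checker against the policies you actually saved is a quick way to confirm that the ARNs on both sides match before you run Discover Datacenters.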

    What to do next

    Verify that ServiceNow applications can access the trusting service account using the IAM role:
    1. Navigate to Cloud Provisioning and Governance > Service Accounts.
    2. Select the trusting account that you configured.
    3. Under Related Links, click Discover Datacenters.
    4. Navigate to Discovery > Cloud Discovery Dashboard, and then click the AWS tab.
    5. Check that the dashboard shows discovered resources for the account that you associated with the newly created AWS credentials.