Configure a custom AWS member role

  • Release version: Xanadu
  • Updated August 1, 2024

Customize the AWS roles that a MID Server can assume to receive temporary credentials for member accounts. You can configure additional parameters to improve security and to control how the member account's role is assumed when discovering cloud resources.

    Before you begin

    Role required: admin

    About this task

    Values that you enter in the Cloud Service Account > AWS Org Assume Role Params [cloud_service_account_aws_org_assume_role_params] table are passed as parameters to the AWS AssumeRole API for the named service account.

    Procedure

    1. Navigate to All > Cloud Provisioning and Governance > Organization Access Parameters > AWS Org Assume Role Parameters.
      (Screenshot: AWS Org Assume Role Parameters module)
    2. Click New and then complete the form using these parameters:
      Access role name [access_role_name]
        Name of the AWS role in the member account that the management account uses to acquire temporary credentials.
        Default: OrganizationAccountAccessRole

      Role session name [role_session_name]
        Name for the session that uses the temporary security credentials; it helps distinguish use of a role by principal or purpose. The session name is visible in AWS CloudTrail logs. See Cloud API Trail and the AWS documentation on AWS CloudTrail for details.
        Default: master_account_id__<management account ID number>, for example master_account_id__321003876149.

      Credential TTL in seconds [credential_ttl_seconds]
        Time in seconds for the temporary security credentials to live.
        Default: Calculated as follows:
        1. Retrieve the value of the mid.aws.sts.assume_role.credential_ttl_minutes MID Server property.
        2. Constrain the value to between 15 and 720 minutes: if the property is less than 15 minutes, the system uses 15 minutes; if it is greater than 720 minutes, the system uses 720 minutes.
        3. Convert the resulting value to seconds.

      External ID [external_id]
        Unique identifier required by the trust policy of the role being assumed.
        Default: ServiceNow_MID_Server

      Session policy [session_policy]
        IAM policy, in JSON AWS policy language, that further restricts the permissions of the temporary security credentials beyond the policy configured on the role.
        Default: Blank

      MFA [multifactor authentication]
        Serial number of the multi-factor authentication (MFA) device (hardware or virtual) used to authenticate the management account.
        Default: Blank

      MFA token code [mfa_token_code]
        Token code supplied by the MFA device (hardware or virtual) used to authenticate the management account.
        Default: Blank

      Cloud service account [cloud_service_account]
        Required. Service account to associate with the access parameters that you pass to the AWS AssumeRole API. Enter an account ID, either a management account or a member account, from the Service Accounts [cmdb_ci_cloud_service_account] table.
      Note:
      For more details on how these parameters are used and what they mean, see the AWS documentation on the AWS Security Token Service API for the AssumeRole action.
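The following is an added example, not the MID Server's own code: a Python model of how the form fields above map onto the AssumeRole API parameters, including the 15..720 minute TTL clamp, the default session name and external ID, session-policy JSON validation, and the trust policy the member account's role must carry for the external ID to be enforced. The dict key names (including `mfa_serial` for the MFA field), the `ttl_property_minutes` argument and the member account ID 111122223333 are assumptions constructed for the example.

```python
import json
import re

MIN_TTL_MINUTES, MAX_TTL_MINUTES = 15, 720
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")  # AWS RoleSessionName constraint

def credential_ttl_seconds(ttl_minutes):
    """Default TTL as the page describes: clamp the MID Server property
    mid.aws.sts.assume_role.credential_ttl_minutes to 15..720 minutes, then convert to seconds."""
    return min(max(int(ttl_minutes), MIN_TTL_MINUTES), MAX_TTL_MINUTES) * 60

def build_assume_role_request(member_account_id, management_account_id, params, ttl_property_minutes=60):
    """Map the AWS Org Assume Role Params fields (dict keys named after the table's
    field names, an assumption; blanks fall back to the page's defaults) to AssumeRole parameters."""
    role_name = params.get("access_role_name") or "OrganizationAccountAccessRole"
    session_name = params.get("role_session_name") or f"master_account_id__{management_account_id}"
    if not SESSION_NAME_RE.match(session_name):
        raise ValueError(f"invalid RoleSessionName: {session_name!r}")
    ttl = params.get("credential_ttl_seconds") or credential_ttl_seconds(ttl_property_minutes)
    request = {
        "RoleArn": f"arn:aws:iam::{member_account_id}:role/{role_name}",
        "RoleSessionName": session_name,  # shows up in CloudTrail for the member account
        "DurationSeconds": ttl,
        # The external ID must match the member role's trust policy (confused-deputy guard).
        "ExternalId": params.get("external_id") or "ServiceNow_MID_Server",
    }
    policy = params.get("session_policy")
    if policy:
        json.loads(policy)  # fail fast on malformed JSON rather than at the STS call
        request["Policy"] = policy  # a session policy can only narrow the role's permissions
    if params.get("mfa_serial"):  # assumed key names for the two MFA fields
        request["SerialNumber"] = params["mfa_serial"]
        request["TokenCode"] = params["mfa_token_code"]
    return request

def member_role_trust_policy(management_account_id, external_id):
    """Trust policy the member account's role needs for the request above: only the
    management account may assume it, and only when it presents the external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }
```

The returned request dict is what a caller would pass as keyword arguments to the STS AssumeRole call; the trust policy dict is what the member role needs before that call can succeed.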