ITOM - Cloud Management - AWS cloud discovery of member account resources using dynamically acquired credentials fails with error 401 - AuthFailure

Description

AWS cloud discovery of member account resources using dynamically acquired credentials fails with error 401 - AuthFailure.

Release or Environment

All releases prior to New York.

Cause

When discovering member accounts, the AWS discovery credential and the main service account are used to generate a temporary token. To generate this token, the main account needs the "AssumeRole" permission. When the AWS Organizations console is used to create a member account, AWS Organizations automatically creates an IAM role in that account, the "OrganizationAccountAccessRole", which contains the necessary "AssumeRole" permission. The "OrganizationAccountAccessRole" is the role the MID server uses to generate the token. If the "OrganizationAccountAccessRole" role has not been created, or exists without the "AssumeRole" permission, discovery of the member account fails with error 401 - AuthFailure.

Reproduce the error (see "Steps to Reproduce" in this KB) and review the MID server log files to confirm this is the root cause of the 401 error. The MID server log files should contain the following error:

<time_stamp> (523) Worker-Interactive:APIProxyProbe-<ecc_queue_sys_id> SEVERE *** ERROR *** Exception caught while trying to acquireTemporaryCredentialFromAWS()
com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: Access denied (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: a2205d56-5189-11e9-a38b-9715ef911473)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1640)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1304)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1058)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:743)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:717)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:699)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:667)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:649)
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:513)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1307)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1283)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeAssumeRole(AWSSecurityTokenServiceClient.java:466)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRole(AWSSecurityTokenServiceClient.java:442)
    at com.service_now.mid.util.CloudServiceAccountCredentialUtil.generateFreshTemporaryCredentialForAccount(CloudServiceAccountCredentialUtil.java:606)

In the above, acquireTemporaryCredentialFromAWS() fails: the STS AssumeRole call is rejected with 403 AccessDenied. Discovery then continues without a valid credential and therefore reports the error "Could not complete API call AWS was not able to validate the provided access credentials (Service: AmazonEC2; Status Code: 401".

Resolution

Ensure the "OrganizationAccountAccessRole" role exists in the member account and has the "AssumeRole" permission.

Additional Information

The following AWS links provide helpful information on the "OrganizationAccountAccessRole" role and related concepts, for member accounts and invited accounts:

Accessing and Administering the Member Accounts in Your Organization
Delegating API Access to AWS Services Using IAM Roles
Assume an AWS role for temporary cloud Discovery credentials
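The Cause section above comes down to one question: can the main (management) account perform sts:AssumeRole on the member account's "OrganizationAccountAccessRole"? The following is an added diagnostic written for this KB; it is not ServiceNow MID server code or AWS code. It takes the JSON printed by `aws iam get-role --role-name OrganizationAccountAccessRole` when run against the member account (a real command; the CLI returns the trust policy already URL-decoded) and reports whether the role exists and whether its trust policy lets the management account assume it. The account IDs and the sample get-role documents are constructed placeholders, and `sample_get_role` / `diagnose_get_role_output` are names chosen here.

```python
"""Check whether the member account's OrganizationAccountAccessRole can be
assumed by the management account, from `aws iam get-role` output.
Example written for this KB; account IDs and sample documents are constructed."""
import json
import urllib.parse

ROLE_NAME = "OrganizationAccountAccessRole"
ASSUME_ROLE = "sts:AssumeRole"


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_covers_assume_role(actions):
    # IAM action names are case-insensitive; 'sts:*' and '*' also cover AssumeRole.
    return any(a.lower() in (ASSUME_ROLE.lower(), "sts:*", "*") for a in _as_list(actions))


def _principal_is_wildcard(principal):
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))


def _principal_names_account(principal, account_id):
    """True when the Principal names the management account: its root ARN,
    the bare 12-digit ID, or an IAM user/role ARN inside that account."""
    if not isinstance(principal, dict):
        return False
    return any(p == account_id or p.startswith(f"arn:aws:iam::{account_id}:")
               for p in _as_list(principal.get("AWS")))


def trust_policy_allows(trust_policy, account_id):
    """Walk the Statement list the way IAM evaluates a trust policy: a matching
    explicit Deny wins over any Allow. Condition blocks are ignored here
    (with a Condition the answer depends on the individual request)."""
    allowed = False
    for stmt in _as_list(trust_policy.get("Statement")):
        if not _action_covers_assume_role(stmt.get("Action")):
            continue
        if not _principal_names_account(stmt.get("Principal"), account_id):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def diagnose_get_role_output(get_role_output, management_account_id):
    """Return a verdict string: 'OK' when the AssumeRole step performed by
    acquireTemporaryCredentialFromAWS() can succeed as far as the role's
    trust policy is concerned, otherwise a 'FAIL' line naming what to fix."""
    data = json.loads(get_role_output) if isinstance(get_role_output, str) else get_role_output
    role = data.get("Role")
    if not role:
        return f"FAIL: {ROLE_NAME} does not exist in the member account"
    if role.get("RoleName") != ROLE_NAME:
        return f"FAIL: role is {role.get('RoleName')!r}, expected {ROLE_NAME!r}"
    policy = role.get("AssumeRolePolicyDocument")
    if isinstance(policy, str):
        # The raw IAM API carries the document URL-encoded; the CLI decodes it.
        policy = json.loads(urllib.parse.unquote(policy))
    policy = policy or {}
    if any(_principal_is_wildcard(s.get("Principal")) for s in _as_list(policy.get("Statement"))):
        # A role trusting every AWS principal would also clear the 401, but at the
        # cost of exposing the member account; report it instead of accepting it.
        return "FAIL: trust policy trusts any AWS principal ('*'); restrict it to the management account"
    if not trust_policy_allows(policy, management_account_id):
        return (f"FAIL: trust policy of {ROLE_NAME} does not allow account "
                f"{management_account_id} to call {ASSUME_ROLE}")
    return f"OK: account {management_account_id} may assume {ROLE_NAME}"


def sample_get_role(trusted_account):
    """Constructed stand-in for `aws iam get-role` output on member account
    222222222222 (placeholder): the role as Organizations creates it, trusting
    trusted_account. Used here only to exercise the check offline."""
    return json.dumps({"Role": {
        "RoleName": ROLE_NAME,
        "Arn": f"arn:aws:iam::222222222222:role/{ROLE_NAME}",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
                           "Action": "sts:AssumeRole"}]}}})


if __name__ == "__main__":
    management = "111111111111"  # placeholder management account ID
    for label, doc in (("created by Organizations", sample_get_role(management)),
                       ("trusts the wrong account", sample_get_role("333333333333")),
                       ("role missing", "{}")):
        print(f"{label}: {diagnose_get_role_output(doc, management)}")
```

The three sample cases map onto the log above: only the first yields a temporary token; the other two make the STS call fail with 403 AccessDenied, after which discovery runs against EC2 with no valid credential and surfaces the 401 - AuthFailure. Run the check with the real get-role output for each member account that fails before changing anything on the AWS side.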