AWS SNS Integration in Self-Hosted Environment not receiving messages.


Description

Attempting to configure AWS SNS to send messages for event management in a self-hosted environment.

After going through the steps in the following documentation, "Integrate AWS platform as a data source":

we noticed that no messages were being received, and the node logs showed the following error being generated:

2019-10-01 18:41:16 (822) http-50 SYSTEM Session created: 803071A059980410E2EB86D408414168, timeout after 30 minutes of inactivity
2019-10-01 18:41:16 (822) http-50 SYSTEM New transaction 803071A059980410E2EB86D408414168 #96555 /api/global/em/inbound_event
2019-10-01 18:41:16 (834) API_INT-thread-104 SYSTEM txid=c43071a05998 HTTP authorization validated user 'awssns'
2019-10-01 18:41:16 (834) API_INT-thread-104 SYSTEM txid=c43071a05998 Session user set to awssns
2019-10-01 18:41:16 (873) API_INT-thread-104 803071A059980410E2EB86D408414168 txid=c43071a05998 Loaded the Installation Exits cache in 1 ms
2019-10-01 18:41:16 (879) API_INT-thread-104 803071A059980410E2EB86D408414168 txid=c43071a05998 #96555 [REST API] RESTAPIProcessor : User Not Authorized
2019-10-01 18:41:16 (879) API_INT-thread-104 803071A059980410E2EB86D408414168 txid=c43071a05998 *** End #96555 /api/global/em/inbound_event, user: awssns, total time: 0:00:00.000, processing time: 0:00:00.000, SQL time: 0:00:00.033 (count: 60), ACL time: 0:00:00.001, Cache build time: 0:00:00.003, source: 72.21.217.15 , type:rest, method:null, api_name:null, resource:null, version:null, user_id:eb7dacf29d733300e2eb550b612d2209, response_status:403

Read the transaction in order: basic authentication succeeded ("HTTP authorization validated user 'awssns'", and the session user is set), but the Scripted REST processor then rejected the request with "User Not Authorized" and response_status:403. So the credentials in the SNS subscription are correct; what the user lacks is the role required to invoke the Inbound Event service (or an ACL is blocking it). A wrong user name or password would produce a 401 instead.
In the REST API documentation, 403 Forbidden is described as: "The requested operation is not permitted for the user. This error can also be caused by ACL failures, or business rule or data policy constraints."
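To spot this failure quickly in a large node log, the transaction summary line ("*** End ...") is the one to parse: it carries the path, user, source IP and response_status in one place. The following parser and check are an added example written for this article, not ServiceNow code. It embeds the log lines shown above plus one constructed successful (200) transaction for contrast; the path default is the one seen in the log.

```python
import re
from typing import Dict, List, Optional

# Three lines copied from the node log excerpt above, plus one constructed
# (not from the page) successful transaction for contrast.
SAMPLE_LOG = """\
2019-10-01 18:41:16 (834) API_INT-thread-104 SYSTEM txid=c43071a05998 HTTP authorization validated user 'awssns'
2019-10-01 18:41:16 (879) API_INT-thread-104 803071A059980410E2EB86D408414168 txid=c43071a05998 #96555 [REST API] RESTAPIProcessor : User Not Authorized
2019-10-01 18:41:16 (879) API_INT-thread-104 803071A059980410E2EB86D408414168 txid=c43071a05998 *** End #96555 /api/global/em/inbound_event, user: awssns, total time: 0:00:00.000, processing time: 0:00:00.000, SQL time: 0:00:00.033 (count: 60), ACL time: 0:00:00.001, Cache build time: 0:00:00.003, source: 72.21.217.15 , type:rest, method:null, api_name:null, resource:null, version:null, user_id:eb7dacf29d733300e2eb550b612d2209, response_status:403
2019-10-01 18:45:02 (101) API_INT-thread-107 903071A059980410E2EB86D408414199 txid=d53071a05998 *** End #96601 /api/global/em/inbound_event, user: awssns, total time: 0:00:00.120, processing time: 0:00:00.118, SQL time: 0:00:00.040 (count: 71), ACL time: 0:00:00.001, Cache build time: 0:00:00.000, source: 72.21.217.15 , type:rest, method:null, api_name:null, resource:null, version:null, user_id:eb7dacf29d733300e2eb550b612d2209, response_status:200
"""

END_RE = re.compile(r"\*\*\* End #(?P<txn>\d+) (?P<path>[^,\s]+), (?P<fields>.*)$")
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
TXID_RE = re.compile(r"txid=(\w+)")


def parse_end_line(line: str) -> Optional[Dict[str, str]]:
    """Parse a transaction summary ('*** End ...') line into a dict.

    Returns None for any other line. The comma-separated tail is split into
    key/value pairs on the first ':' only, so durations such as 0:00:00.033
    and '(count: 60)' survive intact."""
    m = END_RE.search(line)
    if not m:
        return None
    ts = TS_RE.match(line)
    txid = TXID_RE.search(line)
    rec = {
        "timestamp": ts.group(0) if ts else "",
        "txid": txid.group(1) if txid else "",
        "txn": m.group("txn"),
        "path": m.group("path"),
    }
    for field in m.group("fields").split(", "):
        key, sep, value = field.partition(":")
        if sep:
            rec[key.strip()] = value.strip()
    return rec


def find_rejected_transactions(log_text: str,
                               path: str = "/api/global/em/inbound_event") -> List[Dict[str, str]]:
    """Return summary records for calls to `path` that ended 401 or 403."""
    rejected = []
    for line in log_text.splitlines():
        rec = parse_end_line(line)
        if rec and rec["path"] == path and rec.get("response_status") in ("401", "403"):
            rejected.append(rec)
    return rejected


def explain(rec: Dict[str, str]) -> str:
    """One-line diagnosis: 401 is an authentication failure, 403 an authorization failure."""
    status = rec.get("response_status")
    who = rec.get("user", "?")
    if status == "401":
        return "txid=%s: credentials for '%s' rejected (check the user/password in the subscription URL)" % (rec["txid"], who)
    if status == "403":
        return ("txid=%s: '%s' authenticated from %s but is not authorized for %s "
                "(missing role or a restricting ACL)" % (rec["txid"], who, rec.get("source", "?"), rec["path"]))
    return "txid=%s: status %s" % (rec["txid"], status)


if __name__ == "__main__":
    for rec in find_rejected_transactions(SAMPLE_LOG):
        print(explain(rec))
```

Run it against a saved node log (read the file into `find_rejected_transactions`) to list every rejected SNS delivery with its txid, which is the value to search for when you need the surrounding lines of that transaction.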

Resolution


1. Create a user on the instance (for this test, "AWS_user"); this is the account whose credentials the SNS subscription uses.

2. Add the "evt_mgmt_admin", "evt_mgmt_integration" and "sn_cmp.cloud_event_integration" roles to the user.
a. The "evt_mgmt_integration" role grants access to the "Inbound Event" Scripted REST Service, which handles AWS SNS messages for Event Management events:
https://<instance-name>.service-now.com/sys_ws_definition.do?sys_id=9c4603b1c3a3220039a3553a81d3ae99
b. The "sn_cmp.cloud_event_integration" role grants access to the "Cloud Event" Scripted REST Service, which handles AWS SNS messages for Cloud events:
https://<instance-name>.service-now.com/sys_ws_definition.do?sys_id=c144745ad741320097eb6ccf6e610373
c. Note that the user also requires other roles to manage CIs and other resources.

Make sure that no additional ACLs have been created that restrict this user. The two integration roles above are what gate the SNS endpoints; "evt_mgmt_admin" is broader than those endpoints require, so give a production integration user only the roles it actually needs.

3. Create a new SNS topic (here called "ServiceNow-Support") in the AWS console.

4. Create subscriptions on that topic for EM events and Cloud events, following these docs:
https://docs.servicenow.com/bundle/madrid-it-operations-management/page/product/event-management/task/aws-events-transform-script.html#aws-events-transform-script
https://docs.servicenow.com/bundle/madrid-it-operations-management/page/product/cloud-management-v2-setup/task/aws-config-service-cloud-mgt.html


This is the Scripted REST operation that is invoked when the service is called:

https://<instance-name>.service-now.com/sys_ws_operation.do?sys_id=347683b1c3a3220039a3553a81d3ae22

Out of the box this operation has no ACL of its own. Make sure no extra ACLs have been added here either.
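After the roles are in place, the quickest way to confirm the fix without waiting for AWS to fire an alarm is to deliver one SNS-shaped notification to the instance yourself, authenticated as the integration user, and look only at whether the response is 401, 403 or something else. The script below is an added example for this article, not ServiceNow or AWS code. It assumes the endpoint path seen in the node log above (any query parameters the linked docs prescribe for the subscription URL must be added), uses the envelope and headers SNS sends on HTTP/S deliveries without the signature fields, and posts a constructed placeholder message. The instance name, user, password and topic ARN in the demo run are placeholders; `FakeOpener` is a stand-in so the script also runs offline.

```python
import base64
import json
import os
import sys
import uuid
from datetime import datetime, timezone
from types import SimpleNamespace
from urllib import error, request

# Endpoint path as seen in the node log; add any query parameters the docs
# require for the SNS subscription URL.
INBOUND_EVENT_PATH = "/api/global/em/inbound_event"

# Roles named in the resolution, keyed by the service they unlock.
REQUIRED_ROLE = {
    "em_event": "evt_mgmt_integration",
    "cloud_event": "sn_cmp.cloud_event_integration",
}


def basic_auth_header(user: str, password: str) -> str:
    """Same header the instance receives when the subscription URL embeds user:password."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    return "Basic " + token


def build_sns_notification(topic_arn: str, message: str, subject: str = "ServiceNow-Support probe") -> dict:
    """Envelope in the shape SNS uses for HTTP/S deliveries. Signature fields are
    omitted on purpose: this probe only exercises authentication and authorization."""
    return {
        "Type": "Notification",
        "MessageId": str(uuid.uuid4()),
        "TopicArn": topic_arn,
        "Subject": subject,
        "Message": message,
        "Timestamp": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z"),
    }


def interpret_status(status: int, user: str) -> str:
    if status == 401:
        return "401: credentials for '%s' rejected; fix the user/password in the subscription URL" % user
    if status == 403:
        return ("403: '%s' authenticated but may not call the Inbound Event service; grant %s "
                "(EM events) or %s (Cloud events) and check for extra ACLs"
                % (user, REQUIRED_ROLE["em_event"], REQUIRED_ROLE["cloud_event"]))
    if 200 <= status < 300:
        return "%d: accepted; authentication and authorization work" % status
    return "%d: past the 401/403 checks; inspect the response body and the node log for this call" % status


def probe_inbound_event(instance: str, user: str, password: str, topic_arn: str, opener=None) -> dict:
    """POST an SNS-style notification as the integration user and classify the result.
    `opener` defaults to urllib; pass FakeOpener to run offline."""
    # Constructed placeholder message; a real delivery carries the alarm/event JSON from AWS.
    message = json.dumps({"probe": "ServiceNow-Support", "note": "constructed test payload"})
    body = json.dumps(build_sns_notification(topic_arn, message)).encode("utf-8")
    req = request.Request("https://%s%s" % (instance, INBOUND_EVENT_PATH), data=body, method="POST")
    req.add_header("Authorization", basic_auth_header(user, password))
    req.add_header("Content-Type", "text/plain; charset=UTF-8")  # what SNS HTTP/S deliveries use
    req.add_header("x-amz-sns-message-type", "Notification")
    req.add_header("x-amz-sns-topic-arn", topic_arn)
    opener = opener or request.build_opener()
    try:
        resp = opener.open(req, timeout=30)
        status = resp.status
        resp.close()
    except error.HTTPError as exc:
        status = exc.code
    return {"status": status, "verdict": interpret_status(status, user)}


class FakeOpener:
    """Offline stand-in for urllib's opener: records the request, answers with a fixed status."""
    def __init__(self, status: int):
        self.status = status
        self.last = None

    def open(self, req, timeout=None):
        self.last = req
        if self.status >= 400:
            raise error.HTTPError(req.full_url, self.status, "simulated", None, None)
        return SimpleNamespace(status=self.status, close=lambda: None)


if __name__ == "__main__":
    # Live run needs SN_INSTANCE, SN_USER, SN_PASSWORD and SNS_TOPIC_ARN; otherwise simulate the 403.
    env = {k: os.environ.get(k) for k in ("SN_INSTANCE", "SN_USER", "SN_PASSWORD", "SNS_TOPIC_ARN")}
    if all(env.values()):
        result = probe_inbound_event(env["SN_INSTANCE"], env["SN_USER"], env["SN_PASSWORD"], env["SNS_TOPIC_ARN"])
    else:
        result = probe_inbound_event("example.service-now.com", "AWS_user", "secret",
                                     "arn:aws:sns:us-east-1:123456789012:ServiceNow-Support",
                                     opener=FakeOpener(403))
    print(result["verdict"])
    sys.exit(0 if result["status"] not in (401, 403) else 1)
```

Run it against a sub-production instance first: the placeholder message is not a real CloudWatch alarm, so a 2xx answer proves the user and roles are correct but may still leave a junk event behind for the transform script to discard.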