FAQ: AWS Management Account and IAM Roles

Summary

Q: Assume role into other accounts and pull down credentials to discover all of their resources.
Ans: London, Madrid, NY and Orlando only support AssumeRole from the Management account into Member accounts. Cross-account AssumeRole (Member to Member and more) is planned for Paris.

Q: Pull member accounts without using Management account credentials that have Administrator-level access.
Ans: The credentials provided for the Management account must be an IAM user with a *minimum* of the following permissions:
- organizations:DescribeOrganization (https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeOrganization.html)
- organizations:ListAccounts (https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListAccounts.html)

To get *ALL* the permissions the pattern requires, step through the "AWS Organizations" pattern in the Pattern Debugger. You will see the REST API calls made to the AWS endpoints; search for the names of those API calls to find the matching IAM actions. Then have the customer grant those permissions to the IAM user whose credentials are configured in the ServiceNow instance.

Optionally, to prove this to the customer:
- Have them set up the AWS CLI on the MID Server host (the machine where the MID Server is running).
- Execute the same commands via the AWS CLI on the MID Server host.
- Make sure there are no 403 or permissions errors and that all the member accounts are returned.

Once this configuration is done, the "Refresh Member Accounts" UI action should work without the full AdministratorAccess managed policy.

Q: How about the resources under the management and member accounts? Do we need any extra configuration for this?
Ans: If appropriate credentials are configured, either permanent credentials in the discovery_credentials table or temporary credentials, obtained either via an IAM instance profile (supported in NY for Management (organization) or Discrete (non-org) accounts) or via AssumeRole (only Management => Member is supported in NY), then these resources will be discovered, as long as the IAM Role or IAM User that the credential (temporary or permanent) is based on has permissions to see those resources.

Below is a scenario of discovering resources with an EC2 instance profile. Let's say the customer:
- Has both discrete accounts and AWS Organizations in their AWS estate (not sure if this would be valid, but let's assume it is).
- Has an EC2 instance profile configured with an IAM role, and the MID Server property "mid.aws.instance_profile_name" is added.
- Added the management account, but without credentials, on the instance.

Q: In this scenario, would the "EC2 instance profile configured with an IAM role" be sufficient to discover the discrete accounts/management account and their resources?
Ans: It is either/or here. The role behind the IAM instance profile is associated with one account (is it the Management or a Discrete account?). If it is associated with the Management account, then the instance profile alone is sufficient to discover all the resources in the Management account's organization (the Management account plus all Member accounts).

Q: As we have the management account information available (without credentials), would the "EC2 instance profile configured with an IAM role" be sufficient to discover the member accounts and their resources?
Ans: Yes, as long as the cmdb_ci_cloud_service_account record has the proper configuration for member accounts (the parent_account reference column points to the management account row and is_management_account is false/unchecked).

Again, a separate Cloud Discovery Schedule is needed for each account, regardless of whether it is Management, Member, or Discrete. If only the Management account was added to the instance, run the "Refresh Member Accounts" UI action on the Management account record to populate the Member accounts before creating Discovery Schedules for the Members.

Q: Can Discovery use the EC2 instance profile configured with an IAM role to assume the role into member accounts, or do we need credentials added on the management account?
Ans: Yes, this is possible. No credentials are needed for the Management account if using an IAM instance profile with a role in the Management account.

Q: Any example configuration for assume role?
Ans: Each customer environment is different. Every account has various custom roles, policies, etc., so providing a generic configuration would be a tough task. We recommend checking with your cloud engineering team for more specific configurations.

Related Links
Refer:
Assume an AWS role for temporary Cloud Discovery credentials
Assuming member roles with an AWS API
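The minimum-permissions answer in the Summary, as an added example that is not from this KB article or from ServiceNow: a small Python checker that reports whether the identity policy attached to the Management-account IAM user grants organizations:DescribeOrganization and organizations:ListAccounts, and whether it is needlessly as broad as AdministratorAccess. MIN_ORG_POLICY and the helper names are constructed for this example, and Resource/Condition evaluation is left out.

```python
import fnmatch

# Minimum IAM actions the Management-account credential needs for
# "Refresh Member Accounts", per the FAQ above.
REQUIRED_ACTIONS = ("organizations:DescribeOrganization", "organizations:ListAccounts")

# Constructed least-privilege identity policy for that IAM user (Sid is arbitrary).
MIN_ORG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ListOrgMembersForDiscovery",
        "Effect": "Allow",
        "Action": list(REQUIRED_ACTIONS),
        "Resource": "*",
    }],
}

def _as_list(value):
    # IAM allows Statement and Action to be a single item or a list.
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def _action_matches(pattern, action):
    # IAM action names match case-insensitively, with '*' and '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def policy_allows(policy, action):
    """Simplified IAM evaluation for one action: explicit Deny beats Allow.
    Resource and Condition elements are ignored (a simplification)."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed

def missing_actions(policy):
    """Required actions the policy does not grant; [] means the UI action can work."""
    return [a for a in REQUIRED_ACTIONS if not policy_allows(policy, a)]

def grants_all_actions(policy):
    """True if an Allow statement uses the bare '*' action, i.e. the policy is as
    broad as AdministratorAccess and should be narrowed to REQUIRED_ACTIONS."""
    return any(s.get("Effect") == "Allow" and "*" in _as_list(s.get("Action"))
               for s in _as_list(policy.get("Statement")))
```

Run missing_actions() on the policy JSON pulled from the customer's IAM user before asking them to test with the AWS CLI on the MID Server host; a non-empty result explains a 403 up front.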