AWS Organizations and Temporary Credentials

Summary

Table of Contents

- Overview
  - Support for AWS Organizations in the London release
  - Support for AWS Organizations in the New York release
- Temporary credentials
- The Feature, Component, Architecture and Design
- The Standard steps defined by AWS
- Configure Temporary Credentials
  - Access Role Name
  - Role Session Name
  - Session Policy
  - Cloud Service Account
- Troubleshooting
- Additional Information

Overview

Amazon Web Services has a feature called AWS Organizations:

- Main Account
- Member Account
- Trusted Relationship between Main and Member, along with an Access Role and a Permission/Trust Policy

This gives efficiency and lets an enterprise centrally manage multiple AWS accounts belonging to the same organization.

Support for AWS Organizations in the London release

ServiceNow introduced support for AWS Organizations:

- Discovery of Member Accounts within an organization
  - The UI Action "Refresh Member Accounts" in the Main Account
  - Populates cmdb_ci_cloud_service_account
- Discovery uses the Main Account credentials to discover the Cloud Resources without requiring the Member Account credentials

Support for AWS Organizations in the New York release

ServiceNow added additional customization capabilities:

- Uses the Amazon AWS Security Token Service (STS) API call "AssumeRole" to accomplish this feature
- Exposes the full set of parameters of this API in a table so it can be customized according to the requirement

Temporary credentials

Cloud Discovery, Patterns and custom operations rely on AWS Organizations. Whenever the Main Account requires temporary credentials, the following can now be customized:

- Access Role
  - Has a Trusted Relationship between the Main and Member Accounts (default is "OrganizationAccountAccessRole")
  - The Main Account assumes this role when acquiring temporary credentials for the Member Account
- Role Session Name
  - Shows up in AWS CloudTrail
- External ID
  - Allows solving the "Confused Deputy Problem".
  - Refer to the AWS documentation "How to Use External ID When Granting Access to Your AWS Resources"
- Credential Duration/TTL
- Session Policy
  - Allows further restricting the permissions of the session used to access the Member Account
- MFA Serial Number of the Multi-Factor Authentication device
- MFA Token Code, the Multi-Factor Authentication one-time code

To gather the above information, log in to the AWS console with any of the Member Account details, open the CloudTrail Event History, and search for events with EventName "AssumeRole".

The Feature, Component, Architecture and Design

- New table called "cloud_service_account_aws_org_assume_role_params"
  - References "cmdb_ci_cloud_service_account"
- Precedence hierarchy
  - Discovery looks at the parameters associated with the Member Account it is trying to access
  - If not present, it looks for the parameters linked to the Main Account through which it is trying to access
  - If not present, it uses default values
- New Business Rule
  - Business rule that syncs instance changes to the MID Server: "Discovery - Account Reload for AWS Orgs"
  - When there are changes to the "cloud_service_account_aws_org_assume_role_params" table, this business rule gets executed
- The MID Server uses the Scripted SOAP API to fetch the Service Account data from the instance
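The parameter set and the precedence hierarchy above, worked through in code. This is an added example, not ServiceNow's or AWS's own code: it resolves the assume-role parameters for a Member Account (Member Account record first, then Main Account record, then defaults) and builds the keyword arguments an STS AssumeRole call would take. The record field names, the sys_id keys, the sample values and the session-name default are assumptions; the role-name default is the one the page states.

```python
"""Added example: resolve AWS Org assume-role parameters by precedence and
build the AssumeRole request. Not ServiceNow's or AWS's code."""
import json
import re

# Defaults used when neither the Member nor the Main Account has a parameter record.
# The role name default is the one the page states; the other two are assumptions.
DEFAULTS = {
    "access_role_name": "OrganizationAccountAccessRole",
    "role_session_name": "ServiceNowCloudDiscovery",  # assumed default
    "duration_seconds": 3600,                          # AWS's default AssumeRole duration
}

# Constructed sample records, keyed by the (hypothetical) sys_id of the
# cloud service account each record is linked to.
PARAM_RECORDS = {
    "main-acct-sysid": {"role_session_name": "CloudDiscoveryMain", "duration_seconds": 1800},
    "member-222-sysid": {"access_role_name": "CustomDiscoveryRole",
                         "external_id": "ext-id-placeholder"},
}

# RoleSessionName constraint from the AssumeRole API: 2-64 chars of [\w+=,.@-]
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")


def resolve_params(member_sys_id, main_sys_id, records=PARAM_RECORDS):
    """Precedence from the page: the record linked to the Member Account wins,
    then the record linked to the Main Account, then defaults. Fields the chosen
    record leaves unset fall back to the defaults."""
    for sys_id in (member_sys_id, main_sys_id):
        if sys_id in records:
            return {**DEFAULTS, **records[sys_id]}
    return dict(DEFAULTS)


def build_assume_role_request(member_account_id, params):
    """Return the keyword arguments an STS AssumeRole call would take
    (e.g. boto3's sts.assume_role(**request)); no AWS call is made here."""
    if not SESSION_NAME_RE.match(params["role_session_name"]):
        raise ValueError("RoleSessionName must be 2-64 chars of [\\w+=,.@-]")
    duration = int(params["duration_seconds"])
    if not 900 <= duration <= 43200:
        raise ValueError("DurationSeconds must be 900..43200 (the role's max may be lower)")
    request = {
        "RoleArn": f"arn:aws:iam::{member_account_id}:role/{params['access_role_name']}",
        "RoleSessionName": params["role_session_name"],  # this is what CloudTrail shows
        "DurationSeconds": duration,
    }
    if params.get("external_id"):
        request["ExternalId"] = params["external_id"]
    if params.get("session_policy"):
        # An inline session policy is passed as a JSON string, not a dict.
        request["Policy"] = json.dumps(params["session_policy"])
    if params.get("mfa_serial"):
        # A device serial is only useful together with its one-time code.
        if not params.get("mfa_token_code"):
            raise ValueError("mfa_token_code is required when mfa_serial is set")
        request["SerialNumber"] = params["mfa_serial"]
        request["TokenCode"] = params["mfa_token_code"]
    return request


if __name__ == "__main__":
    p = resolve_params("member-222-sysid", "main-acct-sysid")
    print(json.dumps(build_assume_role_request("222222222222", p), indent=2))
```

Note that precedence is per record, as the page describes it: once a Member Account record exists, the Main Account record is not consulted for the fields it leaves empty; those come from the defaults.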
  - SOAP Service: GetMidInfo
  - Method: GetCloudServiceAccountInfo
- The MID Server uses the internal API to acquire credentials for the Service Account
  - The method used to fetch the AWS credentials from the credential table is "CloudServiceAccountCredentialsUtil.resolveCredentialForAccount(serviceAccountId)"
  - When a Discovery executes, it first looks in the Credential table for credentials using the above method and, if there are no credentials, it looks at "cloud_service_account_aws_org_assume_role_params" for temporary credentials

The Standard steps defined by AWS

Ideally, AWS Organization Discovery will work with the basic minimal steps defined below (see the AWS documentation "Granting User Permissions to Switch Roles").

1. In the member account, the 'OrganizationAccountAccessRole' role is created by default if the member account was added using the Create Account option on the AWS Organizations page and the user did not modify the default role name shown there, which is 'OrganizationAccountAccessRole'. Otherwise, a role with the name you supplied gets created in the member account.
2. If the member account was added through the Invite Account option on the AWS Organizations page, you need to manually create the 'OrganizationAccountAccessRole' role in the member account by going to IAM->Roles->Create Role->Another AWS Account and providing the main account id as the input in the Account ID field.
3. In the main account, go to IAM->Policy->Create policy->choose Service=STS->Actions=AssumeRole->Resources=Specific, Add ARN=add the Role ARN of the 'OrganizationAccountAccessRole' role created in the member account. Review, add the policy name and create the policy. Step 3 can be done by logging in as the root user, or as an IAM user that has been given the necessary privileges to create a policy.
4. Go to IAM->Users->the IAM user record you wish to have assume the role->Add Permissions->choose the policy created in step 3.
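The two policy documents those steps produce, as an added example that is not AWS's or ServiceNow's own code: the trust policy that "Another AWS Account" puts on the member-account role (step 2), optionally tied to an External ID, and the sts:AssumeRole permission policy created in the main account (step 3). The account ids are constructed placeholders, and the two check functions are assumptions added to show what each document does and does not permit.

```python
"""Added example: build and check the member-account trust policy and the
main-account AssumeRole permission policy. Not AWS's or ServiceNow's code."""
import json

MAIN_ACCOUNT_ID = "111111111111"    # constructed placeholder, not a real account
MEMBER_ACCOUNT_ID = "222222222222"  # constructed placeholder, not a real account
ROLE_NAME = "OrganizationAccountAccessRole"


def role_arn(account_id, role_name=ROLE_NAME):
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def member_trust_policy(main_account_id, external_id=None):
    """Trust policy for the role in the member account (step 2). With an
    External ID configured, the condition ties the trust to that value, which
    is what addresses the confused deputy problem."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{main_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def main_assume_role_policy(member_account_ids, role_name=ROLE_NAME):
    """Permission policy attached to the main-account IAM user (steps 3 and 4):
    sts:AssumeRole limited to the specific member-account role ARNs."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [role_arn(a, role_name) for a in member_account_ids],
        }],
    }


def trust_allows(trust_policy, main_account_id, external_id=None):
    """Would this trust policy let the main account assume the role with the
    given External ID (None meaning the caller supplied none)?"""
    for st in trust_policy["Statement"]:
        if st.get("Effect") != "Allow" or st.get("Action") != "sts:AssumeRole":
            continue
        if st["Principal"].get("AWS") != f"arn:aws:iam::{main_account_id}:root":
            continue
        required = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is None or required == external_id:
            return True
    return False


def policy_covers_role(policy, target_arn):
    """Does the main-account permission policy name this member role ARN?"""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or st.get("Action") != "sts:AssumeRole":
            continue
        resources = st["Resource"]
        resources = [resources] if isinstance(resources, str) else resources
        if target_arn in resources:
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(member_trust_policy(MAIN_ACCOUNT_ID, "ext-id-placeholder"), indent=2))
    print(json.dumps(main_assume_role_policy([MEMBER_ACCOUNT_ID]), indent=2))
```

Both documents have to agree: the trust policy names the main account as principal, and the main-account policy names the exact role ARN, so a typo in either side shows up as an AssumeRole AccessDenied rather than in the ServiceNow parameter table.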
You can choose a different role name in place of 'OrganizationAccountAccessRole' if you wish, but the steps remain the same.

Configure Temporary Credentials

1. Log in to the instance.
2. Navigator >> Cloud Management >> Service Accounts >> Organization Access Parameters >> AWS Org Assume Role Parameter
3. Create New

Access Role Name: OrganizationAccountAccessRole

Note: By default it is OrganizationAccountAccessRole, but if you have a custom-created role, enter the custom role name here.

Role Session Name: The Assume Role session name is available in the "Event" under "Event History" in the AWS console.

Session Policy:

Allow examples:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "organizations:List*",
                    "organizations:Describe*"
                ],
                "Resource": "*"
            }
        ]
    }

and

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": "*"
            }
        ]
    }

Deny example:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Deny",
                "Action": "ec2:*",
                "Resource": "*"
            }
        ]
    }

Cloud Service Account: Main Service Account

Troubleshooting

- Troubleshooting AWS Cloud Discovery Best Practices

Additional Information

- AWS Main & Member account Roles/Permissions with ServiceNow Discovery
- FAQ: AWS Main Account and IAM Roles
- AWS Main Discovery error NullPointerException at step: "Get Main account id"
- Discovery - Assume Role enhancements for AWS Organizations
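To see what the Session Policy examples under Configure Temporary Credentials actually leave a session able to do, here is an added example (not ServiceNow's or AWS's code) with a minimal policy evaluator. It applies the AWS rule that a session's permissions are the intersection of the assumed role's own policy and the session policy, with an explicit Deny winning over any Allow. Only Effect and Action are modelled; Resource and Condition are ignored, and the sample role policy and candidate action list are constructed.

```python
"""Added example: evaluate which actions survive a session policy.
Not ServiceNow's or AWS's code; models Effect/Action only."""
from fnmatch import fnmatchcase


def validate_policy(policy):
    """Return the statement list, rejecting an Effect STS would refuse
    (IAM accepts exactly "Allow" or "Deny", case-sensitive)."""
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    for st in statements:
        if st.get("Effect") not in ("Allow", "Deny"):
            raise ValueError(f"invalid Effect: {st.get('Effect')!r}")
    return statements


def _actions(statement):
    acts = statement.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def evaluate(policy, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action under one policy.
    IAM action names are case-insensitive, so both sides are lower-cased."""
    decision = "ImplicitDeny"
    for st in validate_policy(policy):
        if any(fnmatchcase(action.lower(), pat.lower()) for pat in _actions(st)):
            if st["Effect"] == "Deny":
                return "Deny"          # explicit Deny ends evaluation
            decision = "Allow"
    return decision


def session_allows(role_policy, session_policy, action):
    """An action survives only if the role policy AND the session policy allow it."""
    return (evaluate(role_policy, action) == "Allow"
            and evaluate(session_policy, action) == "Allow")


def effective_actions(role_policy, session_policy, candidates):
    return sorted(a for a in candidates if session_allows(role_policy, session_policy, a))


# Constructed sample: what the member-account access role itself permits.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:Describe*", "organizations:*", "s3:ListAllMyBuckets"],
     "Resource": "*"}]}

# The page's Deny example on its own: nothing is explicitly allowed.
DENY_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Deny", "Action": "ec2:*", "Resource": "*"}]}

# A restricting session policy: keep Organizations reads and S3, strip EC2.
RESTRICT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["organizations:List*", "organizations:Describe*", "s3:*"],
     "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:*", "Resource": "*"}]}

# Constructed candidate actions to test against.
CANDIDATES = ["ec2:DescribeInstances", "organizations:ListAccounts",
              "s3:ListAllMyBuckets", "s3:PutObject", "iam:ListRoles"]


if __name__ == "__main__":
    print("restrict :", effective_actions(ROLE_POLICY, RESTRICT, CANDIDATES))
    print("deny-only:", effective_actions(ROLE_POLICY, DENY_ONLY, CANDIDATES))
```

The second run is the caveat worth keeping in mind: because the session's permissions are an intersection, a session policy that contains only a Deny statement allows nothing at all, so the Deny example should be combined with an Allow statement (as in the RESTRICT sample) when the intent is to remove EC2 access while keeping the rest. A session policy can also never grant an action the role policy lacks, which is why s3:PutObject stays denied even though the session policy allows s3:*.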