AWS Management Account Discovery, Cross Account Discovery, and Instance Profile

Summary

ServiceNow Discovery infrastructure can utilize the AWS STS AssumeRole feature and the IAM Role / IAM Instance Profile feature to simplify your AWS discovery administration tasks. When setting up AWS discovery on your ServiceNow instance, you may consider one of the options below:

Option 1 > Use one management account in an AWS Organization to populate all child accounts, and run discovery against the child accounts without configuring credentials one by one (you only need to configure a discovery credential for the management account).

Option 2 > Use one AWS account to discover multiple "trusted" AWS accounts (e.g. cross-org accounts, member to member, member to management, etc.) without configuring credentials one by one (you only need to configure a discovery credential for one AWS account).

Option 3 > Use the IAM Role / IAM Instance Profile feature with an AWS-hosted MID Server; no discovery credential needs to be configured. Can be used with Option 1 or Option 2.

Instructions

AWS Side:

The main thing is that on the target account, a role is created with:
a) ReadOnlyAccess - this means the source account will have read-only access in the target account after assume-role
b) A trust relationship to the source account

Doc Reference:
For Option 1 - management account discovery: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html
For Option 2 - cross account discovery: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
For Option 3 - IAM role / Instance profile: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

ServiceNow Side - based on Paris release:

Doc Reference: https://docs.servicenow.com/bundle/paris-it-operations-management/page/product/discovery/concept/temp-credentials-generated-by-aws.html

Key notes:

Option 1> If you are using management account discovery, then:
-on the management service account, create a credential and tick "Is management account"
-if the role on the child accounts uses the default name OrganizationAccountAccessRole, then there is no need to create an "AWS Org Assume Role Param"
-if the role on the child accounts uses a custom name, create an "AWS Org Assume Role Param"
--only the Access role name and Cloud service account fields are required; other fields are optional
--the Cloud service account field should be the management account
--Note: PRB1431208 affects the Paris release (fixed in Paris Patch 5); the workaround is to include the ARN in the role name
-once the above are set up, on the management service account, click "Refresh Sub Accounts" to load the child accounts; this creates a discovery status and launches the pattern that brings in all child accounts

Option 2> If you are using cross account discovery, for example from Child to Management, then:
-on the source service account, create a credential; there is no need to pick a parent even if it is a child account. Once all is set up, clicking "Refresh Sub Accounts" on the management account will populate this
-on the target service account (the management account), leave the credential empty and tick "Is management account" (if the target account is not a management account, there is no need to tick it)
-on the target service account, pick the source service account in the "Accessor account" field - very important, new in Paris
-create an "AWS Cross Assume Role Param" - new in Paris
--only the Access role name and Cloud service account fields are required; other fields are optional
--the Cloud service account field should be the target account / management account (Note: this is different from the AWS Org Assume Role Param, which needs the source account in that field)
-once the above are set up, on the target service account, run "Discover Datacenters" to confirm it is working
-if the target service account is a management account, then "Refresh Sub Accounts" should also work
-for a demonstration, see the doc attached to this KB

Option 3> You can use an instance profile / IAM role with Management / Cross account discovery as in Option 1> and 2> above.
-leave the credential field empty for all service accounts
-configure the parameter mid.aws.instance_profile_name on the MID Server with the IAM role name

Related Links

To troubleshoot, add the mid.log.level MID Server parameter with value debug, then check the agent log.
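The AWS-side requirement above (a role in the target account with ReadOnlyAccess and a trust relationship to the source account) and the role-name handling in the ServiceNow notes (default OrganizationAccountAccessRole, a custom name, or a full ARN as the PRB1431208 workaround) are illustrated by the following added example. It is not ServiceNow's or AWS's code. It builds the trust policy document for the target-side role, lints it so the trust is no wider than the intended source account, and resolves the role ARN that the assume-role step will target. The account IDs are constructed placeholders, the lint rules are this example's own, and narrowing the trust to a single source role (source_role_name) is an extra hardening choice the KB does not require.

```python
"""
Added example (not ServiceNow's or AWS's code): trust policy, read-only
attachment and role ARN resolution for the AssumeRole-based discovery role.
Account IDs used in the demo are constructed placeholders.
"""
import json
import re
from typing import Dict, List, Optional

# Managed policy the KB asks for on the target-side role (part a of the AWS side).
READ_ONLY_POLICY_ARN = "arn:aws:iam::aws:policy/ReadOnlyAccess"
# Default child-account role name named in the KB (no Assume Role Param needed).
DEFAULT_ORG_ROLE = "OrganizationAccountAccessRole"
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")


def build_trust_policy(source_account_id: str,
                       source_role_name: Optional[str] = None) -> Dict:
    """Trust relationship for the role in the target account (part b of the AWS side).

    Trusts only the given source account. If source_role_name is given (assumed,
    optional hardening), the trust is narrowed to that one role in the source account.
    """
    if not ACCOUNT_ID_RE.match(source_account_id):
        raise ValueError(f"invalid AWS account id: {source_account_id!r}")
    if source_role_name:
        principal = f"arn:aws:iam::{source_account_id}:role/{source_role_name}"
    else:
        principal = f"arn:aws:iam::{source_account_id}:root"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal},
            "Action": "sts:AssumeRole",
        }],
    }


def lint_trust_policy(policy: Dict, expected_source_account: str) -> List[str]:
    """Defender-side check: list every way the trust is broader than intended."""
    findings: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            # "*" (or any non-dict principal) means anyone may assume the role.
            findings.append(f"overly broad principal: {principal!r}")
            continue
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        for p in aws:
            if p == "*":
                findings.append("principal AWS '*' lets any AWS principal assume the role")
            elif expected_source_account not in p:
                findings.append(f"unexpected trusted principal: {p}")
    return findings


def resolve_role_arn(target_account_id: str,
                     access_role_name: Optional[str] = None) -> str:
    """ARN the source account passes to sts:AssumeRole.

    Accepts a bare role name (defaulting to OrganizationAccountAccessRole) or a
    full role ARN, which is what the PRB1431208 workaround puts in the name field.
    """
    if access_role_name and ROLE_ARN_RE.match(access_role_name):
        return access_role_name
    if not ACCOUNT_ID_RE.match(target_account_id):
        raise ValueError(f"invalid AWS account id: {target_account_id!r}")
    return f"arn:aws:iam::{target_account_id}:role/{access_role_name or DEFAULT_ORG_ROLE}"


def role_definition(target_account_id: str, source_account_id: str,
                    role_name: str = DEFAULT_ORG_ROLE,
                    source_role_name: Optional[str] = None) -> Dict:
    """Everything needed to create the target-side role: name, trust, managed policy, ARN."""
    return {
        "RoleName": role_name,
        "AssumeRolePolicyDocument": build_trust_policy(source_account_id, source_role_name),
        "AttachedManagedPolicies": [READ_ONLY_POLICY_ARN],
        "RoleArn": resolve_role_arn(target_account_id, role_name),
    }


if __name__ == "__main__":
    # Constructed sample: management account 111111111111 assuming into child 222222222222.
    defn = role_definition("222222222222", "111111111111")
    print(json.dumps(defn, indent=2))
    print("lint:", lint_trust_policy(defn["AssumeRolePolicyDocument"], "111111111111"))
```

The trust document returned by build_trust_policy is what goes into the role's trust relationship in the target account; the ReadOnlyAccess ARN is the managed policy attached to that same role. Running lint_trust_policy against the trust document of an existing role is a quick way to confirm the target account trusts only the management or accessor account configured in ServiceNow, and nothing wider.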