Member to Master Discovery using Accessor account

Table of Contents

Overview
AWS Console Config used for Testing
Use Case-1: Discovery with Credentials
  Step-1: Accessor Account Configurations: (Account-A)
  Step-2: Master Account Configurations: (Account-B)
  Step-3: Member Account Configurations: (Account-C)
  Step-4: Create a discovery schedule for the Master account that will discover all the members using "Discovery Manager"
Use Case-2: Discovery without Credentials (Credential-Less Discovery)
  Step-1: Accessor Account Configurations: (Account-A)
  Step-2: Master Account Configurations: (Account-B)
  Step-3: Member Account Configurations: (Account-C)
  Step-4: Create a discovery schedule for the Master account that will discover all the members using "Discovery Manager"

Overview

ServiceNow AWS Organization Discovery can be configured in three ways:

1. Master and Member have a trust relationship through the default "OrganizationAccountAccessRole". During Org Discovery, the Member account uses the Master credentials for subscription and resource discovery.
2. Master and Member have a trust relationship through a custom role. During Org Discovery, the Member account uses the Master credentials for subscription and resource discovery.
3. Master and Member have a trust relationship through a custom role. During Org Discovery, temporary credentials are used for subscription and resource discovery of both Master and Member.

This article explains the use cases and gives configuration examples on the AWS console and on the ServiceNow instance.

Use cases
1. Discovery with credentials
2. Discovery without credentials (Credential-Less Discovery)

AWS Console Config used for Testing

S.NO  Account    Type              Account ID        Role Created
1.    Account-A  Accessor Account  Ending with 2306  MemberRole
2.    Account-B  Master Account    Ending with 8211  MasterRole
3.    Account-C  Member Account    Ending with 2944  MemberRole

Use Case-1: Discovery with Credentials

Scenario: First, discover Account-B using Account-A. Second, discover Account-C using Account-B (which internally uses Account-A).

To perform AWS Member to Master cloud discovery using an Accessor account with credentials, follow the steps below.

Step-1: Accessor Account Configurations: (Account-A)

AWS Side Configurations
1. Log in to the Accessor account on the AWS console.
2. Spin up an EC2 instance.

Instance Side Configurations
1. Set up a MID Server on the EC2 instance and connect it to your ServiceNow instance.
2. Create an entry for the Accessor account credentials in the Credentials table (aws_credentials).
3. Create an entry for the Accessor account in the Service Accounts table (cmdb_ci_cloud_service_account). Also create an entry for the parent account if one exists, and fill in the Parent account field. In the current scenario the Accessor account's parent is the Master account; the Master account configuration is explained in detail in Step-2.
4. Click "Discover Datacenters" in the Related Links. If it completes successfully, proceed to the next steps; otherwise re-check your configurations.

Step-2: Master Account Configurations: (Account-B)

AWS Side Configurations
1. Log in to the Master account on the AWS console.
2. Create an IAM role and give it the permissions and trust relationship as follows. Master-Policy gives the role (MasterRole) permission to assume a role (MemberRole) in any account (*).

Instance Side Configurations
1. Configure the Master account in the Service Accounts table as follows.
2. Add an entry in the AWS Cross Assume Role Params table for the role created in the Master account.
3. Click "Discover Datacenters" in the Related Links. If the discovery is successful, you are good to go.

Step-3: Member Account Configurations: (Account-C)

1. Log in to the Member account on the AWS console.
2. An IAM role is needed as shown below. Note that this is the same ARN that was used in the policy created in the Master account.
3. Create an entry for the Member account (Account-C) in the Service Accounts table (cmdb_ci_cloud_service_account).
4. Add an entry for the assume role created in the Member account (Account-C) in the AWS Org Assume Role Params table. If you are using an instance prior to Paris Patch 5, add the full ARN in the Access Role Name field of the AWS Org Assume Role Params table. Add an entry to this table only if you are using a custom role; do not add any entry if you are using "OrganizationAccountAccessRole".
5. Click "Discover Datacenters" in the Related Links. If the discovery is successful, you are good to go.

Step-4: Create a discovery schedule for the Master account that will discover all the members using "Discovery Manager"

Use Case-2: Discovery without Credentials (Credential-Less Discovery)

To perform AWS Member to Master cloud discovery using an Accessor account without credentials, ServiceNow implements the concept of "Assume an AWS role for temporary Cloud Discovery credentials".

Step-1: Accessor Account Configurations: (Account-A)

AWS Side Configurations
1. Log in to the Accessor account (Account-A) on the AWS console.
2. Spin up an EC2 instance and attach an IAM role to it, for example "MemberRole". The IAM role configuration (MemberRole) is as follows. Make sure you create a ReadOnlyAccess policy and attach it to the newly created IAM role.
3. Once the IAM role configuration is done, set up a MID Server on the EC2 instance and point it to your ServiceNow instance.

Instance Side Configurations
1. On the ServiceNow instance, add "mid.aws.instance_profile_name" to the MID Server configuration parameters. The value of this parameter is the IAM role attached to the EC2 instance (just the role name, not the full ARN).
2. Create an entry for the Accessor account (Account-A) in the Service Accounts table (cmdb_ci_cloud_service_account). Also create an entry for the parent account if one exists.
3. Click "Discover Datacenters" in the Related Links. If it completes successfully, proceed to the next steps; otherwise re-check your configurations.

Step-2: Master Account Configurations: (Account-B)

AWS Side Configurations
1. Log in to the Master account on the AWS console.
2. An IAM role is needed as shown below. Note that this is the same ARN that was used in the policy created in the Accessor account.

Instance Side Configurations
1. Configure the Master account in the Service Account (cmdb_ci_cloud_service_account) table as follows.
2. Add an entry in the AWS Cross Assume Role Params (cloud_service_account_aws_cross_assume_role_params) table for the role created in the Master account.
3. Click "Discover Datacenters" in the Related Links. If the discovery is successful, you are good to go.

Step-3: Member Account Configurations: (Account-C)

Refer to Step-3 of Use Case 1.

Step-4: Create a discovery schedule for the Master account that will discover all the members using "Discovery Manager"

Refer to Step-4 of Use Case 1.
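Both use cases depend on the same AssumeRole hop: the Master-Policy on MasterRole (Account-B) must allow assuming MemberRole, and the trust policy on MemberRole (Account-C) must name the MasterRole ARN, which is the "same ARN" the Step-3 note refers to. The following Python is an added example, not ServiceNow's or AWS's code, that checks such a hop offline from the policy JSON before you click "Discover Datacenters"; the policy documents and the 12-digit account IDs are constructed (only the last four digits follow the test setup table), and the article's own screenshots may differ.

```python
import fnmatch

# Constructed account IDs; only the last four digits follow the test setup table.
MASTER_ID, MEMBER_ID = "222222228211", "333333332944"
MASTER_ROLE = f"arn:aws:iam::{MASTER_ID}:role/MasterRole"
MEMBER_ROLE = f"arn:aws:iam::{MEMBER_ID}:role/MemberRole"

# Constructed Master-Policy on MasterRole (Account-B): may assume MemberRole in any account (*).
MASTER_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::*:role/MemberRole"}]}

# Constructed trust policy on MemberRole (Account-C): only the MasterRole ARN may assume it.
MEMBER_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": MASTER_ROLE}}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(statement):
    """AWS principals of a trust statement; a bare "*" principal means anyone."""
    principal = statement.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))

def permission_allows(policy, target_arn):
    """True if an Allow statement grants sts:AssumeRole on target_arn (IAM wildcards honoured)."""
    return any(st.get("Effect") == "Allow"
               and any(fnmatch.fnmatchcase("sts:AssumeRole", a) for a in _as_list(st.get("Action", [])))
               and any(fnmatch.fnmatchcase(target_arn, r) for r in _as_list(st.get("Resource", [])))
               for st in policy["Statement"])

def trust_allows(trust, caller_arn):
    """True if the target's trust policy names caller_arn explicitly; a "*" principal is not accepted."""
    return any(st.get("Effect") == "Allow" and caller_arn in _principals(st)
               for st in trust["Statement"])

def open_to_anyone(trust):
    """Misconfiguration check: the trust policy lets any AWS principal assume the role."""
    return any(st.get("Effect") == "Allow" and "*" in _principals(st) for st in trust["Statement"])

def hop_ok(caller_arn, caller_policy, target_arn, target_trust):
    """An AssumeRole hop needs both sides: the caller's permission and the target's trust."""
    return permission_allows(caller_policy, target_arn) and trust_allows(target_trust, caller_arn)

if __name__ == "__main__":
    print("MasterRole -> MemberRole hop:", hop_ok(MASTER_ROLE, MASTER_POLICY, MEMBER_ROLE, MEMBER_TRUST))
    print("MemberRole trust open to anyone:", open_to_anyone(MEMBER_TRUST))
```

For Use Case 2 the same check applies to the first hop, with the EC2 instance role in Account-A as the caller and MasterRole's trust policy as the target.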