AWS Non-Default Regions/Datacenters with IAM Policy (Master/Member Config)

Issue details

ServiceNow Cloud Discovery supports 4 methods of AWS Discovery with regular credentials, and also uses IAM Policy (Master/Member) along with temporary credentials:

- Amazon AWS Cloud Discovery
- Creating AssumeRole on AWS Console for AWS Management/Member Discovery
- AWS Organizations and Temporary Credentials
- MEMBER TO MASTER DISCOVERY USING ACCESSOR ACCOUNT

Discovery succeeds with any of the configurations above. For AWS non-default Regions/Datacenters, however, Discovery may succeed with direct credentials but fails with 401/403 Authentication/Authorization errors.

Example: the ap-east-1 Datacenter fails with the error below even though the IAM policy and trust relationship work as expected for other Datacenters/Regions:

com.amazonaws.services.ec2.model.AmazonEC2Exception: AWS was not able to validate the provided access credentials (Service: AmazonEC2; Status Code: 401; Error Code: AuthFailure; Request ID: a373ba4c-0143-48a8-8f38-dc281684faaf)

AWS Non-Default Regions/Datacenters

List of non-default Regions/Datacenters:

- Africa (Cape Town) af-south-1
- Asia Pacific (Hong Kong) ap-east-1
- Asia Pacific (Jakarta) ap-southeast-3
- Europe (Milan) eu-south-1
- Middle East (Bahrain) me-south-1

Cause of the issue

ServiceNow CAPI/Patterns Discovery calls the global STS endpoint (sts.amazonaws.com) and expects the session tokens it issues to be valid in all AWS Regions. By default, session tokens from the global endpoint are valid only in AWS Regions enabled by default, so requests to non-default Regions are rejected.

Solution

In the member accounts using non-default Regions/Datacenters:

1. Open the IAM console.
2. In the navigation pane, choose Account settings.
3. If necessary, expand the Security Token Service (STS) section.
4. In the first table, next to the Global endpoint, the Region compatibility of session tokens column indicates Valid only in AWS Regions enabled by default. Choose Change.
5. In the Change region compatibility of session tokens for global endpoint dialog box, select Valid in all AWS Regions. Then choose Save changes.
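
An added example, not part of the original article or ServiceNow's code: a pre-flight check that reads each member account's `aws iam get-account-summary` output and reports which Discovery Regions will reject session tokens from the global endpoint. The function names, account IDs and sample summaries are constructed for illustration, and a missing GlobalEndpointTokenVersion key is assumed to mean version 1.

```python
import json

# Non-default Regions exactly as listed in this article (AWS may add more).
OPT_IN_REGIONS = {"af-south-1", "ap-east-1", "ap-southeast-3",
                  "eu-south-1", "me-south-1"}


def global_token_version(account_summary_json):
    """Read the STS global-endpoint token version from the JSON printed by
    `aws iam get-account-summary` (SummaryMap.GlobalEndpointTokenVersion)."""
    summary = json.loads(account_summary_json).get("SummaryMap", {})
    # Assumption: a missing key is treated as version 1, the restrictive setting.
    return int(summary.get("GlobalEndpointTokenVersion", 1))


def regions_at_risk(account_summary_json, discovery_regions):
    """Regions where a token from sts.amazonaws.com will be rejected."""
    if global_token_version(account_summary_json) >= 2:
        return []  # "Valid in all AWS Regions" is already selected
    return sorted(r for r in discovery_regions if r in OPT_IN_REGIONS)


def preflight(summaries, discovery_regions):
    """Map each member account that still needs the change to its affected Regions."""
    report = {}
    for account_id, summary_json in summaries.items():
        affected = regions_at_risk(summary_json, discovery_regions)
        if affected:
            report[account_id] = affected
    return report


# Constructed sample input: account IDs and summaries are made up for the example.
SAMPLE_SUMMARIES = {
    "111111111111": '{"SummaryMap": {"Users": 4, "GlobalEndpointTokenVersion": 1}}',
    "222222222222": '{"SummaryMap": {"Users": 9, "GlobalEndpointTokenVersion": 2}}',
}
SAMPLE_REGIONS = ["us-east-1", "ap-east-1", "eu-south-1"]

if __name__ == "__main__":
    for account, regions in preflight(SAMPLE_SUMMARIES, SAMPLE_REGIONS).items():
        print(f"{account}: change STS global endpoint setting; affected: {regions}")
        # CLI equivalent of the console steps above:
        print("  aws iam set-security-token-service-preferences "
              "--global-endpoint-token-version v2Token")
```

Run it against real output by replacing the sample summaries with the JSON from `aws iam get-account-summary` for each member account.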