CDW: AWS Cross Assume Role functionality is not working

Description

Customers are experiencing issues with the AWS Cross Assume Role functionality in the Cloud Discovery (CDW) product. The "Test account" validation fails with the error "The credentials can't be used with the account ID provided Pattern name: Amazon AWS Service account", and the MID Server logs show that temporary credentials cannot be generated. The root cause is not explicitly identified in the task information.

Steps to Reproduce

Instance details:

1. Log in to the instance.
2. Navigate to CDW -> Cloud Discovery -> New Discovery Schedule.
3. Discover the AWS "lior" member account (for example, 810936647410) using a credential.
4. Once that discovery succeeds, open New Discovery Schedule again.
5. Discover the member account 834190647410 using the accessor role arn:aws:iam::834190521222:role/accessor-mem-mem-sri, and select the lior account as the account for access.
6. Perform the "Test account" validation.

Expected result: the AWS cross-account assume role works without error.

Actual result: the "Test account" validation fails with the error "The credentials can't be used with the account ID provided Pattern name: Amazon AWS Service account", and the MID Server logs show "Not able to generate the temporary credentials."

MID Server logs:

    2024-10-23T10:30:22.943+0000 INFO (Worker-Interactive:HorizontalDiscoveryProbe-7873caeb2b1152105f7bfb466e91bf30) [MIDSystem:35] *** Script: AWSHostBuilder Class Not Found, or Run Failed. Make sure you have installed the latest discovery patterns store release.
    TypeError: Cannot read property "length" from null
    2024-10-23T10:30:22.949+0000 INFO (Worker-Interactive:HorizontalDiscoveryProbe-7873caeb2b1152105f7bfb466e91bf30) [MIDSystem:35] *** Script: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> in cloudApiExecute
    2024-10-23T10:30:23.989+0000 INFO (Worker-Interactive:HorizontalDiscoveryProbe-7873caeb2b1152105f7bfb466e91bf30) [StandardCredentialsProvider:436] 5 Credentials from instance loaded
    2024-10-23T10:30:23.990+0000 INFO (Worker-Interactive:HorizontalDiscoveryProbe-7873caeb2b1152105f7bfb466e91bf30) [MIDCredentialsConfigProvider$MyEventListener:95] com.service_now.mid.creds.provider.standard.StandardCredentialsProvider reloaded
    2024-10-23T10:30:23.990+0000 WARN (Worker-Interactive:HorizontalDiscoveryProbe-7873caeb2b1152105f7bfb466e91bf30) [CloudServiceAccountCredentialUtil:261] resolveCredentialForAccount(): Inconsistent state: could not locate credential for service account with id '834190521222' even though credential sys_id of 'null' was found.
    2024-10-23T10:30:23.990+0000 INFO (Worker-Interactive:HorizontalDiscoveryProbe-7873caeb2b1152105f7bfb466e91bf30) [RhinoExceptions:85] Couldn't decipher the stack trace resulting from the following JavaScriptException:
    2024-10-23T10:30:23.990+0000 ERROR (Worker-Interactive:HorizontalDiscoveryProbe-7873caeb2b1152105f7bfb466e91bf30) [RhinoExceptions:86] com.snc.sw.exception.CommandFailureException: Cloud credentials are missing for https://organizations.us-east-1.amazonaws.com . Not able to generate the temporary credentials. Please check the mid server logs for exact error. (script_include:AwsApiCommand; line 209)
    org.mozilla.javascript.JavaScriptException: com.snc.sw.exception.CommandFailureException: Cloud credentials are missing for https://organizations.us-east-1.amazonaws.com . Not able to generate the temporary credentials. Please check the mid server logs for exact error. (script_include:AwsApiCommand; line 209)
        at org.mozilla.javascript.Interpreter.interpretLoop(Interpreter.java:1164)
        at script(script_include:AwsApiCommand:209)
        at org.mozilla.javascript.Interpreter.interpret(Interpreter.java:904)

Workaround

This KB article documents the workaround for customers whose AWS Cross-Account Assume Role functionality is not working. This functionality is needed to securely access resources across different AWS accounts, and its failure prevents customers from discovering member accounts through an accessor role. The fix will be available from the Zurich release onwards; until then, the team can use this article to provide the workaround to customers.

The workaround requires two changes to the script include CloudDiscoveryScheduleConfig, as outlined below.

1.
In the initializeValidateAccount and getServiceAccountDetailsFromGR functions, the credential reference (existingCredentialsRef, and the discoveryCredentials property respectively) is derived from the discovery_credentials field of the service account record. If discovery_credentials is either the string 'null' or the actual value null, set the reference to an empty string; otherwise use the field value as-is. This ensures the credential reference is properly initialised and validated before the service account details are processed.

    // initializeValidateAccount
    existingCredentialsRef = (existingAccountGR.getValue('discovery_credentials') == 'null' || existingAccountGR.getValue('discovery_credentials') === null) ? "" : existingAccountGR.getValue('discovery_credentials');

    // getServiceAccountDetailsFromGR (property of the returned details object)
    discoveryCredentials: (serviceAccountGR.getValue('discovery_credentials') === null || serviceAccountGR.getValue('discovery_credentials') == 'null') ? '' : serviceAccountGR.getValue('discovery_credentials'),

2. In initializeValidateAccount, in the code that handles the "Select Account" scenario, add a short sleep after issuing the service account reload command so that the MID Server and the instance are synchronised before validation proceeds. Without this wait, the MID Server may validate against credential data that is out of date with respect to the instance.

    new MIDServerSystemCommandUtil().issueSystemCommandToSpecificMID('service_account_reload', midServer, [{ "name": "skip_debounce", "value": "true" }]);
    gs.sleep(2000);

These two changes to the script include avoid the AWS Cross-Account Assume Role validation failure, restoring access to resources across different AWS accounts.
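The following is an added example, not ServiceNow's code, that models the two CloudDiscoveryScheduleConfig changes as plain JavaScript so the failure path can be exercised offline. The MID Server log above shows a credential sys_id of 'null' being looked up and not found; the example reproduces that outcome with an unnormalised 'null' reference, then shows the normalised path falling through to the accessor role, and a MID-side cache that only sees a newly created credential after a reload. The record shape, the field names other than discovery_credentials (account_id, accessor_role_arn, account_for_access) and the cache are hypothetical; the account ids and role ARN are the ones from the reproduction steps.

```javascript
// Added illustration, not ServiceNow's code. Field names other than discovery_credentials
// and the MID cache shape are hypothetical stand-ins.

// Change 1: treat JavaScript null and the literal string 'null' as "no credential".
// An unpopulated GlideRecord field returns null, and that null can be persisted as the
// string 'null'; either must collapse to '' before it is used as a credential reference.
function normalizeCredentialRef(raw) {
  if (raw === null || raw === undefined || raw === 'null') {
    return '';
  }
  return String(raw);
}

// Constructed stand-in for a service-account GlideRecord row: getValue() returns null
// for fields that were never set.
function accountRecord(fields) {
  return {
    getValue: function (name) {
      return Object.prototype.hasOwnProperty.call(fields, name) ? fields[name] : null;
    }
  };
}

// Constructed stand-in for the MID Server's credential cache: it only knows the
// credentials loaded from the instance at its last reload.
function MidCredentialCache() {
  this.loaded = {};
}
MidCredentialCache.prototype.reload = function (instanceCredentials) {
  this.loaded = {};
  for (var i = 0; i < instanceCredentials.length; i++) {
    this.loaded[instanceCredentials[i].sys_id] = instanceCredentials[i];
  }
};

// Decide how the MID authenticates the "Test account" call: a non-empty reference is
// looked up directly, an empty one means assuming the accessor role via the selected
// "account for access". `normalize` toggles change 1 on and off.
function resolveAccountAuth(cache, gr, normalize) {
  var ref = gr.getValue('discovery_credentials');
  if (normalize) {
    ref = normalizeCredentialRef(ref);
  }
  var accountId = gr.getValue('account_id');
  if (ref !== '' && ref !== null) {
    var cred = cache.loaded[ref];
    if (!cred) {
      // Same state as the WARN in the MID log: a sys_id was "found" on the record,
      // but no credential with that sys_id exists on the MID.
      return {
        ok: false,
        reason: "could not locate credential for service account with id '" + accountId +
          "' even though credential sys_id of '" + ref + "' was found"
      };
    }
    return { ok: true, mode: 'direct', credentialId: cred.sys_id };
  }
  var roleArn = gr.getValue('accessor_role_arn');
  var viaAccount = gr.getValue('account_for_access');
  if (!roleArn || !viaAccount) {
    return { ok: false, reason: 'no credential and no accessor role to assume' };
  }
  return { ok: true, mode: 'assume_role', viaAccount: viaAccount, roleArn: roleArn };
}

// Change 2, modelled: reload the MID cache from the instance before validating so a
// credential saved on the instance moments ago is visible. In the real script the reload
// command is asynchronous, which is why gs.sleep(2000) follows it.
function validateAfterReload(cache, instanceCredentials, gr) {
  cache.reload(instanceCredentials);
  return resolveAccountAuth(cache, gr, true);
}

// Constructed samples: the member account discovered via the accessor role, with
// discovery_credentials stored as the string 'null', and an account that references a
// credential created on the instance after the MID's last reload.
var MEMBER_VIA_ROLE = accountRecord({
  discovery_credentials: 'null',
  account_id: '834190521222',
  accessor_role_arn: 'arn:aws:iam::834190521222:role/accessor-mem-mem-sri',
  account_for_access: '810936647410'
});
var MEMBER_DIRECT = accountRecord({
  discovery_credentials: 'cred_sys_id_placeholder',
  account_id: '810936647410'
});
var INSTANCE_CREDENTIALS = [{ sys_id: 'cred_sys_id_placeholder', name: 'lior-aws-key' }];

function demo() {
  var cache = new MidCredentialCache();
  return {
    roleBeforeFix: resolveAccountAuth(cache, MEMBER_VIA_ROLE, false),
    roleAfterFix: resolveAccountAuth(cache, MEMBER_VIA_ROLE, true),
    directStaleMid: resolveAccountAuth(cache, MEMBER_DIRECT, true),
    directAfterReload: validateAfterReload(cache, INSTANCE_CREDENTIALS, MEMBER_DIRECT)
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block prints the four outcomes: the unnormalised 'null' reference fails with the same "could not locate credential ... even though credential sys_id of 'null' was found" message as the MID log, the normalised record resolves to the assume-role path through the lior account, and the direct-credential record only resolves once the MID cache has been reloaded from the instance.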
Related Problem: PRB1819892