Service Graph Connector for GCP Vertex AI - Setup Instructions

Summary

This KB article describes the steps to set up the GCP environment. With this setup, Service Graph Connector for GCP Vertex AI will securely integrate with GCP and load CI data into the CMDB. Detailed documentation of the overall flow and the components used is available on docs.servicenow.com and in Community articles.
Release

AI Service Graph Connector for GCP Vertex AI v1.0.0

Instructions
Summary:
- Create a ServiceNow Service Account
  - One Service Account for the entire organization
  - Multiple Service Accounts for the organization
- SnowOrgRole - IAM role
- SnowProjRole - IAM role
- Binding roles to Service Account
- JKS file creation
- API list

1. Create ServiceNow Service Account

For the ServiceNow SGC-GCP to securely integrate with the GCP environment, a Service Account is created in a GCP project. A Service Account may have access to all projects or to a selected group of projects, depending on the security configuration. Depending on the setup, you may need to create one or more Service Accounts and register their security credential files in your ServiceNow instance.

A Service Account is created by running the command below:

gcloud iam service-accounts create snow-sgc-sa --project=PROJECT_ID

Here "snow-sgc-sa" is the name of the Service Account; you may choose a different name in accordance with your company's naming conventions. Replace PROJECT_ID with the ID of the project. The Service Account created will look like snow-sgc-sa@example.iam.gserviceaccount.com, where "example" is the project ID.

1.1 One Service Account for the entire organization

This configuration grants restricted read-only access to all of the organization's projects to a single Service Account that is created in one project.

1.2 Multiple Service Accounts for the organization

In this arrangement, each Service Account has restricted visibility and access to only a portion of the projects. This restriction can be implemented via a Service Perimeter or via IAM role access. In this case, you must set up one Service Account per perimeter and grant it the necessary IAM rights for the assigned projects. The following is an illustration of service perimeters created using groups of projects.
| GCP Folder | GCP Project | Service Perimeter | Service Account |
|---|---|---|---|
| Folder 1 | Project-1 | Perimeter-1 | Service Account 1: snow-perimeter1@PROJECT_ID.iam.gserviceaccount.com |
| | Project-2 | | |
| | Project-3 | | |
| Folder 2 | Project-4 | Perimeter-2 | Service Account 2: snow-perimeter2@PROJECT_ID.iam.gserviceaccount.com |
| | Project-5 | | |
| | Project-6 | | |
| | Project-7 # | Perimeter-3 | Service Account 3: snow-perimeter3@PROJECT_ID.iam.gserviceaccount.com |
| Folder 3 | Project-8 | | |
| | Project-9 | | |
| | Project-10 | | |

# Project-7 belongs to Folder 2, but it is bound to Perimeter-3.

2. SnowOrgRole - IAM role

2.1 One Service Account for the entire organization

In this setup, you need to create only one role, 'SnowOrgRole', with the list of permissions below. These are read-only permissions scoped to specific APIs; refer to section 6, 'API List & IAM Permission', for the API-to-IAM mapping.

- resourcemanager.organizations.get
- resourcemanager.projects.get
- resourcemanager.projects.list
- aiplatform.user
- cloudtrace.user

gcloud command to create 'SnowOrgRole':

gcloud iam roles create SnowOrgRole --organization=ORGANIZATION_ID \
--permissions=resourcemanager.organizations.get,\
resourcemanager.projects.get,\
resourcemanager.projects.list,\
aiplatform.user,\
cloudtrace.user

2.2 Multiple Service Accounts for the organization

In this scenario, we need to create two roles: SnowOrgRole and SnowProjRole. The IAM permission below applies only at the organization level, with the role 'SnowOrgRole'.

- resourcemanager.organizations.get

gcloud command to create 'SnowOrgRole':

gcloud iam roles create SnowOrgRole --organization=ORGANIZATION_ID \
--permissions=resourcemanager.organizations.get

3. SnowProjRole - IAM role

This step can be skipped if you use "One Service Account for the entire organization," since SnowOrgRole already has the necessary permissions. The IAM permissions below should be granted through a role created in each project.
- resourcemanager.projects.get
- resourcemanager.projects.list
- aiplatform.user
- cloudtrace.user

gcloud command to create 'SnowProjRole':

gcloud iam roles create SnowProjRole --project=PROJECT_ID \
--permissions=resourcemanager.projects.get,\
resourcemanager.projects.list,\
aiplatform.user,\
cloudtrace.user

4. Binding Roles to Service Account

Binding the SnowOrgRole or SnowProjRole IAM role to the Service Account grants it the ability to make the necessary API calls.

4.1 Binding SnowOrgRole to the Service Account

You need to execute the command below whether you have chosen the 'One Service Account for the entire organization' or the 'Multiple Service Accounts for the organization' option.

gcloud organizations add-iam-policy-binding ORGANIZATION_ID --member=serviceAccount:snow-sgc-sa@example.iam.gserviceaccount.com --role=organizations/ORGANIZATION_ID/roles/SnowOrgRole

Note: snow-sgc-sa@example.iam.gserviceaccount.com should be replaced with your Service Account.

4.2 Binding SnowProjRole to Service Account(s)

The SnowOrgRole should be bound to each Service Account:

gcloud organizations add-iam-policy-binding ORGANIZATION_ID --member=serviceAccount:snow-sgc1-sa@example.iam.gserviceaccount.com --role=organizations/ORGANIZATION_ID/roles/SnowOrgRole

If you chose "Multiple Service Accounts for the organization," you must also bind SnowProjRole in each project. Syntax:

gcloud projects add-iam-policy-binding PROJECT_ID --member=serviceAccount:snow-sgc-sa@PROJECT_ID.iam.gserviceaccount.com --role=projects/PROJECT_ID/roles/SnowProjRole

For instance, if you planned to grant access to Projects 1, 2 and 3 using Service Account 1 (snow-perimeter1@PROJECT_ID.iam.gserviceaccount.com), you would need to create three bindings:
gcloud projects add-iam-policy-binding project1 --member=serviceAccount:snow-sgc1-sa@project1.iam.gserviceaccount.com --role=projects/project1/roles/SnowProjRole
gcloud projects add-iam-policy-binding project2 --member=serviceAccount:snow-sgc1-sa@project1.iam.gserviceaccount.com --role=projects/project2/roles/SnowProjRole
gcloud projects add-iam-policy-binding project3 --member=serviceAccount:snow-sgc1-sa@project1.iam.gserviceaccount.com --role=projects/project3/roles/SnowProjRole

5. JKS File Creation

Refer to the JKS creation steps in the following DOC.

6. API List & IAM Permission

| # | API | Required IAM Permission | Purpose |
|---|---|---|---|
| 1 | https://cloudresourcemanager.googleapis.com/v1/projects?filter=parent.type:organization%20parent.id:<organization_id> | resourcemanager.projects.get, resourcemanager.projects.list, resourcemanager.organizations.get [needed only if filtering projects using organization ID] | Get project details |
| 5 | https://{{location}}-aiplatform.googleapis.com/v1/projects/{{projectNumber}}/locations/{{location}}/reasoningEngines | aiplatform.user | List Reasoning Engines information |
| 7 | https://cloudtrace.googleapis.com/v1/projects/{{projectNumber}}/traces?startTime={{loggingStartTime}}&endTime={{loggingEndTime}}&pageSize=100&orderBy=start&filter=+span:invocation&view=COMPLETE | cloudtrace.user | Get Cloud Trace details for reasoning engine invocation |
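Once the bindings in section 4 are in place, a practitioner will want to verify that every project carries exactly the binding the perimeter table in section 1.2 prescribes and nothing more. The Python script below is an added example, not part of the connector or this KB; it audits IAM policy data of the shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`, using constructed sample policies, the project names from the table, and the page's PROJECT_ID placeholder in the service account addresses (the `snow-` name prefix is an assumption).

```python
# Perimeter layout from section 1.2: each service account may hold SnowProjRole only in
# the projects of its own perimeter. Project-7 sits in Folder 2 but is bound to Perimeter-3.
PERIMETERS = {
    "snow-perimeter1@PROJECT_ID.iam.gserviceaccount.com": ["project1", "project2", "project3"],
    "snow-perimeter2@PROJECT_ID.iam.gserviceaccount.com": ["project4", "project5", "project6"],
    "snow-perimeter3@PROJECT_ID.iam.gserviceaccount.com": ["project7", "project8", "project9", "project10"],
}
EXPECTED_SA = {p: sa for sa, projects in PERIMETERS.items() for p in projects}
SNOW_PREFIX = "serviceAccount:snow-"  # assumed naming convention for the connector's accounts

def audit_project_policy(project, policy):
    """Check one project's IAM policy (dict as parsed from `gcloud projects get-iam-policy
    PROJECT --format=json`) against the perimeter table; returns a list of findings."""
    findings = []
    expected_member = "serviceAccount:" + EXPECTED_SA[project]
    expected_role = f"projects/{project}/roles/SnowProjRole"
    # Collect every role held by any connector service account in this project.
    roles_by_member = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member.startswith(SNOW_PREFIX):
                roles_by_member.setdefault(member, set()).add(binding["role"])
    if expected_role not in roles_by_member.get(expected_member, set()):
        findings.append(f"{project}: {expected_member} is missing {expected_role}")
    for member, roles in roles_by_member.items():
        if member != expected_member:
            findings.append(f"{project}: {member} is bound here but belongs to another perimeter")
        for role in sorted(roles - {expected_role}):  # anything beyond SnowProjRole is excess
            findings.append(f"{project}: {member} holds extra role {role}")
    return findings

def audit_all(policies):
    """Audit a mapping of project id -> IAM policy dict and return all findings."""
    return [f for project, policy in policies.items() for f in audit_project_policy(project, policy)]

# Constructed sample policies (not real output): project1 is correct, project3 has no
# connector binding at all, and project7 has a foreign perimeter's account with roles/viewer.
SAMPLE_POLICIES = {
    "project1": {"bindings": [
        {"role": "projects/project1/roles/SnowProjRole",
         "members": ["serviceAccount:snow-perimeter1@PROJECT_ID.iam.gserviceaccount.com"]},
        {"role": "roles/owner", "members": ["user:admin@example.com"]}]},
    "project3": {"bindings": [{"role": "roles/owner", "members": ["user:admin@example.com"]}]},
    "project7": {"bindings": [
        {"role": "projects/project7/roles/SnowProjRole",
         "members": ["serviceAccount:snow-perimeter3@PROJECT_ID.iam.gserviceaccount.com"]},
        {"role": "roles/viewer",
         "members": ["serviceAccount:snow-perimeter2@PROJECT_ID.iam.gserviceaccount.com"]}]},
}
```

Against real projects, load each policy with json.load from the gcloud output and pass the resulting dicts to audit_all; any non-empty result is a deviation from the least-privilege layout the table describes.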