Notifications

992 views

Description

AWS member account discovery is completing, but no cloud resources are discovered.

Release or Environment

London and Madrid

Note : New york release now leverages fully configurable AssumeRole request parameters as dictated by the AWS Security Token Service AssumeRole API Action.

https://docs.servicenow.com/bundle/newyork-it-operations-management/page/product/discovery/concept/temp-credentials-generated-by-aws.html#temp-credentials-generated-by-aws

https://docs.servicenow.com/bundle/newyork-it-operations-management/page/product/cloud-management-v2/concept/assume-aws-roles.html#assume-aws-roles

Cause

AWS Organizations discovery is introduced in London. There are some limitations on this product in London and Madrid releases, since it was the inaugural support for this feature.

Resolution

In order for cloud discovery to work with AWS Organizations so that Member Account cloud resources can be discovered without needing to supply Member Account credentials, a few conditions must be met in your configuration of the accounts within AWS:

ServiceNow Instance :

  • Discovery credentials --> If this is a member account of an AWS Organization and you have configured the associated master account with a credential, leave this blank.

AWS :

  • In the AWS Member Account there needs to be a role present exactly named “OrganizationAccountAccessRole”
  • In the AWS Member Account there needs to be a trusted relationship between the aforementioned role and the AWS Master Account.
  • In the AWS Member Account the role must have attached an “AdministratorAccess” policy which grants “*” Access to “*” Resource.

 

Keep in mind that this is the default setup when creating Member Accounts in AWS Organizations.  If you accept the default configuration when setting up your AWS Member Accounts, no special action is required.

Article Information

Last Updated:2020-03-11 12:39:34
Published:2020-03-11