AWS Master Account

The master account corresponds to the Organization in AWS. You can identify any cloud service account in your instance as a master account only if you already configured the account in AWS as an Organization and you already associated other accounts under the Organization. 

Requirement: Amazon Technical Account confirmed the Service account should use a master account for Discovery and then use STS with specific roles for each member.

Doc: Managing the AWS Accounts in Your Organization

Minimum Permissions: To access an AWS account from any other account in your organization, you must have the following permission: sts: AssumeRole – The Resource element must be set to either an asterisk (*) or the account ID number of the account with the user who needs to access the new member account" 

Symptoms

Discovery of AWS member accounts using the credentials of the parent account is failing with below error

AWS was not able to validate the provided access credentials (Service: AmazonEC2; Status Code: 401; Error Code: AuthFailure; Request ID: xxxxxx-xxxx-xxxxx

The credentials for the parent account of the AWS organization work successfully and can discover the parent account. However, obtaining a temporary token via Amazon STS for a member account using the parent account credentials will be not working.>

Release

All releases 

Environment

Instance activated with CMPv2 plugin and configured with AWS Master Service Account.

Cause

When discovering member accounts, the AWS discovery credential and master service accounts are used to generate a temporary token. In order to generate this token, the master account needs to have the "AssumeRole" permission.

Fix

Ensure the "OrganizationAccountAccessRole" is available and that has the "AssumeRole" permission.

Additional Information

Can Discovery/MID Server be configured to use another role other than OrganizationAccountAccessRole?

Earlier, ServiceNow SMEs and DEV Engineers worked to provide the solution for this behavior and approached a workaround, unfortunately, the STS override workaround isn't going to be feasible. 

Additionally, and also for security, we don't have any methods available to use from the MID server level for decrypting passwords (MID servers store passwords in memory for this reason). So we cannot manually retrieve and decrypt credentials to make this function call (which would also be a security concern). 

All of this is to say that we do not have a workaround for this issue. think of trying to get around it would be to customize the default OrganizationAccountAccessRole to your desired role and then create a new custom role with the admin rights that you would want your users to use as your "administrative link".