1. Assume role into other accounts and pull down credentials to discover all of their resources.

    Ans: London, Madrid, NY and Orlando only support AssumeRole from the Master account into Member accounts. We are planning to add cross-account AssumeRole access (Member to Member and more) in Paris.

  2. Pull member accounts without using master account credentials that have Administrator Level access.

    The credentials provided for the Master account must belong to an IAM user with, at a *minimum*, the following permissions:

    • Organizations:DescribeOrganization https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeOrganization.html
    • Organizations:ListAccounts https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListAccounts.html

      • To get *ALL* the permissions required by the Pattern:

        • Step through the Pattern Debugger for the "AWS Organizations" Pattern.
        • You will see REST API calls to AWS endpoints; note the names of the API calls.
        • Then search (Google) for the names of those API calls to identify the matching IAM actions.
        • Tell the customer to grant these permissions to the IAM user whose credentials are stored in the ServiceNow instance.
        • Optionally, to prove this to the customer, have them set up the AWS CLI on the MID Server host (the machine where the MID Server is running) and execute the same commands there via the AWS CLI.
        • Make sure there are no 403 or other permissions errors and that all the member accounts are returned.
        • Once this configuration is done, the "Refresh Member Accounts" UI action should work without the full AdministratorAccess managed policy.
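As an added example (not part of this article or of the product), a small Python check of whether a candidate IAM policy for the Master-account IAM user effectively grants the two minimum actions listed above, and whether it does so with broad wildcards such as AdministratorAccess-style `"*"` rather than specific actions. The sample policies are constructed, and Resource and Condition elements are assumed out of scope.

```python
import fnmatch
import json

# Minimum actions this article lists for the Master-account IAM user that
# "Refresh Member Accounts" runs under.
REQUIRED_ACTIONS = (
    "organizations:DescribeOrganization",
    "organizations:ListAccounts",
)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action names match case-insensitively; "*" and "?" are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def check_policy(policy_json):
    """Return (missing, overbroad). missing: required actions that are not
    effectively allowed (absent or explicitly denied). overbroad: Allow
    patterns wider than a single action. Resource and Condition are not
    evaluated, so this is a static least-privilege review, not a full IAM
    simulation (assumption made for this example)."""
    doc = json.loads(policy_json)
    allowed, denied, overbroad = [], [], []
    for stmt in _as_list(doc["Statement"]):
        if "NotAction" in stmt:  # grants everything except the listed actions
            overbroad.append("NotAction")
            continue
        patterns = _as_list(stmt.get("Action", []))
        if stmt["Effect"] == "Allow":
            allowed.extend(patterns)
            overbroad.extend(p for p in patterns if "*" in p or "?" in p)
        else:
            denied.extend(patterns)
    missing = [a for a in REQUIRED_ACTIONS
               if not any(_matches(p, a) for p in allowed)
               or any(_matches(p, a) for p in denied)]
    return missing, sorted(set(overbroad))

# Constructed sample policies (not taken from the article or any customer).
MINIMAL_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": list(REQUIRED_ACTIONS), "Resource": "*"}]})
ADMIN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "*", "Resource": "*"}]})
DENIED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "organizations:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "organizations:ListAccounts", "Resource": "*"}]})

if __name__ == "__main__":
    for pol in (MINIMAL_POLICY, ADMIN_POLICY, DENIED_POLICY):
        print(check_policy(pol))
```

A policy that returns an empty `missing` list and an empty `overbroad` list is the least-privilege shape to aim for; a non-empty `missing` list is what will show up as 403 errors in the AWS CLI check on the MID Server host.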

  3. How about the resources under the master and member accounts? Do we need to have any extra configurations for this?

    If appropriate credentials are configured, either permanent credentials in the discovery_credentials table or temporary credentials obtained

    • via IAM instance profile (supported in NY for Master (organization) or Discrete (non-org) accounts)
    • via AssumeRole (only Master => Member is supported in NY)

      then these resources will be discovered, as long as the IAM Role or IAM User on which the credential (temporary or permanent) is based has permissions to see these resources.

  4. Below is a scenario of discovering resources with EC2 Instance profile.

    Let's say, customer

    • Has both discrete accounts and AWS Organizations in their AWS environment (not sure if this would be valid, but let's assume it is).
    • Has EC2 instance profile configured with an IAM role and the MID server property: "mid.aws.instance_profile_name" is added.
    • Added master account, but without credentials on the instance.
    • In this scenario:

      • Would "EC2 instance profile configured with an IAM role" be sufficient to discover discrete accounts/master account and their resources?

        • Ans: It's either/or here. The IAM role behind the Instance Profile is associated with exactly one account (is it the Master or a Discrete account?). If it is associated with the Master account, then the IAM instance profile alone is sufficient to discover all the resources in the Master's organization (the Master account + all Member accounts).

      • As we have the master account information available (without credentials), would "EC2 instance profile configured with an IAM role" be sufficient to discover the member accounts and their resources?

        • Yes, as long as the cmdb_ci_cloud_service_account has the proper configuration for member accounts (parent_account reference column points to master account row and is_master_account=false/unchecked). Again, we are going to need a separate Cloud Discovery Schedule for each Account, regardless of whether it is Master, Member, or Discrete.
        • If only the Master account was added to the instance, you will have to run the "Refresh Member Accounts" UI Action on the Master account record to populate the Member accounts before creating Discovery Schedules for the Members.

      • Can Discovery use the EC2 instance profile configured with an IAM role to assume the role into member accounts, or do we need to have credentials added on the master account?

        • Yes, this is possible. No credentials needed for Master if using IAM Instance Profile with Role in Master Account.

  5. Any example configuration for AssumeRole?

    Ans: Each customer environment is different. Every account would have various custom roles, policies, etc., so providing a generic configuration would be a tough task here. We recommend checking with your cloud engineering team for more specific configurations.

Article Information

Last Updated: 2020-09-09 20:13:06