AWS Management Tools Blog

How to install and configure the AWS Service Catalog Connector for ServiceNow

(Note: This post was updated October 17, 2018)

Introduction

To help customers integrate the provisioning of secure, compliant, and pre-approved AWS products into their ServiceNow service catalog/portal, AWS introduced the AWS Service Catalog Connector for ServiceNow.

AWS Service Catalog Connector for ServiceNow synchronizes AWS Service Catalog portfolios and products with the ServiceNow Service Catalog to enable ServiceNow users to request approved AWS products via ServiceNow.

Earlier this year, AWS introduced the Connector for ServiceNow. Key features of the latest release, Connector for ServiceNow version 1.5.1, include the ability to:

  • Render AWS Service Catalog products in the ServiceNow Portal page.
  • Enable multi-account support.
  • Request an update against an existing AWS Service Catalog product provisioned in ServiceNow.
  • Validate the AWS Regions and Identities associated with syncing AWS and ServiceNow.
  • Sync product details in the My Asset/CMDB view.

In this blog post, I show you how to install, upgrade, and configure the AWS Service Catalog Connector for ServiceNow version 1.5.1.

Background

AWS Service Catalog allows you to centrally manage commonly deployed AWS services and provisioned software products. It helps your organization achieve consistent governance and compliance requirements, while enabling users to quickly deploy only the approved AWS services they need.

ServiceNow is an enterprise service management platform that places a service‑oriented lens on the activities, tasks, and processes that make up day‑to‑day work life to enable a modern work environment. ServiceNow Service Catalog is a self-service application that end users can use to order IT services based on request fulfillment approvals and workflows.

Getting started

First you need to make sure that you have the necessary permissions in your AWS account and ServiceNow instance prior to installing the AWS Service Catalog Connector for ServiceNow.

Important Note: This blog post uses the phrase UPG-IN to mark upgrade instructions for customers currently on earlier versions of the Connector for ServiceNow scoped application.

AWS prerequisites

To get started you need an AWS account to configure your AWS portfolios and products. Refer to Setting Up for AWS Service Catalog for more details.

For each AWS account, the Connector for ServiceNow also requires two AWS Identity and Access Management (IAM) users and two IAM roles:

  • An IAM user to sync AWS portfolios and products to ServiceNow Service Catalog items.
  • An IAM role configured as an AWS Service Catalog end user and assigned to each Service Catalog portfolio.
  • An IAM end user that “assumes” the previous end user role, which holds a baseline of permissions to provision AWS services from the ServiceNow Service Catalog. This ServiceNow end user is linked to the end user role in AWS.
  • An IAM launch role used to place baseline AWS service permissions into the AWS Service Catalog launch constraints. Configuring this role enables segregation of duties by provisioning product resources on behalf of the ServiceNow end user.

Appendix 1, Baseline Permissions, at the end of this post, details the initial permissions setup. The baseline permissions allow an end user to provision the following AWS services: Amazon Simple Storage Service (Amazon S3) and Amazon Elastic Compute Cloud (Amazon EC2). To allow end users to provision AWS services beyond this baseline, you need to add the additional AWS service permissions to the launch role.
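A quick way to see whether the baseline launch role is enough for a given product template is to compare the services the template creates with the services its attached policies mention. The following script is an added example, not code from the post or the connector; it summarises the two AWS managed policies as service wildcards (an assumption that suffices for this coarse check) and uses constructed sample templates rather than the AWS sample the post links to.

```python
"""Offline check: does the launch role's policy set cover every service a product template creates?"""
import json

# Policies attached to SCConnectLaunch in Appendix 1. The two managed policies are
# summarised as service wildcards (assumption); the custom policy lists the post's actions.
BASELINE_LAUNCH_ROLE_POLICIES = {
    "AmazonEC2FullAccess": ["ec2:*"],
    "AmazonS3FullAccess": ["s3:*"],
    "AWSCloudFormationFullAccess": [
        "cloudformation:DescribeStackResource", "cloudformation:DescribeStackResources",
        "cloudformation:GetTemplate", "cloudformation:List*",
        "cloudformation:DescribeStackEvents", "cloudformation:DescribeStacks",
        "cloudformation:CreateStack", "cloudformation:DeleteStack",
        "cloudformation:GetTemplateSummary", "cloudformation:SetStackPolicy",
        "cloudformation:ValidateTemplate", "cloudformation:UpdateStack",
        "s3:GetObject",
    ],
}

# CloudFormation namespaces whose IAM service prefix is not just the lower-cased namespace.
# Hand-maintained and partial (assumption); extend it for the resource types you use.
NAMESPACE_TO_SERVICE = {"ElasticLoadBalancingV2": "elasticloadbalancing"}


def service_for(resource_type):
    """Map a CloudFormation type such as 'AWS::S3::Bucket' to its IAM service prefix ('s3')."""
    parts = resource_type.split("::")
    if len(parts) != 3 or parts[0] != "AWS":
        raise ValueError(f"unsupported resource type {resource_type!r}")
    return NAMESPACE_TO_SERVICE.get(parts[1], parts[1].lower())


def granted_services(policies):
    """Collect the service prefix of every action granted by the attached policies."""
    services = set()
    for actions in policies.values():
        for action in actions:
            services.add(action.split(":", 1)[0].lower())
    return services


def uncovered_services(template, policies=BASELINE_LAUNCH_ROLE_POLICIES):
    """Return sorted service prefixes the template needs that no attached policy mentions.

    A service counts as covered when at least one action with that prefix is granted. This is a
    first-pass check only; it does not prove that every API call CloudFormation makes is allowed.
    """
    if isinstance(template, str):
        template = json.loads(template)
    needed = {service_for(res["Type"]) for res in template.get("Resources", {}).values()}
    return sorted(needed - granted_services(policies))


# Constructed sample templates (not the AWS website-hosting sample the post refers to).
S3_WEBSITE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "WebsiteBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"WebsiteConfiguration": {"IndexDocument": "index.html"}},
        },
    },
}
TEMPLATE_WITH_TABLE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "WebsiteBucket": {"Type": "AWS::S3::Bucket"},
        "SessionTable": {
            "Type": "AWS::DynamoDB::Table",
            "Properties": {"KeySchema": [{"AttributeName": "id", "KeyType": "HASH"}]},
        },
    },
}

if __name__ == "__main__":
    for name, tpl in (("s3-website", S3_WEBSITE_TEMPLATE), ("with-table", TEMPLATE_WITH_TABLE)):
        missing = uncovered_services(tpl)
        print(f"{name}: " + ("baseline launch role covers all services"
                             if not missing else "add permissions for: " + ", ".join(missing)))
```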

ServiceNow prerequisites

In addition to the AWS account, you also need a ServiceNow instance to install the ServiceNow Connector scoped application. The initial installation should occur in either an enterprise sandbox or a ServiceNow Personal Developer Instance (PDI), depending on your organization’s technology governance requirements. The ServiceNow administrator needs the admin role to install the Connector for ServiceNow scoped application.

Configure AWS Service Catalog

Now that you have created two IAM users with baseline permissions in each account, the next step is to configure AWS Service Catalog. In this section you configure Service Catalog with a portfolio that includes an Amazon S3 bucket product. Use the Amazon S3 sample template, Creating an Amazon S3 Bucket for Website Hosting, for your preliminary product. Copy and save the S3 template to your device.

AWS Service Catalog configuration consists of the following sets of steps:

  1. Creating a Service Catalog Portfolio
     Open the AWS Management Console and navigate to the AWS Service Catalog console. On the Create Portfolio page, create a portfolio. After the portfolio is created, add the S3 bucket product to that portfolio.
  2. Creating a Service Catalog Product
     • In the AWS Service Catalog console, on the Upload new product page, enter the product details. For Select template, choose the S3 bucket CloudFormation template saved to your device in the previous step.
     • Set Constraint type to   for the product that you just created, using the SCConnectLaunch role from the baseline permissions (see Appendix 1). Click here for additional launch constraint instructions.
       Reminder Note: The AWS configuration design requires each AWS Service Catalog product to have a launch constraint. Skipping this step may result in an “Unable to Retrieve Parameter” message within ServiceNow Service Catalog.
     • Add the SnowEndUser IAM role to the AWS Service Catalog portfolio. Click here for additional Grant Access to Users instructions.

Your AWS Service Catalog configuration should look similar to the following:

[Screenshot: SCConnect-1stAWSStorage]

After configuring IAM and AWS Service Catalog, the AWS setup for the integration is complete. Review the steps we discussed earlier to validate AWS setup instructions.

Configure ServiceNow

Now that you have completed the AWS IAM and AWS Service Catalog configurations, the next area to set up is ServiceNow. High-level installation tasks within ServiceNow include:

  • UPG-IN: Clear the ServiceNow Platform Cache
  • Upload and commit the AWS Service Catalog Connector for ServiceNow “update set.” The update set contains the AWS Service Catalog scoped app that is needed to configure the synchronization between the AWS console and the ServiceNow platform.
  • Configure ServiceNow platform system admin components
  • Configure AWS Service Catalog scoped app

Appendix 2, Configure ServiceNow (at the end of this post) details the ServiceNow configuration setup actions.

Validate configurations

You are now ready to validate the AWS Service Catalog Connector for ServiceNow installation. Log into your ServiceNow instance as the end user (for example, Abel Tuter). Type “Service Catalog” in the navigation filter and click on Service Catalog. The standard user interface view displays the AWS Service Catalog category as follows:

[Screenshot: AWSSCStorageNSNow]

I. Ordering a Product

  1. Select the AWS Service Catalog S3 Storage product to provision.

[Screenshot: AWSSCStorageOrderForm]

  2. Fill in the product request details, including product name, parameters, and tags.
  3. Choose Order Now to submit the ServiceNow request and provision the AWS Service Catalog product.

After AWS Service Catalog provisions the product, a periodic synchronization job updates the status of the product on the form; this can take up to one minute. You will see an order status similar to the one shown in the following screenshot:

[Screenshot: SCStorageOrderStatus]

II. Viewing provisioned products

Go to My Assets to view your request. To view the Product, personalize the list view to show the associated Configuration Item:

  1. Choose the Settings cogwheel in the header row of the table of asset requests.
  2. Select “Configuration item (configuration_item)” and add it to the view by pressing the “>” button. Move Configuration item above Request:

[Screenshot: PersonalizeListColumns]

The configuration item (the product that was ordered) now shows in the list of assets. See the following example of the storage that was ordered:

  • Choose the product Configuration Item.

  • View the Outputs for the provisioned Product in the Outputs tab of the form.

  • View the history of the provisioning of the product in the Product Events tab of the form.

You can also go to the AWS resources provisioned (in this example, an Amazon S3 bucket) to validate. Log into the AWS Console, navigate to Amazon S3, and choose the bucket.


Additional configurations: Operational actions and service portal

Connector for ServiceNow version 1.5.1 includes additional operational actions and ServiceNow Service Portal features. The AWS Service Catalog Connector for ServiceNow Installation_v1.5.1 document includes two sections that describe these details. Section 4, Operational Actions, details three operational actions on provisioned AWS products: 1) Sync Products, 2) Request Termination, and 3) Request Update. Section 5, ServiceNow Service Portal, details the ability to order AWS Service Catalog products through the ServiceNow Service Portal using the ServiceNow Service Catalog and Order Something views.

Conclusion

Your preliminary AWS Service Catalog Connector for ServiceNow installation is complete. The benefits of this connector are to 1) enable developers to request and build services on AWS, reducing time to market; 2) enable products to adhere to compliance/security requirements; and 3) accelerate cloud adoption. For questions on the AWS Service Catalog Connector for ServiceNow installation, email aws-sc-servicenow-issues@amazon.com.

About the Author

MaSonya Scott is an Atlanta, GA-based Sr. Business Development Manager with AWS Service Catalog. MaSonya enjoys helping AWS customers establish cloud operations frameworks (people, process, and tooling) to accelerate cloud adoption. In her free time, MaSonya enjoys comic book-based movies and beach vacations with her family.


Appendix 1: Baseline permissions

This section provides instructions on how to set up the baseline AWS users and permissions needed for the AWS Service Catalog (SC) Connector for ServiceNow. For each AWS account, the Connector for ServiceNow requires two IAM users and two IAM roles:

  • SC Sync User – IAM user to sync AWS portfolios and products to ServiceNow catalog items (ServiceCatalogAdminReadOnlyAccess managed policy).
  • SC End User role – IAM role configured as an AWS Service Catalog end user and assigned to each Service Catalog portfolio.
  • SC End User – IAM user that enables the Connector for ServiceNow to provision AWS products by assuming a role that carries the trust relationship with the account and the policies needed for end user privileges in AWS Service Catalog.
  • SCConnect Launch role – IAM role used to place baseline AWS service permissions into the AWS Service Catalog launch constraints. Configuring this role enables segregation of duties by provisioning product resources on behalf of the ServiceNow end user. The SCConnectLaunch role baseline contains permissions for the Amazon EC2 and Amazon S3 services. If your products use more AWS services, you need to either add those services to the SCConnectLaunch role or create new launch roles.

I. Create SC Sync User

The following section details the steps to create the SC Sync User and associate the appropriate IAM permission. To perform this task, you need IAM permissions to create new users.

  1. Create a sync user (that is, SCSyncUser) using Creating an IAM User in Your AWS Account instructions. The user needs programmatic and AWS Management Console access to follow the Connector for ServiceNow installation instructions.

[Screenshot: create sync user]

  2. Set permissions for your sync user (SCSyncUser). Choose Attach existing policies directly and select the ServiceCatalogAdminReadOnlyAccess policy.

[Screenshot: set permissions]

  3. Review and Create User.
  4. Note the Access Key ID and Secret Access Key information. Download the .csv file that contains the user credential information.

II. Create SC End User

The following section details the steps to create the SC End User and associate the appropriate IAM permission. To perform this task, you need IAM permissions to create new users.

UPG-IN Note: The ServiceCatalogServiceNowAdditionalPermissions AWS policy is no longer needed for the Connector for ServiceNow. Proceed to the Create a SnowEndUser role step.

  1. Create a role for the ServiceNow end user to assume (such as SnowEndUser).
  • Add the following permission policy to the role: AWSServiceCatalogEndUserFullAccess
  • Create a trust relationship on the SnowEndUser role to the account. Place the following text into the Trust Relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789123:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}


Note: Replace the account number in the ARN (123456789123 in the example) with your own AWS account ID.

[Screenshot: replace arn]


  2. Create a policy called StsAssume-SC. Place the following text in the JSON editor.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::123456789123:role/SnowEndUser"
        }
    ]
}

Note: Replace the account number in the ARN (123456789123 in the example) with your own AWS account ID. The ARN must contain no spaces.

[Screenshot: stsassumesc policy]

  3. Create a user (such as SCEndUser) using the Creating an IAM User in Your AWS Account instructions. The user needs programmatic and AWS Management Console access to follow the Connector for ServiceNow installation instructions.

[Screenshot: create a user]

  4. Attach the assume policy (StsAssume-SC) to your end user (SCEndUser). Choose Attach existing policies directly and select StsAssume-SC.

[Screenshot: attach assume policy to user]

  5. Review and Create User.
  6. Note the Access Key ID and Secret Access Key information. Download the .csv file that contains the user credential information.

III. Create SCConnectLaunch role

The following section details the steps to create the SCConnectLaunch role. This role is used to place baseline AWS service permissions into the Service Catalog launch constraints. Choose Launch Constraints for more information.

  1. Create the AWSCloudFormationFullAccess policy.
  • Choose Create policy and then paste the following in the JSON editor:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackResources",
                "cloudformation:GetTemplate",
                "cloudformation:List*",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStacks",
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:GetTemplateSummary",
                "cloudformation:SetStackPolicy",
                "cloudformation:ValidateTemplate",
                "cloudformation:UpdateStack",
                "s3:GetObject"
            ],
            "Resource": "*"
        }
    ]
}

[Screenshot: Create the AWSCloudFormationFullAccess Policy]


  2. Create the SCConnectLaunch role.
  • Assign the trust relationship to AWS Service Catalog by placing the following text into the Trust Relationship:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "servicecatalog.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

  • Attach the relevant policies to the SCConnectLaunch role. Attach the following baseline IAM policies:
    • AmazonEC2FullAccess (AWS managed policy)
    • AmazonS3FullAccess (AWS managed policy)
    • AWSCloudFormationFullAccess (custom managed policy)

The SCConnectLaunch role step is completed when you have the baseline policies as shown in the following screenshot:

[Screenshot: SCConnectLaunch role step completed]

[Screenshot: SCConnectLaunch complete 2]
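Before moving on to ServiceNow, it is worth checking the three IAM documents from this appendix offline, since a typo in them only surfaces later as an “Error using account…” result in Test Authorization. The following script is an added example, not code from the post or the connector; its sample documents are constructed copies of the JSON above (with the placeholder account ID 123456789123), one of which deliberately carries a stray space inside the StsAssume-SC resource ARN to show what the check catches.

```python
"""Offline sanity checks for the SnowEndUser trust policy, StsAssume-SC, and the launch role trust."""
import json
import re

# IAM role/user ARN. An ARN contains no whitespace, so the pattern admits none.
IAM_ARN = re.compile(r"^arn:aws:iam::(\d{12}):(role|user)/[\w+=,.@/-]+$")


def statements(policy):
    """Return the Statement list of a policy given as a dict or as JSON text."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_end_user_trust(trust_policy, account_id):
    """SnowEndUser trust policy: only this account's root principal may call sts:AssumeRole.

    Trusting the account root delegates *who* may assume the role to IAM policies inside the
    account, which is why the post scopes that with the StsAssume-SC policy on SCEndUser.
    """
    expected = f"arn:aws:iam::{account_id}:root"
    problems = []
    for stmt in statements(trust_policy):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(stmt.get("Action")):
            problems.append("statement does not Allow sts:AssumeRole")
            continue
        for principal in as_list(stmt.get("Principal", {}).get("AWS")):
            if principal != expected:
                problems.append(f"unexpected principal {principal!r}; expected {expected!r}")
    return problems


def check_assume_policy(policy, account_id):
    """StsAssume-SC: every Resource must be a well-formed role ARN in the expected account."""
    problems = []
    for stmt in statements(policy):
        for arn in as_list(stmt.get("Resource")):
            match = IAM_ARN.match(arn)
            if not match:
                problems.append(f"malformed ARN {arn!r}")
            elif match.group(1) != account_id:
                problems.append(f"ARN {arn!r} targets account {match.group(1)}, not {account_id}")
    return problems


def check_launch_role_trust(trust_policy):
    """SCConnectLaunch trust policy: the only trusted principal is the Service Catalog service."""
    problems = []
    for stmt in statements(trust_policy):
        services = as_list(stmt.get("Principal", {}).get("Service"))
        if stmt.get("Effect") == "Allow" and services != ["servicecatalog.amazonaws.com"]:
            problems.append(f"launch role trusts {services}, expected only servicecatalog.amazonaws.com")
    return problems


# Constructed samples mirroring Appendix 1 (placeholder account ID from the post).
ACCOUNT = "123456789123"
END_USER_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
    "Action": "sts:AssumeRole", "Condition": {}}]}
ASSUME_WITH_SPACE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam:: 123456789123:role/SnowEndUser"}]}  # stray space: rejected
ASSUME_FIXED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Resource": f"arn:aws:iam::{ACCOUNT}:role/SnowEndUser"}]}
LAUNCH_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Sid": "", "Effect": "Allow", "Principal": {"Service": "servicecatalog.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print("end user trust:", check_end_user_trust(END_USER_TRUST, ACCOUNT))
    print("assume policy (space):", check_assume_policy(ASSUME_WITH_SPACE, ACCOUNT))
    print("assume policy (fixed):", check_assume_policy(ASSUME_FIXED, ACCOUNT))
    print("launch role trust:", check_launch_role_trust(LAUNCH_TRUST))
```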

Appendix 2: Configure ServiceNow

This section provides instructions on how to configure the ServiceNow instance for the AWS Service Catalog Connector for ServiceNow.

Now that you completed the AWS Identity and Access Management (IAM) and AWS Service Catalog configurations, the next component area to set up is ServiceNow. High-level installation tasks within ServiceNow include:

  • UPG-IN: Clear the ServiceNow Platform Cache
  • Upload and Commit Connector for ServiceNow “Update Set”
  • Configure ServiceNow Platform System Admin Components
  • Configure Connector for ServiceNow Scoped App – AWS Service Catalog
    • Accounts (based on the two IAM users per account created in Appendix 1)
    • Sync via Scheduled Jobs (AWS and ServiceNow)
    • Identities (link the AWS end user to a ServiceNow role permission)
    • Associate ServiceNow role to ServiceNow end user/group

I. UPG-IN: Clear the ServiceNow Platform Cache

Prior to installing the AWS Service Catalog scoped app, we recommend that you clear the ServiceNow platform cache by opening the following URL: https://<InsertServiceNowInstanceNameHere>/cache.do

Note: Make sure you are installing the update set in a Non-Production/sandbox environment. Consult a ServiceNow system administrator if you need approval to clear the ServiceNow platform cache.

II. Installing the ServiceNow Connector Scoped Application

The AWS Service Catalog Connector for ServiceNow is released as a conventional ServiceNow scoped application via a ServiceNow update set. ServiceNow update sets are code changes to the out-of-the-box platform and enable developers to move code across ServiceNow instance environments. The Connector for ServiceNow update set is available to download in the ServiceNow store. For users installing the update set on a ServiceNow Personal Developer Instance (PDI), please download the connector from here.

The Connector for ServiceNow version 1.5.1 update set may be applied to a “Jakarta,” “Kingston,” or “London” platform release of ServiceNow.

  1. Obtain a ServiceNow instance
     You need a ServiceNow instance to install the connector update set. If you need a ServiceNow instance, do the following:
  • Choose Obtain ServiceNow PDI for more instructions within the ServiceNow Developer program.
  • Create ServiceNow developer program credentials. Choose request instance and select the ServiceNow release as the following shows.

  • Capture your instance details including URL, administrative ID, and temporary password credentials.
  2. Activate the User Criteria Scoped API plugin.
  • Type Plugins in the navigation pane. For Name, type User Criteria.

  • Choose User Criteria Scoped API and then choose Activate.

  3. Download the AWS Service Catalog Connector from the ServiceNow Store.
  • Download the AWS SC Connector for ServiceNow scoped app from the ServiceNow store.
  • Log into your ServiceNow instance specified in the ServiceNow store. You need to log in as the system administrator (user with the ServiceNow admin role associated). You will see the ServiceNow standard user interface view.

  4. Install the Update Set
  • Log in to the instance as the system administrator (user with the ServiceNow admin role associated).
  • In the navigator panel type “Update Sets” and select Retrieved Update Sets from the results.
  • Select Import Update Set from XML on the page and upload the release XML file.

  • Select the AWS Service Catalog Connector for ServiceNow update set.
  • Choose Preview Update Set, which will make ServiceNow validate the connector update set.
  • Choose Update and the ServiceNow form will update to the following view:
  • Choose Commit Update Set to apply the update set and create the application. The Update Set Commit procedure should complete 100%.

III. Configure ServiceNow Platform System Admin Components

To enable the AWS Service Catalog Connector for ServiceNow scoped application named AWS Service Catalog, the system admin will need to configure specific platform tables, forms, and views.

UPG-IN Note: The Enable permissions on ServiceNow Platform tables (User Criteria Catalog Variable Set) step is no longer needed for the Connector for ServiceNow. Proceed to the Set up application administrator privileges step.

  1. Set up application administrator privileges
    The AWS Service Catalog scoped app comes with two ServiceNow roles that enable access to configure the application, so that system admins can grant one or more users privileges to administer the application without having to open up full sysadmin access to them. The following table explains the two roles:

[Screenshot: roles table]
These roles can be assigned either to individual users or both to one administrator user. As the sysadmin user:

  • Type “Users” in the navigator and select System Security – Users.
  • Select a user to grant one or both previous roles (such as admin) to. You can also Create a User.
  • Choose Edit on the Roles tab of the form.
  • Filter the Collection of roles by the prefix “x_”.
  • Choose from x_126749_aws_sc_account_admin and/or x_126749_aws_sc_portfolio_manager and add them to the user.
  • Choose Save.
  2. Add AWS Service Catalog to the ServiceNow Service Catalog categories
  • Navigate to Self Service | Service Catalog and select the Add content icon (top right).
  • Select the AWS Service Catalog Product entry. Add it to your catalog home page by choosing the first Add Here link on the second row of the selection panel at the bottom of the page.
  3. Add a Change Request Type

UPG-IN: Customers on previous AWS Service Catalog scoped app releases need to first remove the AWS Product Termination change request type before creating the new change request type.

You need to add a new change request type called AWS Provisioned Product Event for the scoped application to trigger an automated change request in Change Management.

  • Open an existing change request.
  • Right-click on Type and select Show Choice List. Note: Some Mac users may experience trouble accessing Choice List without a mouse device.

[Screenshot: show choice list]

  • Choose New and fill in the following fields.

         Table – Change Request

         Label – AWS Provisioned Product Event

         Value – AWSProvisionedProductEvent

         Sequence – pick the next unused value

  • Submit the form.

IV. Configuring AWS Service Catalog Connector Scoped Application – AWS Service Catalog

Having installed and configured the AWS Service Catalog Connector for ServiceNow in the previous sections, you now need to configure the AWS Service Catalog scoped application and the applicable roles:

  1. Create a ServiceNow role called “order_aws_sc_products”. This role is granted to any user with permission to order AWS Service Catalog products.
  2. Grant roles to the following users:
    • System Administrator (admin): For simplicity in this worked example, the user admin is designated as the administrator of the AWS Service Catalog scoped application. This user is granted (Roles -> Edit) both administrative roles from the scoped app, x_126749_aws_sc_portfolio_manager and x_126749_aws_sc_account_admin, rather than assigning them to separate users.
    • Abel Tuter: The user abel.tuter is chosen as an illustrative end user. Abel requires the new role order_aws_sc_products to order products from AWS.

[Screenshot: abel tuter]

V. Configure Accounts

Log in as the System Administrator. In the AWS Service Catalog scoped app Accounts menu, create two accounts, one for sync and one for provisioning. Note, the names are chosen for convenience to make it easy to see which IAM user they correspond to (these are the users created in the AWS setup).

The snow-stsuser-account account has no Regions configured. The snow-sync-account account has one Region configured, matching the Region in which AWS Service Catalog is configured (double-click the text “Insert a new row” to add it):

You need the access key IDs and secret access keys of the IAM users you created in AWS.

[Screenshot: ServiceNow AWS Correlations chart]

[Screenshot: configure accounts]

VI. Validate Regions

You can now validate Regions to test whether the ServiceNow snow-sync-account can connect to AWS as the IAM sync user (SCSyncUser).

  1. Choose Accounts in the AWS Service Catalog scoped app
  2. Select snow-sync-account and choose Validate Regions.

A successful connection will result in the message “Successfully performed AWS Service Catalog SearchProductsAsAdmin action in each referenced Region.”

If the AWS IAM access key or secret access key is incorrect, you will receive a message similar to the following: “Error performing AWS Service Catalog SearchProductsAsAdmin action in one or more Regions:

us-east-1: The security token included in the request is invalid. Check that the access key and secret access key are correct.”

VII. Scheduled Jobs (Initial Manual Sync)

During the initial setup, manually execute the sync instead of waiting for the Scheduled Jobs to occur. To sync the accounts manually, do the following:

  1. Log in as System Administrator.
  2. Find Scheduled Jobs in the filter navigator panel.
  3. Search for job Sync all Accounts, select it, and choose Execute Now.

[Screenshot: job sync all accounts]

Note: If you do not see Execute Now in the upper left-hand corner, then click on Configure Job Definition. Execute Now will be visible.

VIII. Grant Access to Portfolios

Data will be visible in the AWS Service Catalog menus once the adapter’s scheduled synchronization job has run.
To grant access to AWS Service Catalog products in ServiceNow, you need to establish a link between the AWS SnowEndUser role discovered from the Sync All Scheduled Job and snow-stsuser-account entry created in the ServiceNow AWS Service Catalog scoped app.

  1. Choose the Identities module of the AWS Service Catalog scoped app.
  2. Select the ARN for the AWS SnowEndUser role and assign it to the account snow-stsuser-account. (Double-click the cell in the Account column, or click the SCEndUser user name and edit the form presented.)

Role Grants is now available within the Identities Modules to conveniently associate the ServiceNow role order_aws_sc_products to the AWS SnowEndUser role identity.

  1. Choose New and enter the Role order_aws_sc_products and the SnowEndUser identity.
  2. Choose the Submit button.

The Identities module will now have a view of the associated role:

You can now test the AWS Identity to determine if the ServiceNow end user with the order_aws_sc_products role can order an AWS Service Catalog product.

Choose the Test Authorization button shown in the AWS Identity module (see the previous screenshot). If the test is successful, the message “Successfully performed SearchProducts action as arn:aws:iam::<AWS Account>:role/SnowEndUser” is returned.

An unsuccessful test will return the message “Error using account…”

Given the setup above, Abel Tuter can now order products from AWS Service Catalog in ServiceNow.