AWS Management Tools Blog

How to install and configure the AWS Service Catalog Connector for ServiceNow

Introduction

To help customers integrate the provisioning of secure, compliant, pre-approved AWS products into their ServiceNow service catalog or portal, AWS has introduced the AWS Service Catalog Connector for ServiceNow.

AWS Service Catalog Connector for ServiceNow synchronizes AWS Service Catalog portfolios and products with the ServiceNow Service Catalog to enable ServiceNow users to request approved AWS products via ServiceNow.

In this post, I show you how to install and configure the AWS Service Catalog Connector for ServiceNow.

Background

AWS Service Catalog allows you to centrally manage commonly deployed AWS services and provisioned software products. It helps your organization achieve consistent governance and compliance requirements, while enabling users to quickly deploy only the approved AWS services they need.

ServiceNow is an enterprise service management platform that places a service‑oriented lens on the activities, tasks, and processes that make up day‑to‑day work life to enable a modern work environment. ServiceNow Service Catalog is a self-service application that end users can use to order IT services based on request fulfillment approvals and workflows.

Getting started

First, make sure that you have the necessary permissions in your AWS account and ServiceNow instance before installing the AWS Service Catalog Connector for ServiceNow.

AWS prerequisites

To get started you need an AWS account to configure your AWS portfolios and products. Refer to Setting Up for AWS Service Catalog for more details.

For each AWS account, the Connector for ServiceNow also requires two AWS Identity and Access Management (IAM) users and two IAM roles:

  • An IAM user to sync AWS portfolios and products to ServiceNow Service Catalog items.
  • An IAM role configured as an AWS Service Catalog end user and assigned to each Service Catalog portfolio.
  • An IAM end user that “assumes” the previous end user role, which carries a baseline of permissions to provision AWS services from the ServiceNow Service Catalog. This ServiceNow end user is linked to the end user role in AWS.
  • An IAM launch role used to place baseline AWS service permissions into the AWS Service Catalog launch constraints. Configuring this role enables segregation of duties: product resources are provisioned on behalf of the ServiceNow end user rather than with that user's own permissions.

Appendix 1 Baseline Permissions, at the end of this post, details the initial permissions setup actions. The baseline permissions enable an end user to provision the following AWS services: Amazon Simple Storage Service (Amazon S3) and Amazon Elastic Compute Cloud (Amazon EC2). To allow end users to provision AWS services beyond the baseline permissions, you will need to add the additional AWS service permissions to the launch role.

ServiceNow prerequisites

In addition to the AWS account, you also need a ServiceNow instance to install the ServiceNow Connector scoped application. The initial installation should occur in either an enterprise sandbox or a ServiceNow Personal Developer Instance (PDI) depending on your organization’s technology governance requirements. The ServiceNow administrator needs the admin role to install the Connector for ServiceNow scoped application.

Configure AWS Service Catalog

Now that you have created two users with baseline permissions in each account, the next step is to configure AWS Service Catalog. AWS Service Catalog configuration consists of the following sets of steps:

  1. Creating an AWS CloudFormation template for an AWS Service Catalog product that launches an S3 bucket. To learn more about CloudFormation templates, see the AWS CloudFormation documentation.
  2. Creating an AWS Service Catalog portfolio.
  3. Creating an AWS Service Catalog product.

You need to ensure that the SnowEndUser role created in the baseline permissions (Appendix 1) is associated to the portfolio in the Users, Groups, Roles section. The SCConnectLaunch role is also required for launch constraints on each product.

Your AWS Service Catalog configuration should look similar to the following:

[Screenshot: SCConnect-1stAWSStorage]

After setting up AWS Identity and Access Management (IAM) and AWS Service Catalog, the AWS setup for the integration is complete. Please review the steps we discussed earlier to validate AWS setup instructions.

Configure ServiceNow

Now that you have completed the AWS IAM and AWS Service Catalog configurations, the next configuration area to set up is ServiceNow. High-level installation tasks within ServiceNow include:

  • Upload and commit the AWS Service Catalog Connector for ServiceNow “update set.” The update set contains the AWS Service Catalog scoped app that is needed to configure the synchronization between the AWS console and the ServiceNow platform.
  • Configure ServiceNow platform system admin components
  • Configure AWS Service Catalog scoped app

Appendix 2 Configure ServiceNow, at the end of this post, details the ServiceNow configuration setup actions.

Validate configurations

You are now ready to validate the AWS Service Catalog Connector for ServiceNow installation. Log in to your ServiceNow instance as the end user (for example, Abel Tuter). Type “Service Catalog” in the navigation filter and click Service Catalog. The standard user interface view displays the AWS Service Catalog category as follows:

Select an AWS Service Catalog product to provision.

[Screenshot: AWSSCStorageNSNow]

[Screenshot: AWSSCStorageOrderForm]

Fill in the product request details including product name, parameters and tags.

Click Order Now to submit the ServiceNow request and provision AWS Service Catalog product. You will receive the order status as shown below:

[Screenshot: SCStorageOrderStatus]

Go to My Assets to view your request. To view the product, personalize the list view to show the associated Configuration Item:

  1. Click the “Settings” cogwheel in the header row of the table of asset requests.
  2. Select “Configuration item (configuration_item)” and add it to the view by pressing the “>” button. Move Configuration item above “Request”:

[Screenshot: PersonalizeListColumns]

The configuration item (the product that was ordered) now shows in the list of assets. The following example shows the storage product that was ordered:

[Screenshot: MyS3Product]

Choose the product Configuration Item.

[Screenshot: SCProductS3view]

Log in to the AWS Management Console, navigate to AWS Service Catalog, and choose the provisioned product list. The product details show the status of the product as follows:

[Screenshot: OrderS3Blog]

You can also go to the AWS resources provisioned (in this example, an Amazon S3 bucket) to validate.

[Screenshot: S3BucketView]

Conclusion

Your preliminary AWS Service Catalog Connector for ServiceNow installation is complete. The benefits of this connector are to 1) enable developers to request and build services on AWS, reducing time to market; 2) enable products to adhere to compliance and security requirements; and 3) accelerate cloud adoption. For questions on the AWS Service Catalog Connector for ServiceNow installation, email aws-sc-servicenow-issues@amazon.com.

About the Author

MaSonya Scott is an Atlanta, GA-based Sr. Business Development Manager with AWS Service Catalog. MaSonya enjoys helping AWS customers establish cloud operations frameworks (people, process, and tooling) to accelerate cloud adoption. In her free time, MaSonya enjoys comic book-based movies and beach vacations with her family.

Appendix 1: Baseline permissions

This section provides instructions on how to set up the baseline AWS users and permissions needed for the AWS Service Catalog (SC) Connector for ServiceNow. For each AWS account, the Connector for ServiceNow requires two IAM users and two IAM roles:

  • SC Sync User – IAM user to sync AWS portfolios and products to ServiceNow catalog items (ServiceCatalogAdminReadOnlyAccess managed policy).
  • SC End User role – IAM role configured as an AWS Service Catalog end user and assigned to each Service Catalog portfolio.
  • SC End User – Enables the Connector for ServiceNow to provision AWS products by assuming a role that contains the trust relationship with the account and the policies needed for end user privileges in AWS Service Catalog.
  • SCConnect Launch role – IAM role used to place baseline AWS service permissions into the AWS Service Catalog launch constraints. Configuring this role enables segregation of duties: product resources are provisioned on behalf of the ServiceNow end user. The SCConnectLaunch role baseline contains permissions for the EC2 and S3 services. If your products use more AWS services, you will need to either add those services to the SCConnectLaunch role or create new launch roles.

I. Create SC Sync User

The following section details the steps to create the SC Sync User and associate the appropriate IAM permission. To perform this task, you need IAM permissions to create new users.

a. Create a sync user (that is, SCSyncUser) using Creating an IAM User in Your AWS Account instructions. The user needs programmatic and AWS Management Console access to follow the Connector for ServiceNow installation instructions.

[Screenshot: create sync user]

b. Set permissions for your sync user (SCSyncUser). Choose Attach existing policies directly and select the ServiceCatalogAdminReadOnlyAccess policy.

[Screenshot: set permissions]

c. Review and Create User.

d. Note the access key ID and secret access key. Download the .csv file that contains the user credential information.

II. Create SC End User

The following section details the steps to create the SC End User and associate the appropriate IAM permission. To perform this task, you need IAM permissions to create new users.

a. Create a Policy called ServiceCatalogServiceNowAdditionalPermissions. Enter the following code into the JSON editor:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1507210800000",
            "Effect": "Allow",
            "Action": [
                "servicecatalog:ListProvisioningArtifacts"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

b. Create a role for the ServiceNow end user to assume (such as SnowEndUser).

i. Add the following permissions (policies) to the role:

  • ServiceCatalogServiceNowAdditionalPermissions (created in the previous step)
  • AWSServiceCatalogEndUserFullAccess

ii. Create a trust relationship on the SnowEndUser role to the account. Place the following text into the Trust Relationship:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789123:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

Note: Replace the account ID 123456789123 in the ARN with your own AWS account ID.

[Screenshot: replace arn]

c. Create a Policy called StsAssume-SC. Place the following text in the JSON editor.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::123456789123:role/SnowEndUser"
        }
    ]
}

Note: Replace the account ID 123456789123 in the ARN with your own AWS account ID. The ARN must contain no spaces; IAM rejects a Resource such as "arn:aws:iam:: 123456789123:role/SnowEndUser".

[Screenshot: stsassumesc policy]
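As an added example (not part of the original post), the following Python builds the SnowEndUser trust relationship and the StsAssume-SC policy from one account ID and cross-checks the pair before they are pasted into IAM: it flags a malformed role ARN (such as one containing a stray space), an assume policy that grants more than sts:AssumeRole, and a role ARN in an account that the trust relationship does not cover. The account ID 123456789123 is the placeholder used in this post; the function names are this example's own.

```python
import json
import re

# Strict ARN shapes: a 12-digit account ID and no whitespace anywhere.
ROOT_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):root$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@-]+)$")


def snow_end_user_trust_policy(account_id):
    """Trust relationship for the SnowEndUser role (Appendix 1, II.b.ii)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "sts:AssumeRole"}]}


def sts_assume_sc_policy(account_id, role_name="SnowEndUser"):
    """StsAssume-SC policy attached to the SCEndUser IAM user (Appendix 1, II.c)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": f"arn:aws:iam::{account_id}:role/{role_name}"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_assume_chain(trust_policy, assume_policy):
    """Return the problems found in the trust/assume pair; [] means they agree."""
    problems = []
    trusted = set()  # account IDs whose root principal may assume the role
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # a bare "*" would trust every AWS account
            problems.append(f"trust policy: overly broad principal {principal!r}")
            continue
        for arn in _as_list(principal.get("AWS", [])):
            m = ROOT_ARN_RE.match(arn)
            if m:
                trusted.add(m.group(1))
            else:
                problems.append(f"trust policy: unexpected principal {arn!r}")
    if not trusted:
        problems.append("trust policy: no account root principal may assume the role")
    for stmt in assume_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if actions != ["sts:AssumeRole"]:  # least privilege: the user needs nothing else
            problems.append(f"assume policy: expected only sts:AssumeRole, got {actions}")
        for arn in _as_list(stmt.get("Resource", [])):
            m = ROLE_ARN_RE.match(arn)
            if m is None:
                problems.append(f"assume policy: malformed role ARN {arn!r}")
            elif m.group(1) not in trusted:
                problems.append(f"assume policy: account {m.group(1)} is not trusted by the role")
    return problems


# Constructed sample: the StsAssume-SC text with a stray space after "iam::",
# the kind of paste error the checker is meant to catch before it reaches IAM.
PAGE_ASSUME_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "VisualEditor0", "Effect": "Allow", "Action": "sts:AssumeRole",
  "Resource": "arn:aws:iam:: 123456789123:role/SnowEndUser"}]}""")
```

Run check_assume_chain on the two generated documents to confirm an empty result, and on PAGE_ASSUME_POLICY to see the malformed ARN reported.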

d. Create a user (such as SCEndUser) using Creating an IAM User in Your AWS Account instructions. The user needs programmatic and AWS Management Console access to follow the ServiceNow Connector installation instructions.

[Screenshot: create a user]

Attach the assume policy (StsAssume-SC) to your end user (SCEndUser). Choose Attach existing policies directly and select StsAssume-SC.

[Screenshot: attach assume policy to user]

e. Review and Create User.

f. Note the access key ID and secret access key. Download the .csv file that contains the user credential information.

III. Create SCConnectLaunch role

The following section details the steps to create the SCConnectLaunch role. This role is used to place baseline AWS service permissions into the Service Catalog launch constraints. Choose Launch Constraints for more information.

a. Create the AWSCloudFormationFullAccess Policy.

Choose create policy and then paste the following in the JSON editor:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackResources",
                "cloudformation:GetTemplate",
                "cloudformation:List*",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStacks",
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:GetTemplateSummary",
                "cloudformation:SetStackPolicy",
                "cloudformation:ValidateTemplate",
                "cloudformation:UpdateStack",
                "s3:GetObject"
            ],
            "Resource": "*"
        }
    ]
}

[Screenshot: Create the AWSCloudFormationFullAccess Policy]

b. Create the SCConnectLaunch role. Set its trust relationship to the AWS Service Catalog service, then attach the following baseline IAM policies to the role:

  • AmazonEC2FullAccess (AWS managed policy)
  • AmazonS3FullAccess (AWS managed policy)
  • AWSCloudFormationFullAccess (custom managed policy)

The SCConnectLaunch role step is completed when you have the baseline policies as shown in the following screenshot:

[Screenshot: SCConnectLaunch role step completed]

[Screenshot: SCConnectLaunch complete 2]

Appendix 2: Configure ServiceNow

This section provides instructions on how to configure the ServiceNow instance for the AWS Service Catalog Connector for ServiceNow.

Now that you have completed the AWS Identity and Access Management (IAM) and AWS Service Catalog configurations, the next component area to set up is ServiceNow. High-level installation tasks within ServiceNow include:

  • Upload and Commit Connector for ServiceNow “Update Set”
  • Configure ServiceNow Platform System Admin Components
  • Configure Connector for ServiceNow Scoped App – AWS Service Catalog
    • Accounts (Based on two AWS users/account in phase I)
    • Sync via Scheduled Jobs (AWS and ServiceNow)
    • Identities (link the AWS end user to a ServiceNow role permission)
    • Associate ServiceNow role to ServiceNow end user/group

I. Installing Connector for ServiceNow Scoped Application

The AWS Service Catalog Connector for ServiceNow is released as a conventional ServiceNow scoped application via a ServiceNow update set. ServiceNow update sets are code changes to the out-of-the-box platform and enable developers to move code across ServiceNow instance environments. The Connector for ServiceNow update set is available to download in the ServiceNow store. For users installing the update set on a ServiceNow Personal Developer Instance (PDI), please download the connector from here.

The update set may be applied to a Helsinki, Istanbul, Jakarta or Kingston platform release of ServiceNow.

a. Obtain ServiceNow instance
You need a ServiceNow instance to install the connector update set. If you need a ServiceNow instance do the following:

  1. Choose Obtain ServiceNow PDI for more instructions within the ServiceNow Developer program.
  2. Create ServiceNow developer program credentials. Choose request instance and select the ServiceNow release as the following shows:

[Screenshot: select ServiceNow release]

  3. Capture your instance details including URL, administrative ID, and temporary password credentials.
  4. Log in to your ServiceNow instance. You will see the ServiceNow standard user interface view as the following shows:

[Screenshot: ServiceNow standard user interface]

b. Install the Update Set

  1. Log in to the instance as the system administrator (a user with the ServiceNow admin role).
  2. In the navigator panel, type “Update Sets” and select Retrieved Update Sets from the results.
  3. Select Import Update Set from XML on the page and upload the release XML file.

[Screenshot: import update set from xml]

  4. Select the AWS Service Catalog Connector for ServiceNow update set.
  5. Choose Preview Update Set, which makes ServiceNow validate the connector update set.
  6. Choose Update and the ServiceNow form will update to the following view:

[Screenshot: update]

  7. Choose Commit Update Set to apply the update set and create the application. The Update Set Commit procedure should complete 100%.

II. Configure ServiceNow Platform System Admin Components

To enable the AWS Service Catalog Connector for ServiceNow scoped application named AWS Service Catalog, the system admin will need to configure specific platform tables, forms, and views.

a. Enable permissions on ServiceNow Platform tables

  1. Enter “Tables” in the Navigator and choose System Definition, then choose Tables.
  2. In the list of tables, search for a table with Label “User Criteria” (or name “user_criteria”). The list of tables will be displayed, with the User Criteria table at the top. Select it by choosing its label to view the form defining the table.
  3. Choose the Application Access tab on the form and select the Can Create and Can delete check boxes on the form. Choose the Update button. Note: You might need to choose the link at the top to edit the record.

[Screenshot: application access, choose link to edit record]

  4. Repeat steps two and three, used on the User Criteria table, for the “Catalog Variable Set” table (type io_set_item in the “Go to Name Search” field). Note: You might see two tables in the search results. Choose the io_set_item table.

[Screenshot: io_set_item]

b. Set up application administrator privileges
The AWS Service Catalog scoped app comes with two ServiceNow roles that enable access to configure the application, so that system admins can grant one or more users privileges to administer the application without having to open up full sysadmin access to them. The following table explains the two roles:

[Table image: roles table]

These roles can be assigned to two individual users or both to one administrator user. As the sysadmin user:

  1. Type “Users” in the navigator and select System Security – Users.
  2. Select a user to grant one or both previous roles (such as admin) to. You can also Create a User.
  3. Choose Edit on the Roles tab of the form.
  4. Filter the Collection of roles by the prefix “x_”.
  5. Choose from x_126749_aws_sc_account_admin and/or x_126749_aws_sc_portfolio_manager and add them to the user.
  6. Choose Save.

c. Add AWS Service Catalog to the ServiceNow Service Catalog categories

  1. Navigate to Self Service | Service Catalog and select the Add content icon (top right):

[Screenshot: add content]

  2. Select the AWS Service Catalog Product entry. Add it to your catalog home page by choosing the first Add Here link on the second row of the selection panel at the bottom of the page.

[Screenshot: add here]

d. Add a Change Request Type
You need to add a new change request type called AWS Product Termination for the scoped application to trigger an automated change request in Change Management.

  1. Open an existing change request.
  2. Right-click on Type and select Show Choice List. Note: Some Mac users may experience trouble accessing Choice List without a mouse device.

[Screenshot: show choice list]

  3. Choose New and fill in the following fields:
    1. Table – Change Request
    2. Label – AWS Product Termination
    3. Value – AwsProductTermination
    4. Sequence – pick the next unused value
  4. Submit the form.

[Screenshot: submit form]

III. Configuring AWS Service Catalog Connector Scoped Application – AWS Service Catalog

Having installed and configured the AWS Service Catalog Connector for ServiceNow in the previous sections, you need to configure the AWS Service Catalog scoped application and the applicable roles:

  1. Create a role called “order_aws_sc_products”. This role is granted to any user who is permitted to order AWS Service Catalog products:

[Screenshot: create role]

  2. Grant roles to the following users:
    1. System Administrator (admin): For simplicity in this worked example, the user admin is designated as the administrator of the AWS Service Catalog scoped application. This user is granted (Roles -> Edit) both of the administrative roles from the adapter, x_126749_aws_sc_portfolio_manager and x_126749_aws_sc_account_admin (rather than assigning these to separate users).

[Screenshot: sysadmin role]

    2. Abel Tuter: The user abel.tuter is chosen as an illustrative end user. Abel requires the new role order_aws_sc_products to order products from AWS.

[Screenshot: abel tuter]

IV. Configure Accounts

Log in as the System Administrator. In the AWS Service Catalog scoped app Accounts menu, create two accounts, one for sync and one for provisioning. Note that the names are chosen for convenience, to make it easy to see which IAM user each corresponds to (these are the users created in the AWS setup).

The snow-stsuser-account account has no Regions configured. The snow-sync-account account has one Region configured, matching the Region where the AWS Service Catalog portfolio is defined (double-click the text “Insert a new row” to add one).

You will need to use the access key IDs and secret access keys from the users you created in AWS.

[Chart: ServiceNow AWS Correlations chart]

[Screenshot: configure accounts]

V. Scheduled Jobs (Initial Manual Sync)

During the initial setup, manually execute the sync instead of waiting for the Scheduled Jobs to occur. To sync the accounts manually, do the following:

  1. Log in as System Administrator.
  2. Find Scheduled Jobs in the filter navigator panel.

[Screenshot: find scheduled jobs]

  3. Search for the job Sync all Accounts, select it, and choose Execute Now.

[Screenshot: job sync all accounts]

Note: If you do not see Execute Now in the upper left-hand corner, then click on Configure Job Definition. Execute Now will be visible.

VI. Grant Access to Portfolios

Data will be visible in the AWS Service Catalog scoped app menus after the adapter’s scheduled synchronization job has run. Go to the AWS Service Catalog scoped app and choose the Identities menu, select the SnowEndUser role, and assign it to the account snow-stsuser-account (double-click the cell in the Account column, or click the SCEndUser user name and edit the form presented):

[Screenshot: assign snowenduser role]

The next step is to choose the Role Grants menu in the AWS Service Catalog scoped app. Choose New and enter the Role ‘order_aws_sc_products’ and the SnowEndUser identity. The Role Grants table will now look like this:

[Screenshot: role grants table]

Given the setup above, Abel Tuter can now order products from AWS Service Catalog in ServiceNow.