AWS Service Catalog
Administrator Guide

Configure ServiceNow

After completing the IAM and AWS Service Catalog configurations, the next configuration area to set up is ServiceNow. Installation tasks within ServiceNow include:

  • Clear the ServiceNow platform cache.

  • Clear the web browser cache.

  • Install the ServiceNow Connector scoped application, and upload and commit the ServiceNow Connector Update Set.

  • Configure ServiceNow platform system admin components.

  • Configure the AWS Service Catalog Connector scoped application, including accounts, scheduled jobs sync, and permissions.

Clear the ServiceNow Platform Cache

Before installing the AWS Service Catalog scoped app, we recommend that you clear the ServiceNow platform cache by typing in the following URL: https://[InsertServiceNowInstanceNameHere]/cache.do

Note

Ensure that you install the update set in a non-production/sandbox environment. Consult a ServiceNow system administrator if you need approval to clear the ServiceNow platform cache.

Clear the Web Browser Cache

Clear the web browser cache to remove previously rendered product forms.

Installing ServiceNow Connector Scoped Application

The AWS Service Catalog Connector for ServiceNow is released as a conventional ServiceNow scoped application via a ServiceNow Update Set. ServiceNow update sets are code changes to the out-of-the-box platform and enable developers to move code across ServiceNow instance environments. The Connector for ServiceNow update set is available to download in the ServiceNow store. For users installing the update set on a ServiceNow Personal Developer Instance (PDI), download the code from Connector for ServiceNow version 2.0.2 update set.

The Connector for ServiceNow version 2.0.2 update set may be applied to a "Kingston," "London," or "Madrid" platform release of ServiceNow.

If you do not already have a ServiceNow instance, begin with the first step below. If you already have a ServiceNow instance, proceed to To download AWS Service Catalog Connector for ServiceNow.

To obtain a ServiceNow instance

  1. Go to Obtaining a Personal Developer Instance.

  2. Create ServiceNow developer program credentials.

  3. Follow the instructions for requesting a ServiceNow instance.

  4. Capture your instance details, including URL, administrative ID, and temporary password credentials.

To download AWS Service Catalog Connector for ServiceNow

  1. From your ServiceNow dashboard, type plugins into the navigation panel in the upper left.

  2. When the System Plugins page populates, next to the dropdown that says Name, search for user criteria.

  3. Choose User Criteria Scoped API and then choose Activate.

  4. From the ServiceNow Store, download the AWS Service Catalog Connector. When prompted, log in with your administrator credentials.

To install the update set

  1. From your ServiceNow dashboard, type update sets into the navigation panel in the upper left.

  2. Choose Retrieved Update Sets from the results.

  3. Select Import Update Set from XML and upload the release XML file.

  4. Select the AWS Service Catalog Connector for ServiceNow update set.

  5. Choose Preview Update Set, which makes ServiceNow validate the connector update set.

  6. Choose Update.

  7. Choose Commit Update Set to apply the update set and create the application. This procedure should complete 100%.

Configuring ServiceNow Platform System Admin Components

To enable the AWS Service Catalog Connector for ServiceNow scoped application named AWS Service Catalog, the system admin must configure specific platform tables, forms, and views.

Note

If you are upgrading from an earlier version, the Enable permissions on ServiceNow Platform tables (User Criteria and Catalog Variable Set) steps are no longer needed for the Connector for ServiceNow.

Enable permissions on ServiceNow Platform tables (Category and Catalog Item Category)

For AWS products to display under AWS portfolios as sub-categories in the ServiceNow Service Catalog, you need to modify the Application Access form for Category and Catalog Item Category tables.

  1. Enter "Tables" in the Navigator and choose System Definition, then choose Tables.

  2. In the list of tables, search for a table with label "Category" (or with the name "sc_category"). The list of tables will be displayed. Choose Category to view the form defining the table.

  3. Choose the "Application Access" tab on the form and choose the "Can Create", "Can Update", and "Can delete" checkboxes on the form. Choose the "Update" button.

  4. Repeat the steps used on the Category table above for the "Catalog Item Category" table. Type sc_cat_item_category in the “Go to Name Search” field.

ServiceNow Permissions for Administrators of the Connector Scoped App

The AWS Service Catalog scoped app comes with two ServiceNow roles that enable access to configure the application. This enables system admins to grant one or more users privileges to administer the application without having to open up full sysadmin access to them. These roles can be assigned either to individual users or to one administrator user.

To set up application administrator privileges

  1. Type Users in the navigator and select System Security – Users.

  2. Select the user (such as admin) to whom you want to grant one or both of the roles described above. You can also Create a User.

  3. Choose Edit on the Roles tab of the form.

  4. Filter the collection of roles by the prefix “x_”.

  5. Choose one or both of the following and add them to the user: x_126749_aws_sc_account_admin, x_126749_aws_sc_portfolio_manager

  6. Choose Save.

To add AWS Service Catalog to ServiceNow Service Catalog categories

  1. Navigate to Self Service | Service Catalog and select the Add content icon in the upper right.

  2. Select the AWS Service Catalog Product entry. Add it to your catalog home page by choosing the first Add Here link on the second row of the selection panel at the bottom of the page.

To add a change request type

  1. If you are upgrading from a previous version of the AWS Service Catalog scoped app, you must remove the AWS Product Termination change request type before creating a new change request type.

  2. You must add a new change request type called AWS Provisioned Product Event for the scoped application to trigger an automated change request in Change Management. For instructions, see Add a new change request type.

  3. Open an existing change request.

  4. Open the context (right-click) menu for Type and then choose Show Choice List.

  5. Choose New and fill in the following fields:

    • Table: Change Request

    • Label: AWS Provisioned Product Event

    • Value: AWSProvisionedProductEvent

    • Sequence: pick the next unused value

  6. Submit the form.

Configuring AWS Service Catalog Connector Scoped Application

Having installed and configured the AWS Service Catalog Connector for ServiceNow in the previous procedure, you must configure the AWS Service Catalog scoped application and applicable roles.

To configure the AWS Service Catalog scoped application and applicable roles

  1. On your ServiceNow dashboard, create a role called order_aws_sc_products. This role is granted to any users with permission to order AWS Service Catalog products. For instructions, see Create a role.

  2. Grant roles to the following users:

    • System Administrator (admin): For simplicity in this example, user admin is designated as the administrator of the AWS Service Catalog scoped application. Grant this user both of the administrative permissions from the adapter, x_126749_aws_sc_portfolio_manager and x_126749_aws_sc_account_admin. In a real scenario, these roles would likely be granted to two different users.

    • Abel Tuter: The user abel.tuter is chosen as an illustrative end user. Grant Abel the new role order_aws_sc_products. This allows him to order products from AWS.
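The role split described above can be checked after setup. The following is an added example, not code from AWS or from the connector: it audits a list of user/role pairs for the two connector admin roles and the order_aws_sc_products role named on this page. The `{user, role}` row shape (modelled on an export of the ServiceNow sys_user_has_role table), the users cloud.ops and catalog.owner, and the finding labels are assumptions.

```javascript
// Added example: audits who holds the connector roles named on this page.
const ACCOUNT_ADMIN = 'x_126749_aws_sc_account_admin';
const PORTFOLIO_MANAGER = 'x_126749_aws_sc_portfolio_manager';
const ORDER_ROLE = 'order_aws_sc_products';
const PLATFORM_ADMIN = 'admin'; // ServiceNow's full system administrator role

// Constructed sample rows; the {user, role} shape is an assumption modelled on
// an export of the sys_user_has_role table. cloud.ops and catalog.owner are
// hypothetical users; admin and abel.tuter follow the page's walkthrough.
const sampleRows = [
  { user: 'admin', role: PLATFORM_ADMIN },
  { user: 'admin', role: ACCOUNT_ADMIN },
  { user: 'admin', role: PORTFOLIO_MANAGER },
  { user: 'abel.tuter', role: ORDER_ROLE },
  { user: 'cloud.ops', role: ACCOUNT_ADMIN },
  { user: 'catalog.owner', role: PORTFOLIO_MANAGER },
  { user: 'catalog.owner', role: ORDER_ROLE },
];

function auditConnectorRoles(rows) {
  // Group roles per user so each user is evaluated once.
  const byUser = new Map();
  for (const { user, role } of rows) {
    if (!byUser.has(user)) byUser.set(user, new Set());
    byUser.get(user).add(role);
  }
  const findings = [];
  const orderers = [];
  for (const [user, roles] of byUser) {
    const held = [ACCOUNT_ADMIN, PORTFOLIO_MANAGER].filter((r) => roles.has(r));
    // The page notes the two admin roles would normally go to different users.
    if (held.length === 2) {
      findings.push({ user, issue: 'holds-both-connector-admin-roles' });
    }
    // The scoped roles exist so connector admins do not need full sysadmin access.
    if (held.length > 0 && roles.has(PLATFORM_ADMIN)) {
      findings.push({ user, issue: 'connector-admin-with-platform-admin' });
    }
    // Everyone listed here can order AWS products; review the list periodically.
    if (roles.has(ORDER_ROLE)) orderers.push(user);
  }
  return { findings, orderers };
}

console.log(JSON.stringify(auditConnectorRoles(sampleRows), null, 2));
```

With the walkthrough's simplified setup, the admin user is reported for both conditions; granting each connector role to a separate non-admin user clears the findings.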

Configuring Accounts

  1. Log in as the system administrator.

  2. In the AWS Service Catalog scoped app Accounts menu, create two accounts, one for sync and one for provisioning: snow-stsuser-account and snow-sync-account. Note that the names here are chosen for convenience to make it easy to see which IAM user they correspond to (these are the users created in the AWS setup).

  3. The snow-stsuser-account account has no regions configured. The snow-sync-account user has one region configured, matching the region where AWS Service Catalog is defined. You validate this in the next section.

  4. Note that you need to use the keys and secret keys from the users you created in AWS.

Validating Connectivity to AWS Regions

You can now validate connectivity to AWS regions between the ServiceNow snow-sync-account and the AWS IAM SyncUser.

To validate connectivity to AWS regions

  1. In the AWS Service Catalog scoped app, choose Accounts.

  2. Select snow-sync-account and choose Validate Regions.

  3. A successful connection results in the message, “Successfully performed AWS Service Catalog SearchProductsAsAdmin action in each referenced Region.”

If the AWS IAM access key or secret access key is incorrect, you receive a message similar to the following: Error performing AWS Service Catalog SearchProductsAsAdmin action in one or more Regions: us-east-1: The security token included in the request is invalid. Check that the access key and secret access key are correct.

Manually Syncing Scheduled Jobs

During the initial setup, manually execute the sync instead of waiting for Scheduled Jobs to run.

To sync the accounts manually

  1. Log in as system administrator.

  2. Find Scheduled Jobs in the navigator panel.

  3. Search for job Sync all Accounts, select it, and choose Execute Now.

    Note

    If you do not see Execute Now in the upper left corner, choose Configure Job Definition. Execute Now will be visible.

Granting Access to Portfolios

Data is visible in the AWS Service Catalog scoped app menus after the adapter’s scheduled synchronization job has run.

To grant access to AWS Service Catalog products in ServiceNow, you must establish a link between the AWS SnowEndUser role discovered from the Sync All Scheduled Job and snow-stsuser-account entry created in the ServiceNow AWS Service Catalog scoped app.

To grant access to AWS Service Catalog products in ServiceNow

  1. In the AWS Service Catalog scoped app, choose the Identities module.

  2. Select the ARN address for the AWS SnowEndUser role and assign it to account snow-stsuser-account. You can double-click the cell in the account column, or click the SCEndUser user name and edit the form presented.

    Role Grants is available within the Identities module to conveniently associate the ServiceNow role order_aws_sc_products to the AWS SnowEndUser role identity.

  3. Choose New and enter the Role of order_aws_sc_products and the SnowEndUser identity.

  4. Choose Submit.

The Identities module now has a view of the associated role. You can test the AWS identity to determine if the ServiceNow end user with the order_aws_sc_products role can order an AWS Service Catalog product.

To test access to portfolios

  1. Choose the Test Authorization button shown in the AWS identity module.

  2. If the test is successful, the message Successfully performed SearchProducts action as arn:aws:iam::AWS Account:role/SnowEndUser is returned.

  3. An unsuccessful test returns the message Error using account…

  4. Given the preceding setup, Abel Tuter can now order products from AWS Service Catalog in ServiceNow.