Demo only — This is a proof-of-concept. Do not deploy to production without vetting security guardrails and understanding the unsupported JAR patch.
TL;DR
- Goal: Run the ServiceNow MID Server on AWS EKS Auto Mode without static AWS keys or self‑managed EC2 instances.
- How: Patch
mid.jarso the MID Server can use EKS Pod Identity first, with instance profiles as a fallback. - What you get: Pod‑scoped, auto‑rotated AWS credentials, a three‑tier IAM role model, and a CDK app that deploys everything end‑to‑end.
- Who this is for: ServiceNow / cloud platform engineers who own both AWS and ServiceNow and need a repeatable, supportable story for cloud discovery.
The Problem
ServiceNow MID Server discovers AWS resources by calling AWS APIs. It needs AWS credentials. The official MID Server only supports two methods: static IAM user keys and EC2 Instance Profile (IMDSv2). Neither works on EKS Auto Mode — there are no user-managed nodes for Instance Profiles, and static keys are a security anti-pattern.
EKS Pod Identity solves this by injecting temporary, pod-scoped credentials. But the MID Server’s credential resolver doesn’t know about Pod Identity. So we patch mid.jar to check Pod Identity first, with Instance Profile as fallback.
AWS Credential Models for ServiceNow Cloud Discovery
| # | Credential Model | Runs On | How It Works | ServiceNow Support | Trade-offs |
|---|---|---|---|---|---|
| 1 | AWS IAM User (Static Keys) | Anywhere | Create an IAM user with programmatic access. Store Access Key ID and Secret Access Key in ServiceNow. | Fully supported | ⚠ Security risk: Long-lived credentials. Requires manual key rotation. Keys in ServiceNow add attack surface. |
| 2 | AWS EC2 Instance Profile | EC2 instance | Attach an IAM role to the EC2 instance. ServiceNow uses credential-less discovery via IMDSv2. No keys stored. | Fully supported | ⚙ Management overhead: You own the EC2 lifecycle — OS patching, AMI hardening, capacity planning. |
| 3 | AWS IRSA | EKS standard mode | Associate an IAM role with a K8s ServiceAccount via OIDC. Requires IMDS hop limit set to 2 on node group. |
Supported (with config) | ℹ Node management: EKS standard mode requires managing node groups, AMIs, OS patching, kubelet upgrades. |
| 4 | AWS EKS Pod Identity Most Secure Patch Required | EKS Auto Mode | Associate an IAM role with a K8s ServiceAccount via Pod Identity. EKS injects credentials into the pod. Requires patching mid.jar. |
Not supported | ✓ Most secure: Pod-scoped, auto-rotated, no static secrets. ⚙ Requires unsupported JAR patch — re-patch on each MID Server upgrade. |
Why Pod Identity on EKS Auto Mode?
- EKS Auto Mode has no user-managed nodes, so EC2 Instance Profiles don’t apply
- Pod Identity provides pod-scoped, temporary credentials with automatic rotation
- No static AWS keys to store, rotate, or leak
- The trade-off is the unsupported JAR patch — weigh this against your security and support requirements
Architecture
The three-tier IAM role architecture mirrors ServiceNow’s Model 3 (Accessor → Management → Member) discovery pattern. In production, these roles would be in separate AWS accounts. For this demo, all three live in the same account.
What Gets Deployed
The CDK app deploys five stacks:
| Stack | Resources |
|---|---|
EksMidServerEcrStack |
Private ECR repository with image scanning and lifecycle rules |
EksMidServerVpcStack |
VPC with 2 AZs, private subnets, NAT gateway |
EksMidServerClusterStack |
EKS Auto Mode cluster with control plane logging |
EksMidServerRolesStack |
Three-tier IAM roles: Pod Identity → Management → Discovery |
EksMidServerAppStack |
Namespace, ServiceAccount, Pod Identity association, ConfigMap, Secret, StatefulSet |
Guide
The full step-by-step guide is split into two parts:
- MID Server JAR Patching — Decompile
mid.jar, add Pod Identity support, recompile, build Docker image, push to ECR - Deployment and Discovery Guide — Deploy CDK stacks, verify the MID Server, configure credential-less cloud discovery in ServiceNow
Source Code
The complete CDK app, example Dockerfiles, and documentation are available in the GitHub repository.
This is a demo/POC implementation. The mid.jar patching described here is unsupported by ServiceNow. See the repository README for full disclaimers.