AWS non-default regions or datacenters with IAM management or member policy configurations

Issue

ServiceNow Cloud Discovery supports four methods of Amazon Web Services (AWS) discovery with regular credentials and Identity and Access Management (IAM) master or member policy with temporary credentials. Discovery can be successful using any of the following configurations.

- AWS Cloud Discovery
- Creating AssumeRole on AWS Console for AWS Management and Member Discovery
- AWS Organizations and Temporary Credentials
- Member to Management discovery using accessor account

Using AWS non-default regions and datacenters with direct credentials may be successful but can fail citing 401 and 403 authentication or authorization errors. For example, the ap-east-1 datacenter fails with the following error even though the IAM policy and trusted relationship are working as expected for other datacenters or regions.

com.amazonaws.services.ec2.model.AmazonEC2Exception: AWS was not able to validate the provided access credentials (Service: AmazonEC2; Status Code: 401; Error Code: AuthFailure; Request ID: a373ba4c-0143-48a8-8f38-dc281684faaf)

AWS non-default regions or datacenters

List of non-default regions or datacenters

- Africa (Cape Town) af-south-1
- Asia Pacific (Hong Kong) ap-east-1
- Asia Pacific (Jakarta) ap-southeast-3
- Europe (Milan) eu-south-1
- Middle East (Bahrain) me-south-1

Cause

ServiceNow CAPI/Patterns Discovery accesses the global endpoint (sts.amazonaws.com) and expects it to be valid for all AWS regions.

Resolution

Before proceeding, ensure that the region you are attempting to discover is active in both the Accessor account and the Target account (the account where you want to run the discovery).

In the Accessor account:

1. Open the IAM console and go to Account settings.
2. If needed, expand the Security Token Service (STS) section.
3. In the first section, find the Global endpoint and change the value to All AWS Regions. By default, AWS Regions is enabled. Select Save changes to confirm the update.
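
The two checks in the Resolution can be run as a preflight before discovery. The following is an added example, not ServiceNow or AWS code: it parses the output of `aws iam get-account-summary` and `aws ec2 describe-regions --all-regions`, and the sample JSON and the names `preflight` and `region_status` are constructed for illustration.

```python
import json

# Constructed sample CLI output (not from a real account):
#   aws iam get-account-summary            -> ACCESSOR_SUMMARY
#   aws ec2 describe-regions --all-regions -> *_REGIONS
ACCESSOR_SUMMARY = '{"SummaryMap": {"GlobalEndpointTokenVersion": 1}}'
ACCESSOR_REGIONS = json.dumps({"Regions": [
    {"RegionName": "us-east-1", "OptInStatus": "opt-in-not-required"},
    {"RegionName": "ap-east-1", "OptInStatus": "opted-in"}]})
TARGET_REGIONS = json.dumps({"Regions": [
    {"RegionName": "us-east-1", "OptInStatus": "opt-in-not-required"},
    {"RegionName": "ap-east-1", "OptInStatus": "not-opted-in"}]})

ACTIVE = {"opt-in-not-required", "opted-in"}


def region_status(describe_regions_json):
    """Map RegionName -> OptInStatus from describe-regions output."""
    return {r["RegionName"]: r.get("OptInStatus", "unknown")
            for r in json.loads(describe_regions_json)["Regions"]}


def preflight(region, accessor_summary, accessor_regions, target_regions):
    """Return findings that would block discovery of `region` (hypothetical helper)."""
    findings = []
    statuses = {"accessor": region_status(accessor_regions),
                "target": region_status(target_regions)}
    for account, by_region in statuses.items():
        status = by_region.get(region, "unknown")
        if status not in ACTIVE:
            findings.append(f"{account}: region {region} is {status}")
    # Version 1 tokens from sts.amazonaws.com are valid only in regions
    # enabled by default; version 2 tokens are valid in all regions.
    needs_v2 = any(s.get(region) != "opt-in-not-required" for s in statuses.values())
    version = json.loads(accessor_summary)["SummaryMap"].get("GlobalEndpointTokenVersion")
    if needs_v2 and version != 2:
        findings.append(f"accessor: global STS endpoint issues version {version} tokens")
    return findings


if __name__ == "__main__":
    for region in ("us-east-1", "ap-east-1"):
        issues = preflight(region, ACCESSOR_SUMMARY, ACCESSOR_REGIONS, TARGET_REGIONS)
        print(region, "OK" if not issues else issues)
```

After the console change in step 3, `GlobalEndpointTokenVersion` reads 2; the CLI equivalent of that change is `aws iam set-security-token-service-preferences --global-endpoint-token-version v2Token`.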