ServiceNow Credential Resolver
Overview
The Akeyless Credentials Resolver is Akeyless's official ServiceNow application. It installs a MID Server external credential resolver that retrieves secrets from Akeyless at runtime and maps them to ServiceNow Discovery credential fields, so no static passwords are stored in ServiceNow. The resolver class is com.snc.discovery.CredentialResolver.
App listing: https://store.servicenow.com/store/app/3bad4acf97f98f10cbe2f5411153af6a
If you'd rather build the resolver JAR from source (for example, to customize it or contribute), see the source repository instead: https://github.com/akeylesslabs/akeyless-servicenow-credential-resolver. That path isn't covered here.
Prerequisites
- A ServiceNow instance (Quebec+ recommended) with Discovery and External Credentials enabled.
- A MID Server installed and connected to your instance.
- Network access from the MID Server host to the Akeyless Gateway (default
https://api.akeyless.io, or your private Gateway URL). - Access to the ServiceNow Store from your instance, and permission to install/activate applications.
- An Akeyless Access ID and one of the supported authentication methods below.
Supported Akeyless Authentication Methods
access_keyaws_iamazure_adgcpuniversal_identitycert
For cloud-based methods, the resolver detects a CloudID from the cloud environment the MID Server is running in (for example, an EC2 instance profile, an Azure VM managed identity, or GCP default credentials). For Universal Identity, using a UID token file is the preferred setup because it supports automatic token rotation without touching MID configuration (see Automatic UID Rotation below).
Install the Akeyless Credentials Resolver App
- From your ServiceNow instance, open the ServiceNow Store app (or navigate to it directly at the app listing) and install Akeyless Credentials Resolver.
- Once installed, activate the application on your instance if it isn't activated automatically.
- The app deploys the resolver JAR as a MID Server JAR file record. Confirm it under MID Server → JAR files.
- Make sure your MID Server(s) pick up the JAR:
- The MID will sync automatically and place the JAR in its agent lib cache.
- If it isn't picked up, restart the MID service to force a sync (see Restarting the MID Service below).
Once the MID Server has the resolver JAR loaded, move on to configuring the Akeyless connection properties.
Configure MID Properties (Akeyless Parameters)
With the MID Server set up, configure the following properties on your instance (System Properties or MID Properties). Property names are case-sensitive.
ext.cred.akeyless.gw_url(string): Akeyless Gateway. Default:https://api.akeyless.ioext.cred.akeyless.access_type(string): One ofaccess_key,aws_iam,azure_ad,gcp,universal_identity/uid,cert/certificate. Default:access_keyext.cred.akeyless.access_id(string): Your Akeyless Access ID (required)ext.cred.akeyless.access_key(string): Your Akeyless Access Key (required foraccess_keyonly)ext.cred.akeyless.uid_token_file(string): File path on the MID host containing the UID token, foruniversal_identity/uid. Preferred, the first non-empty line is read on each use, so an external rotation job can refresh the file's contents without a MID restart.ext.cred.akeyless.uid_token(string): Inline UID token, foruniversal_identity/uid. Used as a fallback only whenuid_token_fileis unset or unreadable.ext.cred.akeyless.cert_data(string): Inline certificate PEM content, forcertext.cred.akeyless.key_data(string): Inline private key PEM content, forcertext.cred.akeyless.cert_file_name(string): Path to the certificate PEM file on the MID host, forcertext.cred.akeyless.key_file_name(string): Path to the private key PEM file on the MID host, forcertext.cred.akeyless.ignore_cache(booleantrue/false): For rotated secrets only, passesignore-cachewhen fetching values. Default:false
Optional field mapping overrides for JSON secrets (see Mapping below):
ext.cred.akeyless.map.username(default:username)ext.cred.akeyless.map.password(default:password)ext.cred.akeyless.map.private_key(default:private_key)ext.cred.akeyless.map.passphrase(default:passphrase)
Environment and System Property Alternatives
The resolver also reads the following system properties or environment variables:
AKEYLESS_GW_URLAKEYLESS_ACCESS_TYPEAKEYLESS_ACCESS_ID(required)AKEYLESS_ACCESS_KEY(when usingaccess_key)AKEYLESS_UID_TOKEN_FILE(preferred file path, when usinguniversal_identity/uid)AKEYLESS_UID_TOKEN(inline fallback, when usinguniversal_identity/uid)AKEYLESS_CERT_DATAandAKEYLESS_KEY_DATA(inline certificate authentication)AKEYLESS_CERT_FILE_NAMEandAKEYLESS_KEY_FILE_NAME(file-based certificate authentication)
As a fallback for any ext.cred.* property, an environment variable with the uppercase name and dots replaced by underscores is also read (for example, EXT_CRED_AKEYLESS_GW_URL). MID properties take precedence over environment/system variables.
Configure MID config.xml (Secure Local Parameters)
config.xml (Secure Local Parameters)Add sensitive Akeyless credentials to the MID's config.xml on each MID host:
- Linux:
/opt/agent/config.xml - Windows:
C:\ServiceNow\agent\config.xml
Insert your parameters inside the <parameters> block:
<parameters>
...
<!-- Akeyless secure credentials -->
<parameter name="ext.cred.akeyless.gw_url" value="https://api.akeyless.io" />
<parameter name="ext.cred.akeyless.access_type" value="access_key" />
<parameter name="ext.cred.akeyless.access_id" value="AKEYLESS_ACCESS_ID" />
<parameter name="ext.cred.akeyless.access_key" value="AKEYLESS_SECRET_KEY" secure="true" />
<!-- Universal Identity example (file-based, preferred - supports automatic rotation) -->
<!-- <parameter name="ext.cred.akeyless.access_type" value="uid" /> -->
<!-- <parameter name="ext.cred.akeyless.uid_token_file" value="/opt/agent/creds/uid_token.txt" /> -->
<!-- Universal Identity example (inline fallback) -->
<!-- <parameter name="ext.cred.akeyless.uid_token" value="UID_TOKEN" secure="true" /> -->
<!-- Certificate authentication with inline material -->
<!-- <parameter name="ext.cred.akeyless.access_type" value="certificate" /> -->
<!-- <parameter name="ext.cred.akeyless.cert_data" value="-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----" secure="true" /> -->
<!-- <parameter name="ext.cred.akeyless.key_data" value="<PRIVATE_KEY_PEM_CONTENT>" secure="true" /> -->
<!-- Certificate authentication with file-based material -->
<!-- <parameter name="ext.cred.akeyless.cert_file_name" value="/opt/agent/certs/client.crt" /> -->
<!-- <parameter name="ext.cred.akeyless.key_file_name" value="/opt/agent/certs/client.key" secure="true" /> -->
<!-- Optional JSON mapping overrides -->
<parameter name="ext.cred.akeyless.map.username" value="username" />
<parameter name="ext.cred.akeyless.map.password" value="password" />
<parameter name="ext.cred.akeyless.map.private_key" value="private_key" />
<parameter name="ext.cred.akeyless.map.passphrase" value="passphrase" />
</parameters>Restarting the MID Service
sudo service mid restartOr on Windows (from an elevated Command Prompt):
net stop mid
net start midAutomatic UID Rotation
When using universal_identity/uid, prefer ext.cred.akeyless.uid_token_file (or AKEYLESS_UID_TOKEN_FILE) over the inline uid_token property:
- The resolver reads the first non-empty line of the file on each use, so a fresh token only needs to be written to that path — no MID property update or restart is required.
- Point the property at a file that an external rotation job keeps up to date (for example, an Akeyless Universal Identity auto-rotation job/scheduled task that periodically calls token rotation and writes the refreshed token to disk).
- The inline
ext.cred.akeyless.uid_token/AKEYLESS_UID_TOKENvalue is only used as a fallback if the file is unset or unreadable, so keep it out of your configuration once the file-based setup is working. - The resolver caches the Akeyless session token in memory for the life of the MID Server's JVM and only re-authenticates when Akeyless returns an authentication failure (HTTP 401), at which point it clears the cache, re-reads the current UID token, and retries once. There's no separate configurable TTL on the resolver side — token freshness comes from keeping the token file itself current.
Configure a Discovery Credential to Use This Resolver
- Navigate to Discovery → Credentials → New.
- Choose a credential Type (for example, Windows, SSH Password, SSH Private Key, VMware, JDBC, JMS, or SNMPv3).
- Select External credential store.
- Set the fully qualified class name (FQCN) to
com.snc.discovery.CredentialResolver. - Set the Credential ID to the Akeyless secret path (for example,
/prod/app/db). - Click Test credential, then select a MID Server and a target if required by the type.
What to Store in Akeyless and How It's Mapped
The resolver accepts either:
- A plain string secret, mapped as a password/token
- A JSON object, where fields are mapped to ServiceNow credential fields per the credential Type
Item Types (Static, Rotated, Dynamic)
- The resolver first calls
describe-itemto determineitem_type. - Based on
item_type, it then calls:STATIC_SECRET→get-secret-valueROTATED_SECRET→get-rotated-secret-value(also sendsignore-cachewhenext.cred.akeyless.ignore_cache=true)DYNAMIC_SECRET→get-dynamic-secret-value
- If ServiceNow provides an
ipargument for the credential test or run, the resolver passes it ashostwhen fetching rotated secrets.
Default mapping (can be overridden by way of ext.cred.akeyless.map.*):
- Username field:
username - Password field:
password - Private key field:
private_key - Passphrase field:
passphrase
Per-Type Mapping Summary
- Windows, Basic, SSH Password, VMware, JDBC, JMS: uses JSON fields
username,password(or your overridden names). - SSH Private Key: uses JSON fields
username,private_key,passphrase. The same mapping applies tosn_cfg_ansible,sn_disco_certmgmt_certificate_ca,cfg_chef_credentials,infoblox, andapi_key. - SNMPv3: uses JSON fields
username,auth_protocol,auth_key,privacy_protocol,privacy_key, mapped to ServiceNow fieldsusername,auth-protocol,auth-key,privacy-protocol,privacy-key. - Other unlisted types: the resolver attempts to map
usernameandpasswordwhen those fields are present in the secret JSON; if one or both are missing, only the available fields are mapped.
Examples
Basic / Windows / SSH Password (JSON in Akeyless):
{
"username": "alice",
"password": "secret"
}SSH Private Key:
{
"username": "ssh-user",
"private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
"passphrase": "optional"
}SNMPv3:
{
"username": "snmpu",
"auth_protocol": "SHA",
"auth_key": "authKeyHere",
"privacy_protocol": "AES",
"privacy_key": "privacyKeyHere"
}Custom field names by way of mapping overrides (example): set ext.cred.akeyless.map.username = user_name and ext.cred.akeyless.map.password = pwd. A JSON secret like:
{
"user_name": "alice",
"pwd": "secret"
}will then map to ServiceNow username = alice, password = secret.
CloudID Notes (aws_iam / azure_ad / gcp)
- When
ext.cred.akeyless.access_type(orAKEYLESS_ACCESS_TYPE) isaws_iam,azure_ad, orgcp, the resolver fetches a CloudID and sends it to Akeyless during authentication. - Ensure the MID Server host is running in the target cloud with the appropriate identity, or that the cloud SDK environment is present to retrieve a CloudID.
- Do not set
access_keywhen using CloudID-based methods.
Certificate Authentication Notes
- When
ext.cred.akeyless.access_typeiscertorcertificate, provide both the certificate and private key. - Certificate authentication supports either inline material with
ext.cred.akeyless.cert_dataandext.cred.akeyless.key_data, or file paths withext.cred.akeyless.cert_file_nameandext.cred.akeyless.key_file_name. - The resolver base64-encodes certificate and key material before sending it to Akeyless.
Troubleshooting
- HTTP 400 "Missing required parameter - timestamp" on
/auth: Usually indicates the wrong auth flow or missing parameters. Verifyaccess_typeis set correctly. For CloudID flows, do not set anaccess_key. Foraccess_keyflows, ensure bothaccess_idandaccess_keyare set. Foruid, setuid_token_file(preferred) oruid_token(fallback). Forcert, provide both certificate and key material, either inline or by file path. - HTTP 404 from
/v2/*endpoints: The resolver automatically falls back to the non-/v2endpoints. If both fail, verify the Gateway URL and network reachability. - "Secret value not found for name ...": Confirm the Credential ID (secret path) is correct and the Akeyless identity has permission to read it.
- Everything maps to a single password field (
pswd): This usually happens when the secret isn't strict JSON, because PEM or key content was pasted with literal line breaks inside quoted strings. Prefer\ninside the JSON string values. If PEM markers are still present, the resolver retries parsing with a lenient Jackson mode. - Logging: Resolver logs go through Commons Logging — check MID Server logs for entries containing "Akeyless resolver". The resolver also writes its own daily-rotated log files under the MID agent
logs/folder (for example,/opt/agent/logs/akeyless-resolver-YYYY-MM-DD.logon Linux, orC:\ServiceNow\agent\logs\akeyless-resolver-YYYY-MM-DD.logon Windows). These file logs contain the same safe diagnostic messages as the MID logs (arguments, secret path, item type, resolved field keys) — secret values and tokens are never written to the file.
Updated 3 days ago
