Mayur Bhatti

Integrating Salesforce with AWS Using AWS IAM Roles Anywhere and Private CA

In this post we set up a secure integration between Salesforce and AWS using AWS IAM Roles Anywhere backed by a private Certificate Authority (CA). IAM Roles Anywhere lets on-premises servers or external services such as Salesforce assume an IAM role by authenticating with an X.509 certificate, so no long-lived AWS access keys have to be created or stored in Salesforce.

Step 1: Create a self-signed certificate in Salesforce:

  • In Salesforce, go to Setup and search for Certificate & Key Management. 
  • Choose Create Self-Signed Certificate. 
  • Enter a label and a unique name for the certificate, then click Save. 
  • Download the generated certificate as “cert.pem” and store it securely. 

Step 2: Set up a Private CA in AWS Private Certificate Authority:

  • Open the AWS Certificate Manager (ACM) Private CA console.
  • Choose Create CA, set Mode to “General-purpose” and choose CA Type “Root”.
  • Fill out all required details, then select RSA 2048 for the key algorithm.
  • Acknowledge the settings and click Create CA.
  • Once created, select “Install CA certificate” under Actions to activate the CA.
  • Verify the CA status changes from “Pending Certificate” to “Active”.

Step 3: Issue and Retrieve an ACM Certificate Using AWS CLI

  • Open your terminal and ensure the AWS CLI is installed.
  • Sign a certificate using your Private Root CA by running:

aws acm-pca issue-certificate \
    --certificate-authority-arn "<PRIVATE_ROOT_CA_ARN>" \
    --csr fileb://cert.pem \
    --signing-algorithm "SHA256WITHRSA" \
    --validity Value=365,Type="DAYS" \
    --region "us-east-1"

  • Copy the “CertificateArn” from the output, then retrieve the signed certificate:

aws acm-pca get-certificate \
    --certificate-authority-arn "<PRIVATE_ROOT_CA_ARN>" \
    --certificate-arn "<CERTIFICATE_ARN>"

  • Save the certificate content in a .crt file, formatted so that each line of the base64 body contains 64 characters.

NOTE: Create a file in an editor and paste the certificate from the get-certificate output, including the “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” lines, and save it with a .crt extension.

The CLI returns the certificate as a JSON string, so its line breaks appear as literal “\n” sequences. While saving the file, delete each “\n” and press Enter to start a new line instead. Each row of the certificate body has to be 64 characters long for Salesforce to recognise the file as a certificate.
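The manual clean-up in the note is easy to get wrong, so here is an added helper (not part of the original post) that takes the JSON printed by `aws acm-pca get-certificate`, or the same text pasted from a terminal with literal “\n” still in it, rewraps the body at 64 characters and sanity-checks the result before you upload it. The sample input at the bottom is constructed, not a real certificate.

```python
"""Turn `aws acm-pca get-certificate` output into the .crt file Salesforce expects:
real newlines (no literal "\\n") and a base64 body wrapped at 64 characters."""
import base64
import json
import re
import ssl

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def pem_from_cli_output(cli_text: str) -> str:
    """Extract the leaf certificate and rewrap it. Accepts the JSON the CLI prints
    or text pasted from a terminal in which "\\n" survived as literal backslash-n."""
    try:
        cert = json.loads(cli_text)["Certificate"]
    except (ValueError, TypeError, KeyError):
        cert = cli_text                          # not JSON: treat as pasted text
    cert = cert.replace("\\n", "\n")             # literal backslash-n -> newline
    match = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), cert, re.S)
    if not match:
        raise ValueError("no BEGIN/END CERTIFICATE block found")
    body = re.sub(r"\s+", "", match.group(1))    # one unbroken base64 string
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


def pem_is_well_formed(pem: str) -> bool:
    """Pre-upload sanity check: every body line is 64 chars except the last, and the
    base64 decodes to DER that starts with an ASN.1 SEQUENCE tag (0x30)."""
    body = pem.strip().splitlines()[1:-1]
    if not body or any(len(line) != 64 for line in body[:-1]) or len(body[-1]) > 64:
        return False
    der = ssl.PEM_cert_to_DER_cert(pem)          # raises ValueError on bad markers
    return der[:1] == b"\x30"


# Constructed sample, NOT a real certificate: 100 bytes of DER-looking data in the
# JSON shape the AWS CLI prints (the newlines become "\n" escapes inside the JSON).
_FAKE_DER = b"\x30\x62" + bytes(range(98))
SAMPLE_CLI_OUTPUT = json.dumps({
    "Certificate": BEGIN + "\n" + base64.b64encode(_FAKE_DER).decode() + "\n" + END,
    "CertificateChain": "(omitted in this sample)",
})

if __name__ == "__main__":
    pem = pem_from_cli_output(SAMPLE_CLI_OUTPUT)
    print(pem, "well-formed:", pem_is_well_formed(pem))
```

Write the returned string to the .crt file with LF line endings; on a real certificate you can additionally confirm the subject with `openssl x509 -in <file>.crt -noout -subject`.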

Step 4: Upload the Certificate to Salesforce

  • In Salesforce, upload the .crt file created in Step 3 to activate the certificate.

Step 5: Create a Trust Anchor in AWS IAM Roles Anywhere

  • Open IAM Roles Anywhere in the AWS console and select Create Trust Anchor.

  • Provide a name, select the Private CA from Step 2, and click Create Trust Anchor. 

Step 6: Create an IAM Role for Salesforce Permissions

  • In AWS IAM, create a new role with the following trust policy:

Trust Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "rolesanywhere.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:TagSession",
                "sts:SetSourceIdentity"
            ]
        }
    ]
}

  • Attach the AmazonConnect_FullAccess policy or another policy granting the necessary permissions.
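As written, the trust policy above lets the Roles Anywhere service assume the role on behalf of any trust anchor in the account. The following tightened version is an added example, not from the original post: it restricts the role to the trust anchor created in Step 5 and to a certificate with a specific subject CN. The account ID, trust anchor ID and CN are placeholders you replace with your own values; the CN is the subject of the certificate uploaded in Step 4.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "rolesanywhere.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:TagSession",
                "sts:SetSourceIdentity"
            ],
            "Condition": {
                "ArnEquals": {
                    "aws:SourceArn": "arn:aws:rolesanywhere:us-east-1:<ACCOUNT_ID>:trust-anchor/<TRUST_ANCHOR_ID>"
                },
                "StringEquals": {
                    "aws:PrincipalTag/x509Subject/CN": "<SALESFORCE_CERT_CN>"
                }
            }
        }
    ]
}
```

Roles Anywhere exposes the certificate subject as the session tag `x509Subject/CN`, which is why `sts:TagSession` must stay in the allowed actions; check the CN with `openssl x509 -in <file>.crt -noout -subject` before relying on the second condition.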

Step 7: Create a Roles Anywhere Profile in AWS IAM

  • In IAM Roles Anywhere, select Create Profile.

  • Enter a profile name, attach the role created in Step 6 and click Create Profile.

Step 8: Configure External Named Credentials in Salesforce

In this step, configure a named credential in Salesforce that uses the IAM role you created in Step 6.

A named credential is what Salesforce uses to authenticate and manage API callouts to an external service at a specific endpoint URL. Initially, point it at AWS Security Token Service (AWS STS), the web service used to request temporary credentials; later you will point it at the Amazon Connect service URL. Salesforce named credentials support two variants of the AWS Signature Version 4 authentication protocol: IAM User (identified by an access key) and Roles Anywhere.

As a best practice, use the IAM Roles Anywhere variant. Before the named credential can use it, you must first create an external credential that holds the Roles Anywhere authentication configuration.

  • In Salesforce, go to “Setup > Named Credentials > External Credentials” and click New.
  • Complete the following fields:
    • Label: "AWS IAM Anywhere Credential".
    • Name: "AWS_IAM_Anywhere_Credential".
    • Authentication Protocol: "AWS Signature V4".
    • Service: Initially "sts" (you'll change it to "connect" later).
    • Region: "us-east-1".
    • AWS Account ID: (Optional)
    • Obtain Temporary IAM Credentials via STS: Choose "Roles Anywhere".
    • Trust Anchor ARN and Profile ARN: Use the ARNs of the trust anchor (Step 5) and the profile (Step 7).
    • Signing Certificate: The CA-signed certificate that was uploaded to Salesforce in Step 4.
    • STS Duration: 3600.
  • Create a “New Principal” for external credential:
    • Name: e.g., "connect_principal". NOTE: Character requirements include [a-zA-Z0-9_+=,.@-]*.
    • Enter the ARN of the IAM role created in Step 6 and save.
  • Create a “Named Credential” in Salesforce with these details:
    • Label: "Connect API Connection".
    • Name: "Connect_API_Connection".
    • URL: "https://sts.us-east-1.amazonaws.com" (later changed to the Amazon Connect URL).
    • Enable Generate Authorization Header.

Step 9: Validate the Integration with IAM Roles Anywhere

  • In Salesforce, create or edit a permission set that grants the principal access:
    • Go to Permission Sets > New and provide a label.
    • Select External Credential Principal Access and move the principal to the enabled field.
    • Assign the permission set to the relevant Salesforce user.
  • Test the integration:
    • In Developer Console, open Execute Anonymous Window and run:

HttpRequest req = new HttpRequest();
// Connect_API_Connection is the name of the named credential created in Step 8
req.setEndpoint('callout:Connect_API_Connection/?Action=GetCallerIdentity&Version=2011-06-15');
req.setMethod('GET');
Http http = new Http();
HTTPResponse res = http.send(req);
System.debug(res.getBody());

  • Open the log file to see the status. If successful, the log shows a 200 status code, indicating a successful call to the Amazon STS API.

Step 10: Update the Named Credential URL

  • In the Named Credentials configuration, change the external credential's Service from "sts" to "connect" and the named credential's URL from the STS endpoint to the Amazon Connect service URL.
  • Test the integration:
    • In Developer Console, open Execute Anonymous Window and run:

HttpRequest req = new HttpRequest();
// Connect_API_Connection is the name of the named credential created in Step 8
req.setEndpoint('callout:Connect_API_Connection/?Action=GetCallerIdentity&Version=2011-06-15');
req.setMethod('GET');
Http http = new Http();
HTTPResponse res = http.send(req);
System.debug(res.getBody());

Open the log file to see the status. If successful, the log shows a 200 status code together with the response attributes, indicating a successful Amazon Connect API call.

The same setup works for any other AWS service, not only Amazon Connect.
