Integrating Salesforce with AWS Using AWS IAM Roles Anywhere and Private CA

Published: (January 19, 2026 at 03:07 PM EST)
4 min read
Source: Dev.to

Overview

| Component | Purpose |
|---|---|
| Salesforce Certificate & Key Management | Create a self‑signed certificate (and its key pair) in Salesforce; the downloaded PEM is the input to the private CA in Step 3. |
| AWS Certificate Manager Private CA | Issue a certificate signed by a private root CA. |
| IAM Roles Anywhere | Trust the private CA, then create a trust anchor, a profile, and a role that Salesforce can assume. |
| Salesforce External Credential & Named Credential | Configure AWS Signature V4 authentication that obtains temporary credentials for the role created above. |

Step‑by‑Step Instructions

1️⃣ Create a Self‑Signed Certificate in Salesforce

  1. In Setup, search for Certificate & Key Management.
  2. Click Create Self‑Signed Certificate.
  3. Provide a Label and a unique Name, then Save.
  4. Download the generated certificate as cert.pem and store it securely.

2️⃣ Set Up a Private Root CA in AWS ACM‑PCA

  1. Open the AWS Certificate Manager (ACM) Private CA console.
  2. Choose Create CA, with Mode: General‑Purpose and CA Type: Root.
  3. Fill in the required details and select RSA 2048 for the key algorithm.
  4. Review the settings and click Create CA.

After creation, under Actions select Install CA certificate to activate the CA.
Verify that the CA status changes from Pending Certificate to Active.

3️⃣ Issue a Certificate Signed by the Private Root CA

```bash
# Issue a certificate (replace the <...> placeholders with your own values)
aws acm-pca issue-certificate \
    --certificate-authority-arn "<CA_ARN>" \
    --csr fileb://cert.pem \
    --signing-algorithm "SHA256WITHRSA" \
    --validity Value=365,Type="DAYS" \
    --region "us-east-1"
```

`issue-certificate` signs a PKCS#10 certificate signing request for the key held in Salesforce. If the self‑signed PEM from Step 1 is rejected here, create a CA‑Signed Certificate in Certificate & Key Management instead and download its CSR; that file is what this command expects.

  1. Copy the CertificateArn from the command output.
  2. Retrieve the signed certificate. Issuance is asynchronous, so wait for it first; `--query Certificate --output text` writes the bare PEM instead of a JSON document with escaped newlines:
```bash
aws acm-pca wait certificate-issued \
    --certificate-authority-arn "<CA_ARN>" \
    --certificate-arn "<CERTIFICATE_ARN>" \
    --region "us-east-1"

aws acm-pca get-certificate \
    --certificate-authority-arn "<CA_ARN>" \
    --certificate-arn "<CERTIFICATE_ARN>" \
    --region "us-east-1" \
    --query Certificate --output text > cert.crt
```
  3. Check the resulting cert.crt before uploading it:
    • Each line except the header and footer must contain exactly 64 characters (the last body line may be shorter).
    • The -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines must be present.
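If you copied the certificate out of the JSON output instead, the body often arrives as one long line or with literal `\n` sequences, and Salesforce rejects it. The following is an added Python example (not code from the original post) that takes the `get-certificate` JSON, rewraps every PEM block to 64 columns, and checks that the body is base64 whose DER starts with a SEQUENCE tag, as every X.509 certificate does. The sample input is constructed: its body is a toy DER blob, not a real certificate.

```python
"""Turn `aws acm-pca get-certificate` output into a well-formed PEM file.

Added example, not code from the original post: normalizes the Certificate
(and CertificateChain) fields to 64-column PEM and checks the body is DER.
"""
import base64
import json
import re
from typing import Dict

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def normalize_pem(raw: str) -> str:
    """Rewrap every PEM block in `raw` to 64-character lines.

    Accepts real newlines, literal backslash-n sequences (what you get when the
    JSON field value is pasted verbatim) and stray whitespace. Each body must be
    valid base64 whose first DER byte is 0x30 (SEQUENCE), as every X.509
    certificate's is; anything else raises ValueError.
    """
    text = raw.replace("\\n", "\n")
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label = match.group("label")
        body = re.sub(r"\s+", "", match.group("body"))
        der = base64.b64decode(body, validate=True)  # raises on bad base64
        if not der or der[0] != 0x30:
            raise ValueError(f"{label} body does not decode to a DER SEQUENCE")
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        blocks.append(
            f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"
        )
    if not blocks:
        raise ValueError("no PEM block found")
    return "".join(blocks)


def pem_is_well_formed(pem: str) -> bool:
    """True if a single-block PEM has header, footer and 64-column body lines."""
    lines = pem.strip().splitlines()
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        return False
    body = lines[1:-1]
    return all(len(line) == 64 for line in body[:-1]) and 1 <= len(body[-1]) <= 64


def cert_files_from_cli_json(json_text: str) -> Dict[str, str]:
    """Map output filenames to normalized PEM taken from the get-certificate JSON."""
    out = json.loads(json_text)
    files = {"cert.crt": normalize_pem(out["Certificate"])}
    if out.get("CertificateChain"):
        files["chain.pem"] = normalize_pem(out["CertificateChain"])
    return files


# Constructed sample input. The body is a toy DER SEQUENCE (104 bytes), not a
# real certificate; its 140 base64 characters sit on one line so the rewrap has
# something to do. A real ACM PCA field holds a full X.509 certificate.
TOY_DER = b"\x30\x66\x04\x64" + bytes(range(100))
TOY_B64 = base64.b64encode(TOY_DER).decode()
SAMPLE_CLI_JSON = json.dumps({
    "Certificate": "-----BEGIN CERTIFICATE-----\n" + TOY_B64 + "\n-----END CERTIFICATE-----",
    "CertificateChain": "-----BEGIN CERTIFICATE-----\n" + TOY_B64 + "\n-----END CERTIFICATE-----",
})
# The same field value pasted with literal "\n" sequences instead of newlines.
PASTED_FIELD = "-----BEGIN CERTIFICATE-----\\n" + TOY_B64 + "\\n-----END CERTIFICATE-----"

if __name__ == "__main__":
    for name, pem in cert_files_from_cli_json(SAMPLE_CLI_JSON).items():
        with open(name, "w") as fh:
            fh.write(pem)
        print(name, "well-formed:", pem_is_well_formed(pem))
```

Run it against the real JSON (`aws acm-pca get-certificate ... > out.json`, then pass the file contents to `cert_files_from_cli_json`) and upload the resulting cert.crt; the chain.pem it also writes is useful if you later need to hand the CA chain to another client.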

4️⃣ Upload the Signed Certificate to Salesforce

  1. In Setup → Certificate & Key Management, click Upload Certificate.
  2. Choose the cert.crt file created in the previous step and Save.

5️⃣ Create a Trust Anchor in IAM Roles Anywhere

  1. Open IAM Roles Anywhere in the AWS console.
  2. Click Create Trust Anchor.
  3. Provide a name, select the Private CA created in Step 2, and click Create Trust Anchor.

6️⃣ Create an IAM Role with a Trust Policy

Trust Policy (JSON)

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "rolesanywhere.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:TagSession",
        "sts:SetSourceIdentity"
      ]
    }
  ]
}
```
  1. In the IAM console, create a new role and paste the trust policy above.
  2. Attach a permissions policy that grants only the Amazon Connect actions Salesforce will call (for this walkthrough, connect:ListInstances). The managed AmazonConnect_FullAccess policy works for a first test but is far broader than a callout integration needs.
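As written, the trust policy lets any Roles Anywhere trust anchor in the account, and therefore any certificate chaining to any CA those anchors trust, assume this role. Roles Anywhere sets aws:SourceArn to the trust anchor used for the session and exposes the leaf certificate's subject CN as the principal tag x509Subject/CN, so the policy can be pinned to the anchor from Step 5 and to the Salesforce certificate. The following added Python example (not code from the original post) builds that scoped policy and lints a policy for the two gaps; the trust anchor ARN and certificate CN are hypothetical placeholders.

```python
"""Scoped IAM Roles Anywhere trust policy plus a linter for the page's version.

Added example, not code from the original post. The ARN and the certificate CN
are hypothetical placeholders.
"""
import json
from typing import List, Optional

ROLES_ANYWHERE_ACTIONS = ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"]

# Hypothetical values; substitute the trust anchor ARN from Step 5 and the CN
# of the certificate Salesforce presents.
TRUST_ANCHOR_ARN = "arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/11111111-2222-3333-4444-555555555555"
CERT_CN = "salesforce-connect"

# The policy as written on the page: no Condition at all.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "rolesanywhere.amazonaws.com"},
        "Action": ROLES_ANYWHERE_ACTIONS,
    }],
}


def build_trust_policy(trust_anchor_arn: str, cert_cn: Optional[str] = None) -> dict:
    """Return the page's policy with conditions pinning it to one trust anchor
    and, when cert_cn is given, to one client certificate subject CN."""
    condition = {"ArnEquals": {"aws:SourceArn": trust_anchor_arn}}
    if cert_cn:
        condition["StringEquals"] = {"aws:PrincipalTag/x509Subject/CN": cert_cn}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "rolesanywhere.amazonaws.com"},
            "Action": list(ROLES_ANYWHERE_ACTIONS),
            "Condition": condition,
        }],
    }


def trust_policy_findings(policy: dict) -> List[str]:
    """List the ways a Roles Anywhere trust policy is broader than it needs to be."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("wildcard principal")
            continue
        if not isinstance(principal, dict) or principal.get("Service") != "rolesanywhere.amazonaws.com":
            continue
        cond = stmt.get("Condition", {})
        source_arn = (cond.get("ArnEquals", {}).get("aws:SourceArn")
                      or cond.get("ArnLike", {}).get("aws:SourceArn"))
        if not source_arn:
            findings.append("no aws:SourceArn condition: any trust anchor in the account can assume this role")
        elif "*" in json.dumps(source_arn):
            findings.append("aws:SourceArn uses a wildcard")
        tags = cond.get("StringEquals", {})
        if not any(key.startswith("aws:PrincipalTag/x509") for key in tags):
            findings.append("no x509 subject/issuer condition: every certificate the anchor's CA issued can assume this role")
    return findings


if __name__ == "__main__":
    print("page policy:", trust_policy_findings(PAGE_POLICY))
    print(json.dumps(build_trust_policy(TRUST_ANCHOR_ARN, CERT_CN), indent=2))
```

Paste the printed JSON into the role's trust policy. If you later rotate the Salesforce certificate with a different subject, the StringEquals condition must change with it, which is the point: a certificate the CA issues for some other client should not be able to use this role.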

7️⃣ Create a Profile in IAM Roles Anywhere

  1. In IAM Roles Anywhere, click Create Profile.
  2. Enter a profile name, attach the role created in Step 6, and click Create Profile.

8️⃣ Configure Salesforce External Credential

  1. Setup → Named Credentials → External Credentials → New.

| Field | Value |
|---|---|
| Label | AWS IAM Anywhere Credential |
| Name | AWS_IAM_Anywhere_Credential |
| Authentication Protocol | AWS Signature V4 |
| Service | sts (changed to connect in Step 12) |
| Region | us-east-1 |
| AWS Account ID | (optional) |
| Obtain Temporary IAM Credentials via STS | Roles Anywhere |
| Trust Anchor ARN | ARN from Step 5 |
| Profile ARN | ARN from Step 7 |
| Signing Certificate | The certificate uploaded in Step 4 |
| STS Duration (seconds) | 3600 |

  2. Create a New Principal for the external credential:

| Field | Value |
|---|---|
| Name | connect_principal (example) |
| ARN | ARN of the IAM role from Step 6 |
| Character set | [a-zA-Z0-9_+=,.@-]* |

  3. Save the external credential.

9️⃣ Create a Named Credential

  1. Setup → Named Credentials → New Named Credential.

| Field | Value |
|---|---|
| Label | Connect API Connection |
| Name | Connect_API_Connection |
| URL | https://sts.us-east-1.amazonaws.com (updated in Step 12) |
| External Credential | Select the external credential created above |
| Generate Authorization Header | Checked |

🔟 Grant Permission to the Principal

  1. Setup → Permission Sets → New.
  2. Provide a label (e.g., AWS_RolesAnywhere_Access).
  3. In the permission set, go to External Credential Principal Access and move connect_principal to the Enabled column.
  4. Assign the permission set to the appropriate Salesforce users.

1️⃣1️⃣ Test the Integration (STS Call)

Open Developer Console → Execute Anonymous and run:

```apex
// Connect_API_Connection is the named credential from Step 9; the callout:
// prefix makes Salesforce obtain the Roles Anywhere session and sign the request
HttpRequest req = new HttpRequest();
req.setEndpoint('callout:Connect_API_Connection/?Action=GetCallerIdentity&Version=2011-06-15');
req.setMethod('GET');

Http http = new Http();
HttpResponse res = http.send(req);
System.debug(res.getStatusCode() + ' ' + res.getBody());
```

Check the debug log: a 200 status code means the Roles Anywhere session was created and the STS request was signed correctly. Also read the Arn element in the response body: it should be arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION with the role from Step 6, which confirms that the certificate mapped to the intended role and not to some other identity.
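The Apex test above only looks at the status code; the body says which identity actually signed the request, and that is what is worth asserting. The following added Python example (not code from the original post) parses the GetCallerIdentity XML and confirms the caller is an assumed-role session of the Step 6 role in the expected account. Both sample responses are constructed; the account, role and session values are placeholders. The same check belongs in the Apex test (Dom.Document over res.getBody()) with your own role name.

```python
"""Verify an STS GetCallerIdentity response names the expected assumed role.

Added example, not code from the original post. The responses below are
constructed to match the shape STS returns; account, role and session IDs are
placeholders.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

STS_NS = {"sts": "https://sts.amazonaws.com/doc/2011-06-15/"}
ASSUMED_ROLE_ARN = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/(.+)$")

# Constructed: what a successful Roles Anywhere-backed call returns.
SAMPLE_RESPONSE = """<GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <GetCallerIdentityResult>
    <Arn>arn:aws:sts::123456789012:assumed-role/SalesforceConnectRole/example-session</Arn>
    <UserId>AROAEXAMPLEROLEID:example-session</UserId>
    <Account>123456789012</Account>
  </GetCallerIdentityResult>
  <ResponseMetadata>
    <RequestId>00000000-0000-0000-0000-000000000000</RequestId>
  </ResponseMetadata>
</GetCallerIdentityResponse>"""

# Constructed: also a 200, but signed with a long-lived IAM user key instead of a
# Roles Anywhere session, which is exactly what a status-only check would miss.
USER_KEY_RESPONSE = SAMPLE_RESPONSE.replace(
    "arn:aws:sts::123456789012:assumed-role/SalesforceConnectRole/example-session",
    "arn:aws:iam::123456789012:user/legacy-integration-user",
)


def parse_caller_identity(xml_text: str) -> Dict[str, str]:
    """Return the Arn, UserId and Account elements from the response body."""
    root = ET.fromstring(xml_text)
    result = root.find("sts:GetCallerIdentityResult", STS_NS)
    if result is None:
        raise ValueError("body is not a GetCallerIdentity response")
    # Element tags carry the namespace as "{uri}Name"; keep only the local name.
    return {child.tag.rsplit("}", 1)[-1]: (child.text or "") for child in result}


def verify_assumed_role(xml_text: str, expected_account: str, expected_role: str) -> Tuple[bool, str]:
    """Check the caller is an assumed-role session of the expected role and account."""
    ident = parse_caller_identity(xml_text)
    match = ASSUMED_ROLE_ARN.match(ident.get("Arn", ""))
    if not match:
        return False, f"caller is not an assumed-role session: {ident.get('Arn')}"
    account, role, session = match.groups()
    if account != expected_account:
        return False, f"account {account} is not {expected_account}"
    if role != expected_role:
        return False, f"role {role} is not {expected_role}"
    return True, f"session {session} of role {role} in account {account}"


if __name__ == "__main__":
    print(verify_assumed_role(SAMPLE_RESPONSE, "123456789012", "SalesforceConnectRole"))
    print(verify_assumed_role(USER_KEY_RESPONSE, "123456789012", "SalesforceConnectRole"))
```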

1️⃣2️⃣ Switch the Named Credential to Amazon Connect

  1. Edit the External Credential (AWS_IAM_Anywhere_Credential) and change Service from sts to connect, so the SigV4 signature is computed for the Connect service.
  2. Edit the Named Credential (Connect_API_Connection) and update URL to https://connect.us-east-1.amazonaws.com.

Test the Connect Call

```apex
// Amazon Connect is a REST API, so ListInstances is GET /instance rather than
// a ?Action=... query; the role from Step 6 needs connect:ListInstances
HttpRequest req = new HttpRequest();
req.setEndpoint('callout:Connect_API_Connection/instance');
req.setMethod('GET');

Http http = new Http();
HttpResponse res = http.send(req);
System.debug(res.getStatusCode() + ' ' + res.getBody());
```

A 200 response with a JSON InstanceSummaryList confirms that Salesforce can now call Amazon Connect using IAM Roles Anywhere. A 403 at this point usually means the role's permissions policy, not the certificate path, since the STS test already proved the session.

🎉 All Done!

You now have a certificate‑based integration between Salesforce and AWS with no long‑lived access keys stored in Salesforce: IAM Roles Anywhere and a private CA issue short‑lived credentials for each call.

Similar to Amazon Connect, you can configure this approach with any service that supports HTTP callouts.
