Salesforce - Amazon AppFlow

Salesforce

The following are the requirements and connection instructions for using Salesforce with Amazon AppFlow.

Note

You can use Salesforce as a source or destination.

Requirements

  • Your Salesforce account must be enabled for API access. API access is enabled by default for the Enterprise, Unlimited, Developer, and Performance editions.

  • Your Salesforce account must allow you to install connected apps. If this functionality is disabled, contact your Salesforce administrator. After you create a Salesforce connection in Amazon AppFlow, verify that the connected app named Amazon AppFlow Embedded Login App is installed in your Salesforce account.

  • The refresh token policy for the Amazon AppFlow Embedded Login App must be set to Refresh token is valid until revoked. Otherwise, your flows will fail when your refresh token expires. For more information on how to check and edit the refresh token policy, see Manage OAuth Access Policies for a Connected App in the Salesforce documentation.

  • You must enable change data capture in Salesforce to use event-driven flow triggers. For more information on how to enable this, see Select Objects for Change Notifications in the User Interface in the Salesforce documentation.

  • If your Salesforce app enforces IP address restrictions, you must grant access to the addresses used by Amazon AppFlow. For more information, see AWS IP address ranges in the Amazon Web Services General Reference.

  • To create private connections using AWS PrivateLink, you must enable both Manager Metadata and Manage External Connections user permissions in your Salesforce account. Private connections are currently available in the us-east-1 and us-west-2 AWS Regions.

Connection instructions

To connect to Salesforce while creating a flow

  1. Open the Amazon AppFlow console at https://console.aws.amazon.com/appflow/.

  2. Choose Create flow.

  3. For Flow details, enter a name and description for the flow.

  4. (Optional) To use a customer managed CMK instead of the default AWS managed CMK, choose Data encryption, Customize encryption settings and then choose an existing CMK or create a new one.

  5. (Optional) To add a tag, choose Tags, Add tag and then enter the key name and value.

  6. Choose Next.

  7. Choose Salesforce from the Source name or Destination name dropdown list.

  8. Choose Connect or Connect with PrivateLink to open the Connect to Salesforce dialog box.

    1. Under Salesforce environment, choose Production to log into your developer account.

    2. Under Data encryption, enter your AWS KMS key.

    3. Under Connection name, specify a name for your connection.

    4. Choose Continue.

  9. You will be redirected to the Salesforce login page. When prompted, grant Amazon AppFlow permissions to access your Salesforce account.

  10. After you log in, you will see the objects that you enabled in your Salesforce account in the Choose Salesforce object dropdown list.

Now that you are connected to your Salesforce account, you can continue with the flow creation steps as described in Getting started with Amazon AppFlow.

Tip

If you aren’t connected successfully, ensure that you have followed the instructions in the Requirements section above.

Use a global connected app with Amazon AppFlow

  • You can use your own global connected app for Salesforce with Amazon AppFlow APIs. For instructions on how to create a connected app in Salesforce, see Create a global connected app in Salesforce.

  • To use your own global connected app, you need to pass the clientId, clientSecret, and Secrets Manager ARN to Amazon AppFlow.

    • The following example shows a sample Secrets Manager entry with application credentials for Salesforce:

      {
          "clientCredsARN": "arn:aws:secretsmanager:region:SecretID:secret:Secret_Key",
          "Name": "Salesforce",
          "VersionId": "db83aeb0-e995-480a-81f3-8805b0bf2b79",
          "SecretString": "{\"clientId\":\"sampleClientId\",\"clientSecret\":\"sampleClientSecret\"}"
      }

    • This example shows how you can call the ConnectorProfile API with an access token, refresh token, and credentials ARN:

      {
          "connectorProfileName": "testSalesforceProfileNew",
          "kmsArn": null,
          "connectorType": "Salesforce",
          "connectionMode": "Public",
          "connectorProfileConfig": {
              "connectorProfileProperties": {
                  "salesforce": {
                      "instanceUrl": "InstanceURL",
                      "isSandboxEnvironment": false
                  }
              },
              "connectorProfileCredentials": {
                  "salesforce": {
                      "clientCredsARN": "arn:aws:secretsmanager:region:SecretID:secret:Secret_Key",
                      "accessToken": "testAccessToken",
                      "refreshToken": "testRefreshToken",
                      "oauthRequest": {
                          "authCode": null,
                          "redirectUri": null
                      }
                  }
              }
          }
      }

  • You must attach a resource policy to the Secrets Manager secret and to the KMS key that is used to encrypt the secret. This resource policy allows Amazon AppFlow to read the secret and use it.

    • The following is the policy to be attached for the KMS key. Replace the placeholder with your own information.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": {
                      "Service": "appflow.amazonaws.com"
                  },
                  "Action": [
                      "kms:Encrypt",
                      "kms:GenerateDataKey",
                      "kms:Decrypt"
                  ],
                  "Resource": "<KMS key ARN>"
              }
          ]
      }

    • The following is the policy to be attached for the secret. Replace the placeholder with your own information.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": {
                      "Service": "appflow.amazonaws.com"
                  },
                  "Action": "secretsmanager:GetSecretValue",
                  "Resource": "<Secret ARN>"
              }
          ]
      }
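
The two resource policies and the SecretString above can be checked before they are attached. The following Python sketch is an added example, not AWS code: it flags an unreplaced placeholder, a wildcard principal, and actions beyond those this page lists. The function names and the over-broad sample policy are constructed for illustration.

```python
import json
from fnmatch import fnmatch
APPFLOW = "appflow.amazonaws.com"
# Actions the two policies on this page grant, per resource kind.
PAGE_ACTIONS = {"kms": {"kms:Encrypt", "kms:GenerateDataKey", "kms:Decrypt"},
                "secret": {"secretsmanager:GetSecretValue"}}

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json, kind):
    """Return findings for a KMS key policy ("kms") or secret policy ("secret")."""
    findings, granted = [], set()
    wanted = {a.lower() for a in PAGE_ACTIONS[kind]}  # IAM actions are case-insensitive
    for n, stmt in enumerate(as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        who = stmt.get("Principal")
        who = {"AWS": who} if isinstance(who, str) else (who or {})
        if "*" in as_list(who.get("AWS", [])) and "Condition" not in stmt:
            findings.append(f"statement {n}: any principal allowed without a Condition")
        if APPFLOW not in as_list(who.get("Service", [])):
            continue  # statements for other principals are out of scope here
        actions = {a.lower() for a in as_list(stmt.get("Action", []))}
        granted |= actions
        if actions - wanted:
            findings.append(f"statement {n}: extra actions {sorted(actions - wanted)}")
        if any("<" in r for r in as_list(stmt.get("Resource", []))):
            findings.append(f"statement {n}: Resource placeholder not replaced")
    missing = sorted(a for a in wanted if not any(fnmatch(a, g) for g in granted))
    if missing:
        findings.append(f"no statement grants the AppFlow service principal {missing}")
    return findings

def audit_secret_string(secret_string):
    """SecretString is JSON inside JSON; both connected-app values must be set."""
    creds = json.loads(secret_string)
    return [f"{k} missing or empty" for k in ("clientId", "clientSecret") if not creds.get(k)]

# The page's KMS policy as given, and a constructed over-broad secret policy.
PAGE_KMS_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": APPFLOW},
    "Action": ["kms:Encrypt", "kms:GenerateDataKey", "kms:Decrypt"],
    "Resource": "<KMS key ARN>"}]})
LOOSE_SECRET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "secretsmanager:*", "Resource": "*"}]})

if __name__ == "__main__":
    print(audit_policy(PAGE_KMS_POLICY, "kms"), audit_policy(LOOSE_SECRET_POLICY, "secret"))
```

Statements that name other principals, such as a key policy's account administrator statement, are ignored unless they allow any principal without a condition.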

Create a global connected app in Salesforce

Follow these instructions to create a connected app in Salesforce if you haven't done so already.

To create a global connected app in Salesforce

  1. Log in to Salesforce with an account that has administrator rights, and go to Setup.

  2. In the navigation pane under Platform Tools, expand Apps and choose App Manager.

  3. Choose New Connected App in the upper-right corner, and enter the following information for your connected app:

    • The name of your connected app, such as "Amazon AppFlow Embedded Login App".

    • The API name for your connected app. This is auto-generated and can be edited, if needed.

    • The contact email address for Salesforce to use if they need to contact you about your connected app.

    • The logo image URL and icon, if you have one. This is optional.

    • A brief description to specify what the connected app is for, such as "Application which handles interaction between Salesforce and Amazon AppFlow console".

  4. Select the Enable OAuth Settings check box.

  5. In the Callback URL text field, enter the URLs for your console for the stages and Regions in which you will use the connected app. Enter these URLs on separate lines.

  6. Select the Require Secret for Web Server Flow check box.

  7. In the Available OAuth Scopes list, select the following items and then choose Add to move them to the Selected OAuth Scopes list. You can customize this list as needed.

    • Access and manage your data (api)

    • Access custom permissions (custom_permissions)

    • Access your basic information (id, profile, email, address, phone)

    • Allow access to your unique identifier (openid)

    • Perform requests on your behalf at any time (refresh_token, offline_access)

  8. Choose Save.

To retrieve the client ID and client secret for use in your OAuth flow, you can view your connected app in Salesforce by choosing Apps and then App Manager, and then selecting the connected app that you created.

For more information on connected apps in Salesforce, see Connected Apps in the Salesforce documentation.

Notes

  • If you are transferring more than 1 million Salesforce records, you cannot choose any Salesforce compound field. Amazon AppFlow uses Salesforce bulk APIs for the transfer, which do not allow the transfer of compound fields.

  • Amazon AppFlow only supports the automatic import of newly created Salesforce fields into Amazon S3 without requiring the user to update their flow configurations.

  • When you use Salesforce as a source, you can import 15 GB of data as part of a single flow run. To transfer over 15 GB of data, you can split your workload into multiple flows by applying the appropriate filters to each flow. Salesforce records are typically 2 KB in size, but can be up to 4 KB. Therefore, 15 GB would be approximately 7.5 million Salesforce records.

  • When you use Salesforce as a source, you can run schedule-triggered flows at a maximum frequency of one flow run per minute.

  • Amazon AppFlow added support for Salesforce API version 50.0 on January 19th, 2021. Flows associated with all Salesforce connections created after this date will use Salesforce API version 50.0, while flows for all previously created connections will use Salesforce API version 47.0.

  • Amazon AppFlow supports Change Data Capture Events and Platform events from Salesforce.

  • When you use Salesforce as a destination, the following additional settings are available:

Setting name Description

Insert new records

  • This is the default data transfer option.

  • When you choose this setting, Amazon AppFlow inserts your source data into the chosen Salesforce object as a new record.

Update existing records

  • When you choose this setting, Amazon AppFlow uses your source data to update existing records in Salesforce. For every source record, Amazon AppFlow looks for a matching record in Salesforce based on your criteria. You can specify matching criteria on the Map data fields page. To do so, select a field in the source application and map it to a Salesforce record ID field using the dropdown list.

  • When a matching record is found, Amazon AppFlow updates the record in Salesforce. If no matching record is found, Amazon AppFlow ignores the record or fails the flow per your chosen error handling option. You can specify your error handling preferences on the Configure flow page.

  • Note that you must use the upsert operation to update existing records using an external ID field. The standard update operation does not support the use of an external ID field.

Upsert records

  • When you choose this setting, Amazon AppFlow performs an upsert operation in Salesforce. For every source record, Amazon AppFlow looks for a matching record in Salesforce based on your criteria. You can specify matching criteria on the Map data fields page. To do so, select a field in the source application and map it to a Salesforce external field using the dropdown list.

  • When a matching record is found, Amazon AppFlow updates the record in Salesforce. If no matching record is found, Amazon AppFlow inserts the data as a new record. Any errors in performing the operation are handled per your chosen error handling option. You can specify your error handling preferences on the Configure flow page.

Related resources