          Configure an AWS Identity Provider for Clean Room Activation

          For each clean room activation collaboration invitation, configure your AWS account so that Data 360 can securely write query results to your S3 bucket, then accept the invitation in Data 360.

          Required Editions

          Available in: All Editions supported by Data 360. See Data 360 edition availability.
          User Permissions Needed
          To accept a clean room activation invitation:

          One of these permission sets:

          • Data Cloud Architect
          • Data Cloud Activation Manager
          • Data Cloud Activation Specialist

          Data 360 uses an AWS IAM role with an OpenID Connect (OIDC) trust policy to write collaboration results directly to the provider's S3 bucket. The provider maintains full ownership of the data — Data 360 has write-only access to the specific S3 path you configure, scoped to this collaboration only.

          1. Complete the prerequisites.
            1. If you don't have access to a dedicated AWS environment, create one.
            2. In Data 360, go to the Clean Room tab and open the pending activation collaboration invitation and note these values.
              • Consumer Salesforce Domain URL — used as the identity provider URL
              • External ID — a unique identifier scoped to this collaboration

          Set Up Your AWS Environment

          1. Add Salesforce as an OpenID Connect (OIDC) identity provider.

            An identity provider tells AWS which external system is allowed to request access to your AWS resources. Without this step, AWS doesn't recognize tokens issued by Data 360 and rejects the connection.

            1. In the AWS Management Console, go to IAM > Identity providers and click Add provider.
            2. For the Configure provider field, choose OpenID Connect.
            3. For the Provider URL, enter the Consumer Salesforce Domain URL followed by /services/connectors.
              For example: https://yourorg.my.salesforce.com/services/connectors
            4. For Audience, enter the Consumer Salesforce Domain URL without any path suffix.
              For example: https://yourorg.my.salesforce.com
            5. Click Add provider.
          2. Select or create an S3 bucket for activation results.

            This is the bucket where Data 360 writes the matched audience output after the consumer runs an activation query. You can use an existing bucket or create a dedicated one.

            Note the S3 bucket name and path — you enter this value as the Amazon S3 URL in Data 360, in the format s3://your-bucket-name/optional-prefix/.

            Note
            Data 360 appends collaboration-specific metadata to your provided path. If you provide s3://my-results/, the final data resides at s3://my-results/[Collaboration Name]/[Query Name]_[Timestamp]/[Data Files]. Each query run creates a folder. Results are written as Parquet files.
          3. Create the necessary IAM roles.

            See Creating a role using custom trust policies (console).

            On the Add permissions screen, add permissions that let the role confirm that the target bucket exists and write objects to it. See Amazon S3 Bucket Policies and Permissions for the permission policies you can apply to the role.

            Copy the Amazon Resource Name (ARN) of the IAM role. You enter this value in the Accept Clean Room Collaboration Invitation wizard.

          4. Apply the trust policy to the IAM role.

            In the Custom trust policy section, click Edit trust policy and replace the existing JSON with the following template.

            {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Principal": {
                    "Federated": "arn:aws:iam::[YOUR_ACCOUNT_ID]:oidc-provider/[SALESFORCE_CONSUMER_URL]/services/connectors"
                  },
                  "Action": "sts:AssumeRoleWithWebIdentity",
                  "Condition": {
                    "StringEquals": {
                      "[SALESFORCE_CONSUMER_URL]/services/connectors:sub": "[EXTERNAL_ID]"
                    }
                  }
                }
              ]
            }

            Replace the placeholders with the following values.

            Placeholder: [YOUR_ACCOUNT_ID]
              Required value: Your 12-digit AWS account ID.
              Where to find the value: Top-right menu in the AWS console.
            Placeholder: [SALESFORCE_CONSUMER_URL]
              Required value: The Consumer Salesforce Domain URL without https://. For example: yourorg.my.salesforce.com. This value appears in two places in the policy: the Principal ARN and the Condition key.
              Where to find the value: Consumer Salesforce Domain URL on the Data 360 invitation screen.
            Placeholder: [EXTERNAL_ID]
              Required value: The External ID value.
              Where to find the value: External ID on the Data 360 invitation screen.
          5. Before returning to Data 360, confirm that you have these values from AWS — you enter them in the acceptance wizard.
            Value: Amazon IAM Role ARN
              Where to find it in AWS: The Role ARN you copied when creating the IAM role in step 3.
            Value: Amazon S3 URL
              Where to find it in AWS: The S3 bucket path from step 2, in the format s3://your-bucket-name/optional-prefix/

          Accept the Collaboration Invite in Data 360

          1. Return to the Accept Clean Room Collaboration Invitation screen in Data 360 and complete the standard acceptance steps: select a data space and create a mapped template.
          2. In the AWS Trust Relationship section, verify that the External ID and Consumer Salesforce Domain URL values shown on screen match what you used in the trust policy in AWS.
            These values are read-only — they're shown here so that you can confirm that your AWS setup is correct before proceeding.
          3. In the AWS Connection Settings section, enter the values you noted at the end of the Set Up Your AWS Environment section.
            • Amazon IAM Role ARN — the ARN of the role you created
            • Amazon S3 URL — the S3 path where results are written
          4. Click Test Connection.

            Data 360 verifies the OIDC trust, IAM permissions, and S3 path access. If the test fails, check that:

            • The sub condition in the trust policy exactly matches the External ID shown on screen.
            • The OIDC provider URL and Audience in AWS match the Consumer Salesforce Domain URL from the invitation.
            • The [SALESFORCE_CONSUMER_URL] placeholder in the trust policy doesn't include https://.
            • The IAM role ARN is correct and the role has S3 write permissions.
          5. Click Next and accept the invitation.
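As an added example (not Salesforce's or AWS's own code), this Python script fills the step 4 trust-policy template from the three invitation values and then runs the Test Connection checklist above against an existing trust policy, so the common mistakes (https:// left in the placeholder, a sub condition that doesn't match the External ID, or no sub condition at all) surface before you click Test Connection. The account ID, org domain and External ID used in the comments and tests are constructed placeholders, not real values.

```python
import json
from urllib.parse import urlparse

OIDC_PATH = "/services/connectors"  # suffix the page appends to the Consumer Salesforce Domain URL
ASSUME_ACTION = "sts:AssumeRoleWithWebIdentity"


def consumer_host(domain_url):
    """Reduce the Consumer Salesforce Domain URL to a bare host: no https://, no path, no slash."""
    if "://" not in domain_url:
        domain_url = "https://" + domain_url
    return urlparse(domain_url).netloc.lower()


def render_trust_policy(account_id, domain_url, external_id):
    """Fill the page's trust-policy template from the three values shown on the invitation."""
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError("AWS account ID must be exactly 12 digits")
    provider = consumer_host(domain_url) + OIDC_PATH
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider}"},
            "Action": ASSUME_ACTION,
            # Pinning sub to the External ID scopes the role to this one collaboration.
            "Condition": {"StringEquals": {f"{provider}:sub": external_id}},
        }],
    }


def lint_trust_policy(policy, account_id, domain_url, external_id):
    """Return the mismatches the Test Connection checklist would flag; [] means the policy agrees."""
    want = render_trust_policy(account_id, domain_url, external_id)["Statement"][0]
    sub_key = next(iter(want["Condition"]["StringEquals"]))
    stmts = [s for s in policy.get("Statement", []) if s.get("Action") == ASSUME_ACTION]
    if not stmts:
        return [f"no statement allows {ASSUME_ACTION}"]
    problems = []
    for s in stmts:
        fed = s.get("Principal", {}).get("Federated")
        if fed != want["Principal"]["Federated"]:
            problems.append(f"Principal.Federated is {fed!r}, expected {want['Principal']['Federated']!r}")
        # A missing or mis-keyed sub condition is the most serious finding: without it every
        # subject the issuer vouches for could assume the role (constructed check, not AWS output).
        sub = s.get("Condition", {}).get("StringEquals", {}).get(sub_key)
        if sub is None:
            problems.append(f"no StringEquals condition on {sub_key!r}")
        elif sub != external_id:
            problems.append(f"sub condition {sub!r} does not match External ID {external_id!r}")
    return problems
```

Paste the JSON that `render_trust_policy` returns (via `json.dumps(..., indent=2)`) into the Custom trust policy editor, or pass an exported policy to `lint_trust_policy` together with the values from the invitation screen.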
           
          Salesforce Help | Article