Create or Edit an AWS Signature v4 External Credential
To authenticate callouts to resources in Amazon Web Services over HTTP, create an external credential that uses the AWS Signature v4 protocol.
Required Editions

| Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience |
|---|
| Available in: all editions |

| User Permissions Needed | |
|---|---|
| To view external credentials: | View Setup and Configuration |
| To create, edit, or delete external credentials: | Manage Named Credentials or Customize Applications |
Named credentials support two variants of the AWS Signature v4 authentication protocol: IAM User Identified by Access Key and Roles Anywhere.
- From Setup, in the Quick Find box, enter Named Credentials, and then select Named Credentials.
- Click External Credentials.
- To create a new external credential, click New. To edit an existing external credential, click its link in the list of external credentials and then click Edit.
- Complete the fields.

| Field | Description |
|---|---|
| Label | A user-friendly name for the external credential that’s shown in the Salesforce user interface, such as in list views. |
| Name | A unique identifier that’s used to refer to this external credential from callout definitions and through the API. The name can contain only underscores and alphanumeric characters. It must be unique, begin with a letter, not include spaces, not end with an underscore, and not contain two consecutive underscores. |
| Authentication Protocol | Choose AWS Signature 4. |
| Service | The name of an AWS service, such as DynamoDB or Athena. |
| Region | An AWS geographic region, such as us-west-1 (United States West). |
| AWS Account ID | Optional. The 12-digit number that uniquely identifies your AWS account. |
| Obtain Temporary IAM Credentials via STS | Optional. If you want to use STS, select this checkbox. Then select one of these credential types. |

- IAM User Identified by Access Key
- Roles Anywhere (Assume an IAM Role via Certificate)
See Authentication Protocols for Named Credentials for information on these variants.
If you’re using Amazon API Gateway, configure the gateway response for expired tokens so that it returns a 400 or 401 HTTP code. Then Salesforce can refresh the token when it expires. A 403 code doesn’t cause a token refresh, because it’s reserved for scenarios where the token is valid but the caller doesn’t have access to the resource.
- If you selected the Obtain Temporary IAM Credentials via STS checkbox, the fields vary based on the credential type that you choose.
For the IAM User Identified by Access Key credential type, complete these fields.

| Field | Description |
|---|---|
| STS Access Key | The access key ID for the AWS access key. |
| STS Access Secret | The access secret for the AWS access key. |
| STS External ID | The AWS `ExternalId` value that can be used when delegating account access to a third party. This value helps ensure that only a specified third party can access the role. Using an external ID ensures that the server side can identify Salesforce as the client assuming the IAM Role. Use the format `salesforceIntegration-unique_phrase`, for example `salesforceIntegration-abc123`. |
| STS Duration | Optional. Numeric value in seconds, for example, 3600. Maximum value: 43200 (12 hours). |
| Additional Status Codes for Token Refresh | Specify HTTP status codes that trigger Salesforce to refresh expired or invalid access tokens, in addition to the standard 401 response. |

For the Roles Anywhere credential type, complete these fields.

| Field | Description |
|---|---|
| Trust Anchor ARN | The Amazon Resource Name for the trust anchor. A trust anchor is either a reference to AWS Private Certificate Authority (AWS Private CA) or another CA certificate. |
| Profile ARN | The Amazon Resource Name for the Amazon profile. Profiles are predefined sets of permissions that are applied after successfully authenticating with Roles Anywhere. Profiles map to one or more IAM roles. |
| Signing Certificate | A certificate from AWS, via a CA (certificate authority), and uploaded to Salesforce through Certificate and Key Management. |
| STS Duration | Optional. Numeric value in seconds, for example, 3600. Maximum value: 43200 (12 hours). |
| Additional Status Codes for Token Refresh | Specify HTTP status codes that trigger Salesforce to refresh expired or invalid access tokens, in addition to the standard 401 response. |

- Save the external credential. You’re taken to the Named Credentials screen.
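To make concrete what an AWS Signature v4 external credential does on every callout, here is the signing procedure itself in Python: derive a per-day, per-region, per-service signing key from the secret, build the canonical request, and produce the Authorization header. This is an added example written for this article, not Salesforce's implementation or AWS code; the access key, secret, host, timestamp and DynamoDB request body are constructed sample values, and `should_refresh_credentials` is a hypothetical helper that mirrors the refresh rule stated above (401 plus any configured additional codes, never 403).

```python
"""AWS Signature Version 4 request signing (illustrative, not Salesforce's code).
Sample access key, secret, host and timestamp below are constructed values."""
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed sample inputs; these are not real credentials.
SAMPLE_ACCESS_KEY = "AKIDEXAMPLE"
SAMPLE_SECRET = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
SAMPLE_TIME = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 signing key: an HMAC chain over date, region, service and 'aws4_request'.
    The long-term secret never signs a request directly; only this derived,
    scope-limited key does, which is why the Region and Service fields matter."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_request(method, host, path, query, headers, body, access_key, secret,
                 region, service, now):
    """Return the headers to send for one request, including Authorization."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    payload_hash = _sha256_hex(body)
    # Canonical headers: lowercase names, collapsed whitespace, sorted by name.
    all_headers = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    all_headers["host"] = host
    all_headers["x-amz-date"] = amz_date
    # Sent so the receiver can verify the payload hash that was bound into the signature.
    all_headers["x-amz-content-sha256"] = payload_hash
    signed_names = sorted(all_headers)
    canonical_headers = "".join(f"{k}:{all_headers[k]}\n" for k in signed_names)
    signed_headers = ";".join(signed_names)
    # Canonical query string: URI-encoded keys and values, sorted by key.
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    canonical_request = "\n".join([
        method, quote(path, safe="/-_.~"), canonical_query,
        canonical_headers, signed_headers, payload_hash,
    ])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request.encode("utf-8")),
    ])
    signing_key = derive_signing_key(secret, date_stamp, region, service)
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    out = {k: all_headers[k] for k in signed_names}
    out["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return out


def sign_sample_request(secret=SAMPLE_SECRET, region="us-west-1"):
    """Sign a constructed DynamoDB request with the sample values above."""
    return sign_request(
        "POST", f"dynamodb.{region}.amazonaws.com", "/", {},
        {"Content-Type": "application/x-amz-json-1.0", "X-Amz-Target": "DynamoDB_20120810.DescribeTable"},
        b'{"TableName":"ExampleTable"}', SAMPLE_ACCESS_KEY, secret, region, "dynamodb", SAMPLE_TIME,
    )


def should_refresh_credentials(status: int, additional_codes=()) -> bool:
    """Hypothetical helper mirroring the refresh rule: 401 always triggers a refresh,
    any code listed under Additional Status Codes for Token Refresh does too, and
    403 never does because it means the token is valid but not authorized."""
    if status == 403:
        return False
    return status == 401 or status in set(additional_codes)


if __name__ == "__main__":
    for name, value in sign_sample_request().items():
        print(f"{name}: {value}")
```

Two points are worth noticing when running it: the credential scope embedded in the Authorization header (`date/region/service/aws4_request`) means a signature for us-west-1 is useless against us-east-1, and changing the date, secret or any signed header changes the signature entirely. AWS publishes official test vectors for this procedure, which is the right way to validate any implementation beyond the structural checks shown here.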
Create Principals for AWS Signature v4
After you’ve created an external credential that uses AWS Signature v4 authentication, create principals for it. These principals get mapped to permission sets and profiles.
- On the Named Credentials page, click External Credential.
- Select the external credential you created.
- Scroll to Principals.
- Click New to create a principal for this external credential, or choose Edit from the Actions menu of an existing principal. When editing an existing principal, not all the fields listed here are modifiable.
- Complete the following fields. If you’re using STS, the Access Key and Secret fields are disabled and display the temporary credentials, if any.

| Field | Description |
|---|---|
| Parameter Name | Enter a name for the principal, such as Admin or Marketing Group. |
| Sequence Number | Assign a sequence number. A sequence number specifies the order in which principals are applied when a user participates in more than one principal. For example, a user can be part of multiple permission sets that apply to a credential provider. Principals are applied in order from lower to higher numbers. |
| Access Key | Optional. The access key ID for the AWS access key. |
| Access Secret | Optional. The access secret for the AWS access key. |
| IAM Role ARN | Optional. The Amazon Resource Name (ARN) of the role that the credential assumes. |

- Save the principal. You can’t modify the Principal Name and Identity Type of an existing principal. To change these parameters, delete the principal and recreate it.
Now that you’ve created the external credential and its principal, it’s time to create the connected named credential. See Create or Edit a Named Credential. For an overview of all of the steps required to configure a named credential, see Create Named Credentials and External Credentials.