
Configure REST API with Salesforce External Client App (ECA) and AWS Secrets Manager for Service Cloud Voice

Publish Date: May 10, 2026
Description

The InvokeSalesforceRestApiFunction Lambda function calls the Salesforce REST API. You can place this Lambda function within a contact flow to create, update, or query Salesforce records.

Migrate from SSM Parameter Store to AWS Secrets Manager.

Previously, Service Cloud Voice used SSM Parameter Store to store certificates and configurable values. In Contact Center version 19.0 and later, these values are stored in Secrets Manager. Lambda function environment variables now include the Secrets Manager name.

Contact Center Version 19.X

Salesforce is transitioning from Connected Apps to External Client Apps (ECAs) to improve security, packaging, and DevOps, often allowing a direct migration of app management within the Salesforce org. This shift separates developer settings from administrator policies, enabling better management of OAuth and SAML. The migration process is initiated in App Manager by clicking "Migrate to External Client App" for existing connected apps.

Migrating Connected Apps to External Client Apps


The prerequisite is to create a private key and a self-signed digital certificate, which you can do using OpenSSL.

  1. Install OpenSSL on your laptop. While there are no specific steps here, you can find installation guides via a web search.
  2. Once OpenSSL is installed, follow the steps in the document below to generate the private key and self-signed digital certificate:

Create a Private Key and Self-Signed Digital Certificate

Create an External Client App

  • Setup → External Client App Manager → New External Client App
  • Enter App Name, API Name, Contact Email, and Description.
  • In API, enable OAuth settings.
  • Callback URL: http://localhost:1717/OauthRedirect
  • Selected OAuth scopes:
    • Manage user data via APIs (api)
    • Perform requests at any time (refresh_token, offline_access)
  • Leave everything else as default and create.

    Once the app is created, navigate to Policies → Edit
    Under App Policies

    • Provide access to the client app using profiles or permission sets.
    • For example, selected profiles: System Administrator.

    Under OAuth Policies

    • Permitted Users: Admin approved users are pre-authorized.
    • Refresh Token Policy: Refresh token is valid until revoked.
    • IP Relaxation: Relax IP restrictions.
    • Save.

    Under Settings tab → Click Edit

    • Go to OAuth Settings → Flow Enablement → Enable JWT Bearer Flow.
    • Upload the "server.crt" file that you created earlier with OpenSSL.
    • Under Security, enable only "Require secret for Web Server Flow" and disable all other options.
    • Save.

    Once the External Client App is ready, you will need to replace the Rest API Connected App ID in the Contact Center metadata

    • Retrieve the metadata of your contact center and find the Rest API Connected App ID value in it.
    • Replace the Rest API Connected App ID with the App ID of the External Client App.
    • Deploy the metadata again.

    Log in to the AWS Console with the root user and navigate to Lambda service
    Make sure you are in the correct region and select and open the InvokeSalesforceRestApiFunction associated with your contact center.

    • Go to → Configuration → Environment variables.
    • Make sure the following three environment variables are present (names are case sensitive):
    ACCESS_SECRET_NAME: AbsoluteUnifiedCC-salesforce-access-secret
    LOG_LEVEL: debug
    SECRET_NAME: AbsoluteUnifiedCC-salesforce-secret

    The prefix "AbsoluteUnifiedCC" is the name of the contact center. Make sure it matches the name of your contact center.


    Navigate to AWS Secrets Manager and make sure you are in the correct region

    • Open AbsoluteUnifiedCC-salesforce-secret.
    • Under Overview → Secret value → Click on Retrieve secret value.
    • Click Edit and make the changes described below.


    AbsoluteUnifiedCC-salesforce-rest-api-audience


    AbsoluteUnifiedCC-salesforce-rest-api-auth-consumer-key

    • Navigate to Salesforce External Client Apps Manager and open the app that you created earlier.
    • Go to Settings → Under OAuth Settings → App Settings → Click on "Consumer Key Secret".

    • It will ask for a verification code sent to the user's email address.
    • Once the verification code is authenticated, note or copy the consumer key.
    • Navigate back to the AWS AbsoluteUnifiedCC-salesforce-rest-api-auth-consumer-key and paste the consumer key you copied from Salesforce.


    AbsoluteUnifiedCC-salesforce-rest-api-auth-private-key

    • Navigate to the folder where you created the private key and the self-signed digital certificate using OpenSSL.
    • Locate the "server.key".
    • Use the help article below to convert the server.key file to a plain text file, because Secrets Manager supports only plain text values.
    • How to Convert and Upload the REST API Private Key in Plain Text for Salesforce Voice
    • Once the modified file is created, open it in a text editor and copy the entire content.
    • Navigate to AWS AbsoluteUnifiedCC-salesforce-secret and edit the secret value.
    • Click on PlainText and search for "AbsoluteUnifiedCC-scrt-jwt-auth-private-key".
    • Then paste the plain text key value you copied.
    • Please refer to the screenshot below for the part to edit.

       

      AbsoluteUnifiedCC-salesforce-rest-api-subject

      • Navigate to the Salesforce Users section and copy the username of the System Admin user who you will use as the REST API user.
      • For example, I used the username of one of my System Admin users in Salesforce.


      AbsoluteUnifiedCC-scrt-jwt-auth-private-key: Leave as is.
      CALL_CENTER_API_NAME: Make sure this is your correct contact center API name.
      SALESFORCE_AUTH_ENDPOINT: Leave as is.
      SALESFORCE_ORG_ID: Confirm the Org ID is correct.
      SALESFORCE_REST_API_ENDPOINT_BASE: Leave as is.
      SCRT_ENDPOINT_BASE: Leave as is.
      TRANSCRIBE_REGION: Make sure the region is correct.
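
A pre-flight check for the environment variables and secret keys configured above, added here as an example; it is not part of the Salesforce article or of the Service Cloud Voice code. It assumes the secret is a flat JSON object keyed by the names listed in this article; `preflight` and the sample data are hypothetical, and the output reports key names only, never secret values.

```python
import json

# Key suffixes and fixed keys are the ones named in this article; storing them
# as one flat JSON object in the secret is an assumption of this example.
PREFIXED = ["salesforce-rest-api-audience", "salesforce-rest-api-auth-consumer-key",
            "salesforce-rest-api-auth-private-key", "salesforce-rest-api-subject",
            "scrt-jwt-auth-private-key"]
FIXED = ["CALL_CENTER_API_NAME", "SALESFORCE_AUTH_ENDPOINT", "SALESFORCE_ORG_ID",
         "SALESFORCE_REST_API_ENDPOINT_BASE", "SCRT_ENDPOINT_BASE", "TRANSCRIBE_REGION"]

def preflight(cc_name, env, secret_json):
    """Return a list of findings; secret values are never included in the output."""
    findings = []
    expected_env = {"SECRET_NAME": f"{cc_name}-salesforce-secret",
                    "ACCESS_SECRET_NAME": f"{cc_name}-salesforce-access-secret"}
    by_upper = {k.upper(): k for k in env}  # used to spot wrong-case variable names
    for name, want in expected_env.items():
        if name not in env:
            actual = by_upper.get(name)
            hint = f" (found '{actual}', names are case sensitive)" if actual else ""
            findings.append(f"env: {name} missing{hint}")
        elif env[name] != want:
            findings.append(f"env: {name} should be '{want}'")
    if "LOG_LEVEL" not in env:
        findings.append("env: LOG_LEVEL missing")
    secret = json.loads(secret_json)
    for key in [f"{cc_name}-{s}" for s in PREFIXED] + FIXED:
        value = secret.get(key)
        if not isinstance(value, str) or not value.strip():
            findings.append(f"secret: '{key}' missing or empty")
    for key in secret:  # keys carrying another contact center's prefix
        for s in PREFIXED:
            if key.endswith("-" + s) and key != f"{cc_name}-{s}":
                findings.append(f"secret: '{key}' uses a different contact center prefix")
    return findings

# Constructed sample input: placeholder values only, no real credentials.
SAMPLE_ENV = {"Secret_Name": "AbsoluteUnifiedCC-salesforce-secret",
              "ACCESS_SECRET_NAME": "AbsoluteUnifiedCC-salesforce-access-secret",
              "LOG_LEVEL": "debug"}
SAMPLE_SECRET = json.dumps({**{f"AbsoluteUnifiedCC-{s}": "placeholder" for s in PREFIXED},
                            **{k: "placeholder" for k in FIXED},
                            "AbsoluteUnifiedCC-salesforce-rest-api-subject": "",
                            "OtherCC-salesforce-rest-api-audience": "placeholder"})

if __name__ == "__main__":
    for finding in preflight("AbsoluteUnifiedCC", SAMPLE_ENV, SAMPLE_SECRET):
        print(finding)
```

On the constructed sample it flags the wrong-case `Secret_Name` variable, the empty subject value, and the key that carries another contact center's prefix.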


      Navigate to InvokeSalesforceRestApiFunction associated with your contact center to test the REST API
      Test OAuth with Service Cloud Voice Lambda Function

      Once you have opened the Lambda function, navigate to TEST and scroll down to Event JSON or the code test area.
      Remove everything from the Event JSON and use the code snippet below for testing.

      {
        "Details": {
          "Parameters": {
            "methodName": "queryRecord",
            "soql": "SELECT Id, Name FROM Account LIMIT 1"
          }
        }
      }

      Scroll up and click the TEST button.

      If the setup is correct, this will display the result in the Details section.

      Knowledge Article Number

      005321854

       