Rotation of S3 Credentials with Metadata API

Use the Metadata API to rotate the S3 credentials and enable access to AWS. To update the S3 credentials you must retrieve the metadata of S3 connectors, modify the S3 credentials, and deploy the metadata.

Familiarize Yourself with Salesforce CLI and Workbench

You can retrieve or deploy S3 connector metadata by using Salesforce CLI and Workbench. We recommend that you get familiar with using either of the options to ensure a smooth update of S3 credentials.

Define the Metadata of S3 Connector

You can use an unpackage.xml file to define the metadata to retrieve. In this case, include the DataConnectorS3 metadata type. Include all the S3 connectors that you want to update the credentials for. This sample unpackage.xml file illustrates how to work with S3 connector metadata. A best practice is to name the unpackage.xml file with a low-level qualifier of .xml such as DataConnectorS3.xml.

<?xml version="1.0" encoding="UTF-8"?>
<Package xmlns="http://soap.sforce.com/2006/04/metadata">
    <types>
        <members>Contact_Point_Addr</members>
        <name>DataConnectorS3</name>
    </types>
    <types>
        <members>Contact_Point_Phone</members>
        <name>DataConnectorS3</name>
    </types>
    <types>
        <members>Contact_Point_Email</members>
        <name>DataConnectorS3</name>
    </types>
    <version>54.0</version>
</Package>

If you’re using Salesforce CLI to retrieve the metadata, save the file to a directory that the CLI can access.

Retrieve the Metadata of S3 Data Connector

Follow either of these options and retrieve the metadata for S3 data connector.

Update the S3 Access Key and Secret Key

  1. Extract the contents of the metadata file.
    mkdir <location to unzip>
    cd <location to unzip>
    unzip <filename.zip to unzip>   # the default filename will be unpackaged.xml
    Here’s what the extracted folder structure looks like.
    [Figure: S3 data connector metadata folder structure]
  2. Edit the files referenced in the s3DataConnectors directory. Update the attributes s3AccessKey and s3SecretKey. Here's a sample of the contents of an S3 connector metadata file.
    <?xml version="1.0" encoding="UTF-8"?>
    <DataConnectorS3 xmlns="http://soap.sforce.com/2006/04/metadata">
        <delimiter>,</delimiter>
        <fileNameWildcard>ContactPointEmail_*.csv</fileNameWildcard>
        <importFromDirectory>DTX_2020_01/ContactPointEmail/</importFromDirectory>
        <masterLabel>Contact_Contact_Point_Email_DTX_01</masterLabel>
        <s3AccessKey>*</s3AccessKey>
        <s3BucketName>asd-aws-s3-bucket-01</s3BucketName>
        <s3SecretKey>*</s3SecretKey>
    </DataConnectorS3>

Create the S3 Connectors Package for Deployment

After you change all the S3 connector files, create a zipped package. Make sure that the package.xml file is at the top-most level of the package. Navigate to the unpackaged directory and run this command.
cd <location of unzipped files>
zip -r -X s3Connectors.zip *
Here’s the output of the command.
  adding: package.xml (deflated 60%)
  adding: s3DataConnectors/ (stored 0%)
  adding: s3DataConnectors/Contact_Contact_Point_Addr_DTX_01.s3DataConnector (deflated 43%)
  adding: s3DataConnectors/Contact_Contact_Point_Phone_DTX_01.s3DataConnector (deflated 43%)
  adding: s3DataConnectors/Contact_Contact_Point_Email_DTX_01.s3DataConnector (deflated 43%)
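
The edit and packaging steps above can be scripted so that the new keys are never typed into an editor or a shell command. This is an added example, not Salesforce's own code. It assumes the extracted files are in a directory named unpackaged, that every connector receives the same key pair, and that the keys are supplied in two environment variables whose names are made up here.

```python
import os
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

NS = "http://soap.sforce.com/2006/04/metadata"
ET.register_namespace("", NS)  # write the default namespace back unchanged


def rotate_connector(path, access_key, secret_key):
    """Rewrite s3AccessKey and s3SecretKey in one .s3DataConnector file."""
    tree = ET.parse(path)
    root = tree.getroot()
    if root.tag != f"{{{NS}}}DataConnectorS3":
        raise ValueError(f"{path}: not a DataConnectorS3 file")
    for tag, value in (("s3AccessKey", access_key), ("s3SecretKey", secret_key)):
        node = root.find(f"{{{NS}}}{tag}")
        if node is None:
            raise ValueError(f"{path}: missing <{tag}>")
        node.text = value  # ElementTree escapes any XML special characters
    tree.write(path, encoding="UTF-8", xml_declaration=True)


def build_package(unpackaged_dir, zip_path, access_key, secret_key):
    """Rotate every connector, then zip with package.xml at the archive root."""
    base = Path(unpackaged_dir)
    if not (base / "package.xml").is_file():
        raise FileNotFoundError("package.xml must be at the top of the package")
    connectors = sorted((base / "s3DataConnectors").glob("*.s3DataConnector"))
    if not connectors:
        raise FileNotFoundError("no .s3DataConnector files found")
    for f in connectors:
        rotate_connector(f, access_key, secret_key)
    # The archive holds the secret key in clear text: create it owner-only.
    fd = os.open(zip_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as raw, zipfile.ZipFile(raw, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(base / "package.xml", "package.xml")
        for f in connectors:
            zf.write(f, f"s3DataConnectors/{f.name}")
    return [f.name for f in connectors]


if __name__ == "__main__":
    # Assumed variable names; the keys come from the environment, not the script.
    names = build_package("unpackaged", "s3Connectors.zip",
                          os.environ["NEW_S3_ACCESS_KEY"],
                          os.environ["NEW_S3_SECRET_KEY"])
    print("packaged:", ", ".join(names))
```

After a verified deployment, delete the edited connector files and the zip, because both contain the new secret key in clear text.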

Deploy DataConnectorS3 Metadata

Follow either of these options to deploy the metadata for S3 data connector.

Verify the Metadata Deployment

To verify that the metadata is deployed, refresh an impacted data stream where the S3 access key and secret key are modified. Click Refresh Now on at least one of the data streams to validate the change. A successful refresh indicates a successful update of S3 credentials.

[Figure: Refresh a CDP data stream to check S3 credential update]