Set Up OAuth in the AWS Lambda Function

These instructions describe how to set up OAuth on your Amazon Connect instance.
Before you start, open a text file so you can copy some parameter values or keys.

Starting with contact center version 19.0, configuration parameters are stored in AWS Secrets Manager instead of the SSM Parameter Store. Configuration values that are not specific to a contact center are stored in environment variables. Contact center-specific configuration values are stored in the Secrets Manager secret for each contact center.

All the Lambda functions read the configuration parameters from Secrets Manager. For contact center versions before 19.0, the Lambda functions continue to read the configuration parameters from the SSM Parameter Store.

  1. Log in to the AWS Console > Lambda > Functions. Log in with the root user email that you used to create a contact center during Service Cloud Voice setup. If this is your first login, reset your password.
  2. Select the {Your Contact Center Name}-InvokeSalesforceRestApiFunction Lambda function.
  3. For contact center versions below 19.0, click the Configuration tab and scroll down to Environment variables. Some of the variables are already configured for your instance, but you have to set the values for CONSUMER_KEY_PARAM_NAME, PRIVATE_KEY_PARAM_NAME, and SUBJECT parameters.

    For contact center versions 19.0 or later, go to Secrets Manager from Services. On the Secrets page, locate your contact center's secret. The secret name is prefixed with callCenterApiName for partner Amazon contact centers or LambdaPrefix for multi-org contact centers. For provisioned contact centers, the secret name is also available in the Lambda function's environment variable. Then, set the CONSUMER_KEY_PARAM_NAME, PRIVATE_KEY_PARAM_NAME, and SUBJECT keys within that secret.

    If you’re testing this functionality in a sandbox org, make sure that the following values point to the sandbox domain (or to test.salesforce.com) instead of login.salesforce.com: AUDIENCE, SALESFORCE_AUTH_ENDPOINT, and SALESFORCE_REST_API_ENDPOINT_BASE. For contact center versions 19.0 or later, these values are in the secrets; for contact center versions below 19.0, they are environment variables.

    For contact center versions below 19.0, the name of the secret is specified in the Lambda environment variables. Use the secret name to locate the corresponding AWS secret and update the values within the secret to use your sandbox domain.

    1. Copy the values for the CONSUMER_KEY_PARAM_NAME and PRIVATE_KEY_PARAM_NAME keys or parameters and paste them into a text file. For contact center versions 19.0 or later, these values are the names of the keys within a single secret that hold the actual credentials. For contact center versions below 19.0, these values are the names of the SSM parameters that hold the actual credentials.
    2. For the SUBJECT variable, enter the Salesforce username of the user you want to log in to Salesforce through the Lambda function. The user must have access to the objects that the Lambda function will be executed on.
    3. In the connected app in Salesforce, check that the user is added to the connected app profile. From Setup in your Salesforce org, go to App Manager. Open the action menu for the connected app, click Manage, and scroll to the bottom of the page to see the profiles. Verify that the Permitted Users value is set to "Admin approved users are pre-authorized" for the desired profile. To learn more about OAuth access policies, see Manage OAuth Access Policies for a Connected App.
  4. For contact center versions below 19.0, in the parameter store, search for the CONSUMER_KEY_PARAM_NAME value and the PRIVATE_KEY_PARAM_NAME value that you copied to the text file.
    For contact center versions 19.0 or later, there are no CONSUMER_KEY_PARAM_NAME and PRIVATE_KEY_PARAM_NAME secrets; instead, these are keys. For example, testbyoacvos1-salesforce-rest-api-auth-consumer-key.
  5. For the Consumer Key, update the value by clicking Edit and pasting the value of the consumer key from the connected app into the Value field.

    When editing the key and value of a secret, use Plaintext mode so that the console does not reformat the certificate.

    To update keys in a secret, format the key and then update the key in Secrets Manager.

    1. To format the multi-line key into a single line, paste the private key into a text editor and append the line break characters \r\n to each line, or run this command in a terminal:
      cat <<EOF | awk '{printf "%s\\r\\n", $0}'
      PASTE YOUR Certificate
      EOF

      If you use Windows, you can also run this command to format the key:
      (Get-Content privateKey.pem | Where-Object {$_ -ne ""}) -join "\n" | Set-Content private_five.key

      Copy the formatted single-line key.

      [Figure: multi-line key before formatting]

      [Figure: formatted single-line key]
    2. In Secrets Manager, select the secret for the contact center.
    3. Select Retrieve secret value and click Edit, select the Plaintext view, and paste the formatted single-line key for the appropriate key.
    4. Save your changes.

    You can also use the AWS SDK to update the key in the secret.
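
    An added example, not part of the original documentation: it applies the same formatting as the awk one-liner above, checks that the result is a single line wrapped in the BEGIN/END RSA PRIVATE KEY markers, and confirms that the formatted value restores to the original key text before you paste it into the secret. The function names and the placeholder key are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not vendor code). Function names and the sample key are constructed.

# Print the PEM file $1 as one line, each source line followed by the literal
# characters \r\n, as the awk one-liner does. Stray CRs and blank lines are dropped.
format_pem_single_line() {
  tr -d '\r' < "$1" | awk 'NF { printf "%s\\r\\n", $0 }'
}

# Turn a formatted single-line key (stdin) back into multi-line PEM text.
restore_pem() {
  awk '{ gsub(/\\r\\n/, "\n"); printf "%s", $0 }'
}

# Succeed only if $1 is a single line that starts and ends with the
# RSA PRIVATE KEY markers the page requires.
check_formatted_key() {
  nl='
'
  case $1 in *"$nl"*) return 1 ;; esac
  case $1 in
    '-----BEGIN RSA PRIVATE KEY-----\r\n'*'-----END RSA PRIVATE KEY-----\r\n') return 0 ;;
    *) return 1 ;;
  esac
}

# Demo on a constructed placeholder (not a real key), kept in a private temp dir.
demo() {
  umask 077
  dir=$(mktemp -d) || return 1
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
    'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY' '' \
    '-----END RSA PRIVATE KEY-----' > "$dir/server.key"
  one_line=$(format_pem_single_line "$dir/server.key")
  check_formatted_key "$one_line" || { rm -rf "$dir"; return 1; }
  # Round trip: restored text must equal the source minus blank lines.
  printf '%s' "$one_line" | restore_pem > "$dir/restored.key"
  grep -v '^$' "$dir/server.key" | cmp -s - "$dir/restored.key"
  rc=$?
  rm -rf "$dir"
  return $rc
}

demo && echo "formatted key verified"
```

    Run the format and check functions against your own server.key in a directory only you can read, and delete any intermediate copies once the secret is saved.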

    If you didn’t already copy the Consumer Key from your app, you can get that value from your Salesforce org. From Setup, enter Apps in the Quick Find box, and select App Manager. Click View in the dropdown menu for your connected app. Copy the value for the Consumer Key from the connected app page.

  6. Save your changes.
  7. Update the value of the private key by clicking Edit and pasting the private key into the Value field. For the private key, you need the key that you previously used to sign the self-signed certificate. By default, this key is stored locally to a file named server.key.

    The private key isn’t the same as the consumer secret, although both are generated by the same key. The private key begins with “-----BEGIN RSA PRIVATE KEY-----” and ends with “-----END RSA PRIVATE KEY-----”. Be sure to include that BEGIN and END text as part of the key value.

  8. Save your changes.

It can take a few minutes before the changes are applied to the connected app.