Use Identity Provider–Based Authentication for S3 Connectors

Add an identity provider (IdP) and create the necessary policies in AWS to use IdP-based authentication when connecting to an S3 bucket using S3 connectors.

Before you begin, refer to Set Up Amazon S3 Connection and create an S3 connection. Copy the generated External ID.

  1. Add an identity provider for Salesforce in AWS.

    1. In the navigation pane of IAM, choose Identity providers, and then choose Add provider.

    2. For Configure provider, choose OpenID Connect.

    3. Enter the My Domain URL details for the provider URL and audience.

      IdP Details in AWS Management Console | URL Format                          | Example
      Provider URL                          | <My Domain URL>/services/connectors | https://dlt0000007luz2am-dev-ed.develop.test1.my.pc-rnd.salesforce.com/services/connectors
      Audience                              | <My Domain URL>                     | https://dlt0000007luz2am-dev-ed.develop.test1.my.pc-rnd.salesforce.com

      To find the My Domain URL of your org, go to Setup, click Settings, and then Company Settings. Click My Domain to find your Current My Domain URL. For more information, see My Domain.

    4. Verify the information you provided and choose Add provider.

      IAM attempts to retrieve and use the top intermediate CA thumbprint of the OIDC IdP server certificate to create the IAM OIDC identity provider.

  2. Create the necessary roles in AWS for the Data Cloud S3 connector to connect with an S3 bucket. See Creating a role using custom trust policies (console).

  3. Associate a permission policy with the role. See Amazon S3 Bucket Policies and Permissions to learn which permission policies can be applied to the role.

  4. Associate a trust policy to the role using the External ID obtained during the S3 connection setup.

    Sample trust policy

  5. Get the Amazon Resource Name (ARN) of the role and use it as the IAM Role Name when you Set Up Amazon S3 Connection.
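The trust policy in step 4 is what keeps the role from being assumable by anyone other than your org's OIDC provider, so it is worth checking before it is attached. The following is an added example, not code from Salesforce or AWS: it builds a sample trust policy for the role and runs a scoping check over it. It assumes the role is assumed through the OIDC provider added in step 1 with sts:AssumeRoleWithWebIdentity, that the `aud` claim carries the My Domain URL, and that the External ID is pinned in a StringEquals condition (the `sts:ExternalId` key name is an assumption, as are the account ID, provider host and External ID values, which are constructed placeholders).

```python
"""Check that a Data Cloud S3 connector role trust policy is tightly scoped.
Added example (not Salesforce or AWS code); the sts:ExternalId key name and
all IDs below are assumptions or constructed placeholders."""
import json

ACCOUNT_ID = "123456789012"  # constructed placeholder
PROVIDER_HOST = "example-dev-ed.develop.my.salesforce.com/services/connectors"
AUDIENCE = "https://example-dev-ed.develop.my.salesforce.com"
EXTERNAL_ID = "EXTERNAL-ID-FROM-CONNECTION-SETUP"  # constructed placeholder

SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{PROVIDER_HOST}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{PROVIDER_HOST}:aud": AUDIENCE,
            "sts:ExternalId": EXTERNAL_ID,  # key name is an assumption
        }},
    }],
})


def trust_policy_findings(policy_json, provider_host, audience, external_id):
    """Return a list of problems; an empty list means the policy is scoped as expected."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        # A wildcard principal lets any identity attempt to assume the role.
        if principal == "*" or (isinstance(principal, dict) and "*" in principal.values()):
            findings.append(f"statement {i}: wildcard principal")
        fed = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if not fed.endswith(f":oidc-provider/{provider_host}"):
            findings.append(f"statement {i}: principal is not the expected OIDC provider")
        if actions != ["sts:AssumeRoleWithWebIdentity"]:
            findings.append(f"statement {i}: unexpected actions {actions}")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if cond.get(f"{provider_host}:aud") != audience:
            findings.append(f"statement {i}: aud is not pinned to the My Domain URL")
        if external_id not in cond.values():
            findings.append(f"statement {i}: External ID is not pinned")
    return findings
```

Run the check against the policy you intend to attach; any finding means the role can be assumed more broadly than the connector setup requires.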