Populate External Credential Principals

Though named and external credentials are represented by metadata, the standard Metadata API can’t fully expose the definition of a credential, because it doesn’t render sensitive information like tokens in plain text. This means that packaged credentials don’t include the access tokens or certificates that users need to perform authenticated callouts.

After you install the managed package, you can use the UI or the Connect REST API to populate tokens or certificates in the external credential or its principals. These sections include the access details that you must populate based on your authentication protocol, as well as Connect REST API code samples. For more information about using the Connect REST API for named credentials, see Named Credentials Resources in the Connect REST API Developer Guide.

After you install a package with a credential that uses an OAuth 2.0 authentication protocol, the steps that you must take depend on the OAuth 2.0 variant.

External credentials that use the OAuth 2.0 authentication protocol with the Browser Flow variant reference an authentication provider created in the subscriber org. For more information, see Authentication Provider SSO with Salesforce as the Relying Party.

After you install the package, you must create an authentication provider in the subscriber org. Then, use the Connect API or UI to assign the authentication provider to the installed external credential.

This code example uses a PUT request to add an authentication provider to the external credential.

External credentials that use the OAuth 2.0 authentication protocol with the JWT Bearer Flow variant reference a signing certificate created in the subscriber org. After you install the package, you must create a signing certificate in the subscriber org. Then, use the Connect API or UI to assign the signing certificate to the installed external credential.

This code example uses a PUT request to add a signing certificate to the external credential.

External credentials that use the OAuth 2.0 authentication protocol with the Client Credentials with JWT Assertion variant reference a client identifier as well as a signing certificate created in the subscriber org. After you install the package, you must assign a signing certificate to the external credential and populate the client ID.

This code example uses two Connect API requests: a PUT request to add a signing certificate to the external credential, and a POST request to populate the client ID.

First, add the signing certificate to the credential.

Next, populate the client ID.

External credentials that use the OAuth 2.0 authentication protocol with the Client Credentials with Client Secret Flow variant include a client identifier and client secret. After you install the package, you must populate the client ID and client secret.

This code example uses a POST request to populate the client ID and client secret.

After you install a package with a credential that uses an AWS Signature v4 authentication protocol, the steps that you must take depend on the protocol’s variant.

External credentials that use the standard AWS Signature v4 variant use an access key and secret to authenticate. After you install the package, you must populate the access key and secret.

This code example uses a POST request to populate the access key and secret.

External credentials that use the AWS STS variant with the STS principal type use a long-term access key and secret to authenticate. After you install the package, you must populate the access key and secret.

This code example uses a POST request to populate the access key and secret.

External credentials that use the AWS STS variant with the named principal type use a Role Amazon Resource Name (ARN) certificate to authenticate. After you install the package, you must populate the role ARN certificate.

This code example uses a POST request to populate the role ARN certificate.

External credentials that use the AWS STS Roles Anywhere variant use a certificate to request temporary, limited-privilege credentials controlled via IAM policies and roles. After you install the package, you must populate the role ARN certificate.

This code example uses a POST request to populate the role ARN certificate.

With the Custom authentication protocol, each user implements custom credentials. Nothing is required after you install the package, but you can use a POST request to populate custom user-specified credentials.

This code example uses a POST request to populate an API key.

External credentials that use the JWT authentication protocol reference a signing certificate created in the subscriber org. After you install the package, you must create a signing certificate in the subscriber org. Then, use the Connect API or UI to assign the signing certificate to the installed external credential.

This code example uses a PUT request to add a signing certificate to the external credential.

External credentials that use the Basic authentication protocol authenticate with a static username and password. Basic authentication supports two identity types:

  • Named Principal: A Salesforce admin uses one username and password to authenticate into the external system on behalf of all users.
  • Per User Principal: Each user accessing the external system manages their own username and password.

After you install a credential that uses Basic authentication, you must populate the username and password.

This code example uses a POST request to populate a named principal username and password.

This code example uses a POST request to populate a per-user principal username and password.
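As an added example (not taken from this page or from Salesforce’s own samples), the Python helper below builds and sends the POST body that populates a Basic principal for either identity type, and shows how to log the request without exposing the secret. The endpoint path, API version and request field names are assumptions based on the Connect REST API named-credentials resources; the org URL, session token and principal names are placeholders.

```python
import json
import urllib.request

# Assumed from the Connect REST API named-credentials resources (not from this page).
CREDENTIAL_PATH = "/services/data/v60.0/named-credentials/credential"
BASIC_PRINCIPAL_TYPES = ("NamedPrincipal", "PerUserPrincipal")


def build_basic_credential(external_credential, principal_name, principal_type,
                           username, password):
    """Build the POST body for a Basic principal's username and password.

    NamedPrincipal: one admin-managed login shared by all users.
    PerUserPrincipal: each user populates their own login with their own session.
    """
    if principal_type not in BASIC_PRINCIPAL_TYPES:
        raise ValueError(f"principal_type must be one of {BASIC_PRINCIPAL_TYPES}")
    return {
        "externalCredential": external_credential,
        "principalName": principal_name,
        "principalType": principal_type,
        "authenticationProtocol": "Basic",
        "credentials": {
            "username": {"value": username, "encrypted": False},
            # Flag the secret as encrypted so the org stores it as a sealed value.
            "password": {"value": password, "encrypted": True},
        },
    }


def redact(payload):
    """Return a copy safe for audit logs: every encrypted value is masked."""
    safe = json.loads(json.dumps(payload))
    for field in safe["credentials"].values():
        if field.get("encrypted"):
            field["value"] = "***"
    return safe


def populate_credential(instance_url, session_id, payload):
    """POST the payload to the subscriber org using an authenticated session token."""
    req = urllib.request.Request(
        instance_url.rstrip("/") + CREDENTIAL_PATH,
        data=json.dumps(payload).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {session_id}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:  # network call; not run by tests
        return json.load(resp)
```

Call `populate_credential("https://PLACEHOLDER.my.salesforce.com", "<session token>", build_basic_credential("PackagedCred", "AdminLogin", "NamedPrincipal", "svc_user", "secret"))` once per principal; for a per-user principal, the request must be sent with that user’s own session.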