Set Up Salesforce Connect to Access Amazon RDS Data

Prepare your Salesforce org to access external data hosted by Amazon RDS by completing these steps.

Obtain access to a Salesforce org to set up and test your configuration. The sample data in this example represents a scenario where customer data is stored in Salesforce and order and product data are stored in Amazon RDS. Even though these are disparate data sources, the Order table has a foreign key identifying the customer who placed the order. This foreign key is used to create an indirect lookup that links orders to accounts in Salesforce. Load the sample data, and explore how customer data in Salesforce can be augmented with data from the external system.

  • Create a text field customerID on the Account object. Mark the field as an external ID and unique.

  • Import the data from the sample-customers.csv as Accounts and Contacts using the Data Import Wizard. Make sure to import the first column into the new customerID field.

  • Populate the new customerID field with the value CUST-3675 on a test Account.

    The order data stored in Amazon RDS can be viewed as a related list on the Account page.

Define the connectivity and authentication to the GraphQL API endpoint as a named credential in Salesforce. The AWS server resources, created by running the CloudFormation template, are accessed from Salesforce (client application) via HTTP callouts. Named Credentials define the URL of the remote endpoint and capture its authentication parameters in the linked external credential.

The Salesforce Platform supports the use of permission sets to control which users are authorized to make callouts. All users, including System Administrators, need permissions to make the callout to the Amazon AppSync API.

  1. From Setup, in the Quick Find box, enter Permission Sets, and then select Permission Sets.

  2. Click New.

    You can also identify a permission set shared by users who are authorized to make callouts. In a production environment, where many users need permissions to make this callout, consider adding the permission to a permission set group.

  3. Specify the label as Access External Systems, and enter other permission set information.

  4. Click Save.

  5. Click Manage Assignments, and then click Add Assignments to assign the Access External Systems permission set to the identified users.

  6. Follow the wizard to complete the process.

Use external credentials to set up an API Key and capture the authentication configuration required to access the Amazon AppSync endpoint.

  1. From Setup, in the Quick Find box, enter Named Credentials, then select Named Credentials.

  2. Click External Credentials, click New, and then set these fields.

    • Label: API Key Auth for AppSync

    • Name: APIKeyAuthForAppSync

      Note the name to use when adding a custom header.

    • Authentication Protocol: Custom

  3. Save the external credential.

After creating the external credential, store the API key securely, and then link its access to the Access External Systems permission set.

  1. On the external credential’s page, scroll to Principals.
  2. To create a principal, click New, and then set these fields.
    • Name: APIKey
    • Value: Paste the API key that you copied from Amazon AppSync.
  3. Click Save.

Next, add the custom header that references the stored API key.

  1. From Setup, in the Quick Find box, enter Named Credentials, then select Named Credentials.

  2. Click External Credentials.

  3. Under Custom Headers, click New, and then set these fields.

    • Name: x-api-key

      This format is as required by Amazon AppSync and becomes the name of the header in the HTTP callout.

    • Value: {!$Credential.APIKeyAuthForAppSync.APIKey}

      With this merge field syntax, you can reference the API key without reducing security by hard-coding the secret value in clear text.

  4. Click Save.

After you create the external credential that uses the Custom authentication protocol, along with the Access External Systems permission set, to authenticate access to the Amazon RDS data, configure the named credential to specify the callout endpoint.

  1. From Setup, in the Quick Find box, enter Named Credentials, then select Named Credentials.
  2. Click Named Credentials, click New, and then complete these fields.
    • Label: AppSync API
    • Name: Press the Tab key to generate a developer name (AppSyncAPI).
    • URL: Paste the URL of the GraphQL API endpoint from Amazon AppSync.
    • External Credential: Select the API Key Auth for AppSync external credential that you created.
    • Allow Formulas in HTTP Header: Select this option to ensure that the formula referencing the API key is resolved correctly and not interpreted as literal text.
  3. Click Save.
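The custom header and the Allow Formulas in HTTP Header option depend on each other, so it helps to check them together. The following is an added example, not Salesforce code: it audits a constructed dictionary that mirrors the settings on this page. The dictionary keys and function names are hypothetical and are not a Salesforce metadata format.

```python
import re

# Merge-field form used on this page: {!$Credential.<ExternalCredentialName>.<SecretName>}
MERGE_FIELD = re.compile(r"^\{!\$Credential\.(\w+)\.(\w+)\}$")

def audit_callout_config(cfg):
    """Return findings for one named credential plus its linked external credential."""
    ext, named = cfg["external_credential"], cfg["named_credential"]
    findings = []
    for header in ext["custom_headers"]:
        match = MERGE_FIELD.match(header["value"].strip())
        if match is None:
            # Not a merge field: the value is stored and sent as typed. Never echo it.
            findings.append(f"{header['name']}: literal value instead of a $Credential merge field")
            continue
        cred_name, secret = match.groups()
        if cred_name != ext["name"]:
            findings.append(f"{header['name']}: references {cred_name}, expected {ext['name']}")
        if secret not in ext["secret_names"]:
            findings.append(f"{header['name']}: no stored secret named {secret}")
        if not named["allow_formulas_in_header"]:
            findings.append(f"{header['name']}: merge field used, but formulas are disabled on {named['name']}")
    if not any(h["name"].lower() == "x-api-key" for h in ext["custom_headers"]):
        findings.append("x-api-key header is not defined")
    return findings

def make_config(header_value, allow_formulas=True):
    """Constructed sample that uses this page's names (hypothetical dictionary layout)."""
    return {
        "external_credential": {
            "name": "APIKeyAuthForAppSync",
            "secret_names": ["APIKey"],
            "custom_headers": [{"name": "x-api-key", "value": header_value}],
        },
        "named_credential": {"name": "AppSyncAPI", "allow_formulas_in_header": allow_formulas},
    }

if __name__ == "__main__":
    samples = [("{!$Credential.APIKeyAuthForAppSync.APIKey}", True),   # as configured on this page
               ("constructed-not-a-real-key", True),                   # secret typed into the header
               ("{!$Credential.APIKeyAuthForAppSync.Token}", False)]   # wrong name, formulas off
    for value, allow in samples:
        print(audit_callout_config(make_config(value, allow)) or "OK")
```
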

Named credentials reference external credentials, which specify authentication protocols and authorization information. In turn, external credentials leverage user external credentials to store encrypted authentication tokens. Any user performing an authenticated callout needs profile-based or permission set-based access to user external credentials.

  1. From Setup, in the Quick Find box, enter Profiles, and then select Profiles.

  2. Click the profile for which you want to enable user external credentials.

  3. Scroll to Standard Object Permissions, and select User External Credentials.

  4. Check the boxes for the user external credential access that you want to give this user profile.

    You must grant read, create, edit, and delete access even if the user is a system admin.

  5. Save the settings.

Create Salesforce’s representation of the external data source, and create the external objects via metadata sync. The AppSync GraphQL API acts as an external data source in Salesforce, which results in one or more external objects.

To create an external data source:

  1. From Setup, in the Quick Find box, enter External Data Sources, then select External Data Sources.
  2. Click New External Data Source, and complete these fields.
    • External Data Source: Order Mgmt API
    • Name: Press the Tab key to generate a developer name (OrderMgmtAPI).
    • Type: GraphQL
    • Named Credential: AppSync API
    • Writable External Objects: Select this option to edit data stored in Amazon RDS from Salesforce.
  3. Click Save.

To create external objects:

  1. From Setup, in the Quick Find box, enter External Data Sources, then select External Data Sources.
  2. Click the name of the external data source that you created for the database managed via GraphQL.
  3. Click Validate and Sync. The potential external objects to add to Salesforce are listed. Tweak the Name and Label fields to increase readability.
  4. Select all three tables, and click Sync to create Salesforce external objects.