amazon-appflow create new connector profile returns service error


I'm trying to leverage aws-appflow to retrieve data from Salesforce, but can't create a connector profile using boto3. I keep getting Service Error.

My attempt:

    appflow.create_connector_profile(
      connectorProfileName='appflow-sfdc-test',
      kmsArn='{{ encryption-key-arn }}',
      connectorType='Salesforce',
      connectionMode='Public',
      connectorProfileConfig={
        'connectorProfileProperties': {
            'Salesforce': {
                'instanceUrl': 'https://{{ our-domain }}.my.salesforce.com',
                'isSandboxEnvironment': False
            }
        },
        'connectorProfileCredentials': {
            'Salesforce': {  
                'accessToken': '{{ access-token }}',
                'refreshToken': '{{ refresh-token }}',
                'clientCredentialsArn': '{{ secretsmanager arn with the client id & secret }}'
            }
        }
      }
    )

    # returns this error
    botocore.errorfactory.InternalServerException: An error occurred (InternalServerException) when calling the CreateConnectorProfile operation (reached max retries: 4): Service Error

I'm unsure what I'm doing wrong. I thought I was following their instructions properly, and I can't figure out where to get more information about this error.


Solution

  • AWS documentation for AppFlow Salesforce integration is a bit confusing.

    Below is a working AWS CLI snippet:

    # The shell does not expand variables inside the single-quoted JSON,
    # so replace the $... placeholders there with the literal values.
    aws appflow create-connector-profile \
    --connector-profile-name salesforce-connector \
    --connector-type Salesforce \
    --kms-arn arn:aws:kms:$region:$account_id:key/$key_id \
    --connection-mode Public \
    --connector-profile-config '{
        "connectorProfileProperties": {
            "Salesforce": {
                "instanceUrl": "https://your-domain.my.salesforce.com",
                "isSandboxEnvironment": false
            }
        },
        "connectorProfileCredentials": {
            "Salesforce": {
                "oAuthRequest": {
                    "authCode": "$oauth_authorization_code",
                    "redirectUri": "$redirect_uri"
                },
                "clientCredentialsArn": "arn:aws:secretsmanager:$region:$account_id:secret:$secret"
            }
        }
    }'
    

    Note that we don't need accessToken and refreshToken as they will be fetched on creation using authCode and credentials from clientCredentialsArn.

    Another bit is that the Secrets Manager secret should be encrypted using the same KMS key as in the --kms-arn parameter.

    The clientCredentialsArn secret content should look similar to:

    {
      "clientId": "XXX",
      "clientSecret": "YYY"
    }
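
A boto3 version of the answer's request, with a pre-flight check of the two conditions it names for the secret (same KMS key, `clientId`/`clientSecret` content). This is an added example, not part of the original question or answer; the function names `secret_problems`, `profile_request` and `create_profile` and their parameters are assumptions made for illustration.

```python
import json

def secret_problems(meta, secret_string, kms_arn):
    """Hypothetical helper: list problems with the client-credentials secret.
    meta is a describe_secret response, secret_string the secret's SecretString.
    Messages never contain secret values."""
    problems = []
    # KmsKeyId is omitted when the secret uses the default aws/secretsmanager key.
    # Compare the trailing key id so a bare id and a key ARN both match;
    # an alias would have to be resolved with kms describe_key first.
    key = meta.get("KmsKeyId", "")
    if not key or key.rsplit("/", 1)[-1] != kms_arn.rsplit("/", 1)[-1]:
        problems.append("secret is not encrypted with the key given as kmsArn")
    try:
        body = json.loads(secret_string)
    except (ValueError, TypeError):
        body = None
    if not isinstance(body, dict):
        problems.append("secret value is not a JSON object")
    else:
        for field in ("clientId", "clientSecret"):
            if not body.get(field):
                problems.append("secret has no " + field)
    return problems

def profile_request(name, kms_arn, instance_url, auth_code, redirect_uri, secret_arn):
    """Build create_connector_profile kwargs with oAuthRequest and no tokens."""
    return {
        "connectorProfileName": name,
        "kmsArn": kms_arn,
        "connectorType": "Salesforce",
        "connectionMode": "Public",
        "connectorProfileConfig": {
            "connectorProfileProperties": {"Salesforce": {
                "instanceUrl": instance_url, "isSandboxEnvironment": False}},
            "connectorProfileCredentials": {"Salesforce": {
                "oAuthRequest": {"authCode": auth_code, "redirectUri": redirect_uri},
                "clientCredentialsArn": secret_arn}},
        },
    }

def create_profile(**kw):
    import boto3  # imported here so the helpers above run without AWS access
    sm = boto3.client("secretsmanager")
    problems = secret_problems(sm.describe_secret(SecretId=kw["secret_arn"]),
        sm.get_secret_value(SecretId=kw["secret_arn"])["SecretString"], kw["kms_arn"])
    if problems:
        raise ValueError("; ".join(problems))
    return boto3.client("appflow").create_connector_profile(**profile_request(**kw))
```

`create_profile` takes the same keyword arguments as `profile_request` and needs credentials allowed to read the secret and call AppFlow.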