IAM Roles Anywhere Authentication From Salesforce using External Credentials

Abhinav Pandey
3 min read · Feb 21, 2024


Purpose
AWS security guidance recommends against creating long-lived access key IDs and secret access keys and storing them in an external system. The goal here is therefore to integrate Salesforce with AWS without storing any access key or secret in Salesforce.

Solution

  1. Obtain temporary STS credentials through IAM Roles Anywhere, authenticating with an X.509 certificate instead of a stored access key.
  2. This is a configuration-based approach (no custom authentication code) and can be leveraged for any AWS service the IAM role is allowed to call.

STEPS FOR ROLES ANYWHERE

In Salesforce

  1. Navigate to “Certificate and Key Management” under Setup.
  2. Click on “Create CA-Signed Certificate”. Fill in the necessary fields and save.
  3. Download the CSR after saving the certificate request above. CSR stands for Certificate Signing Request; it will be signed by the AWS private CA later.

** The certificate created above is not active yet; it still needs to be signed by the AWS certificate authority.

In AWS

  1. In the AWS Console (of your favorite Conduit/Isengard Account), head over to AWS Private CA (ACM PCA) and choose Create a Private CA.
  2. Choose General-Purpose.
  3. Choose Root CA as the CA Type.
  4. Add the relevant subject metadata for this CA certificate.
  5. Ensure the Key Algorithm Type is ECDSA P256 (this issues a version 3 CA certificate).
  6. Acknowledge the pricing and click Create CA.

Now, head back to the Certificate List and Choose the Certificate > Actions > Install CA Certificate.

Head over to your Terminal

  1. Ensure the AWS CLI is installed so you can reach AWS from your terminal: https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
  2. Sign the CSR using your Private Root CA. The signing algorithm family must match the CA's key: the CA above was created with ECDSA P256, so use SHA256WITHECDSA (SHA256WITHRSA is only valid for an RSA-keyed CA and the request would be rejected).
$ aws acm-pca issue-certificate \
--certificate-authority-arn "<PRIVATE_ROOT_CA_ARN>" \
--csr fileb://csr.pem \
--signing-algorithm "SHA256WITHECDSA" \
--validity Value=365,Type="DAYS" \
--region "<Region of service>"

Sample output for the above command
{
"CertificateArn": "arn:aws:acm-pca:us-east-2:767397946419:certificate-authority/cbe387d0-ac42333-48e6-sdsdacffff-0117610890e4/certificate/b47b12b3b9568e1743c071fe446ae542"
}

  3. Obtain the certificate ARN from the output above and run the command below to retrieve the signed certificate together with its CA chain:
$ aws acm-pca get-certificate \
--certificate-authority-arn "<PRIVATE_ROOT_CA_ARN>" \
--certificate-arn "<CERTIFICATE_ARN>"

Sample output
{
"Certificate": "-----BEGIN CERTIFICATE-----\nMIICpzCCAkygAwIBAgIRALR7ErO5Vo4XQ8Bx/kRq5UIwCgYIKoZIzj0EAwIwDjEM\nMAoGA1UECgwDQVdTMB4XDTI0MDIxMjE5NDU0MloXDTI1MDIxMTIwNDU0MlowUjEW\nMBQGA1UEAwwNUm9sZXNBbnlXaGVyZTEMMAoGA1UECgwDQVdTMRAwDgYDVQQHDAdT\nZWF0dGxlMQswCQYDVQQInKXsNM0f0yph/rP7GTrs8EKbmEwHQYDVR0OBBYE\nFHdJi29MK5ZoPkeVSZ6sPjO3HDlkMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAU\nBggrBgEFBQcDAQYIKwYBBQUHAwIwCgYIKoZIzj0EAwIDSQAwRgIhAMJVFo6PB1Ou\nEX0LusgAhaQ7gXQG7uiiVZvs+xKgzjaiAiEAnewvhBai5APTUGUrw7+OF4/oLjHn\nMqdpfS5eXCECMCw=\n-----END CERTIFICATE-----",
"CertificateChain": "-----BEGIN CERTIFICATE-----\nMIIBXDCCAQKgAwIBAgIQO8fg4AjtLfAUpxCbswj8UjAKBggqhkjOPQQDAjAOMQww\nCgYDVQQKDANBV1MwHhcNMjQwMjEyMTg1MjA1WhcNMzQwMjEyMTk1MjAxWjAOMQww\nCgYDVQQKDANBV1MwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATMaZgZ8sOVHrqc\nimzB30S4yQhTwkJtd5Woz1JtodDSO1l37450dBpjkQE1M9YDWTKks3XB9zp6+3/U\no3qrJepFo0IwQDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSmcpew0zR/TKmH\n+s/sZOuzwQpuYTAOBgNVHQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwIDSAAwRQIgU4n4\n/g3eSU1Z7YDx+nipQCaHNSOKrGd4o8M/26aMFVECIQCrQTk2l/2j46Boln6Q4nCy\n2mtn3GUanOiSZndBuVflsQ==\n-----END CERTIFICATE-----"
}

Now, on your Mac, create a file in an editor and paste the certificate from "BEGIN CERTIFICATE" through "END CERTIFICATE" (include those two lines), then save the file with a .crt extension.

  1. While saving the file, delete every literal "\n" and press Enter for a real new line instead. Each base64 line of the certificate body must be exactly 64 characters long (only the last line may be shorter) for the file to be recognized as a PEM certificate.
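Hand-editing the "\n" escapes is where this step usually goes wrong. The script below is an added example, not code from the original post: it reads the JSON that `aws acm-pca get-certificate` prints, writes the leaf certificate and the CA chain to two files with real line breaks, and refuses to write anything that fails a structural PEM check (64-character base64 lines, matching BEGIN/END lines, no leftover "\n"). The output file names and the placeholder payload in the built-in sample are assumptions; the sample is constructed and is not a real certificate.

```python
import base64
import binascii
import json
import sys

# PEM armour lines as printed by `aws acm-pca get-certificate` (RFC 7468).
BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def pem_from_get_certificate(json_text, field="Certificate"):
    """Pull one PEM string out of the get-certificate JSON.

    json.loads turns the escaped \\n sequences into real line breaks,
    which is exactly what hand-copying from the console does not do.
    """
    doc = json.loads(json_text)
    return doc[field].strip() + "\n"


def validate_pem(pem):
    """Structural check of a PEM file; returns a list of problems (empty
    means the layout is what a PEM parser expects). Checks that every BEGIN
    has an END, that no literal backslash-n survived, and that each body is
    valid base64 laid out in 64-character lines (the last may be shorter).
    It does NOT verify the signature or the chain."""
    problems = []
    if "\\n" in pem:
        problems.append('literal "\\n" sequences present; replace them with real line breaks')
    blocks, current = [], None
    for n, line in enumerate(pem.splitlines(), 1):
        if line == BEGIN:
            if current is not None:
                problems.append(f"line {n}: BEGIN inside an unterminated block")
            current = []
        elif line == END:
            if current is None:
                problems.append(f"line {n}: END without a matching BEGIN")
            else:
                blocks.append(current)
                current = None
        elif current is not None:
            current.append(line)
    if current is not None:
        problems.append("unterminated block (missing END CERTIFICATE line)")
    if not blocks:
        problems.append("no certificate block found")
    for i, body in enumerate(blocks, 1):
        for j, line in enumerate(body[:-1], 1):
            if len(line) != 64:
                problems.append(f"block {i}, body line {j}: {len(line)} chars, expected 64")
        if body and len(body[-1]) > 64:
            problems.append(f"block {i}: last body line longer than 64 chars")
        try:
            base64.b64decode("".join(body), validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"block {i}: body is not valid base64")
    return problems


def write_pem_files(json_text, cert_path="cert.crt", chain_path="chain.crt"):
    """Write the leaf certificate and the CA chain to two files (assumed
    names), refusing to write anything that fails the structural check."""
    outputs = {cert_path: pem_from_get_certificate(json_text, "Certificate"),
               chain_path: pem_from_get_certificate(json_text, "CertificateChain")}
    for path, pem in outputs.items():
        problems = validate_pem(pem)
        if problems:
            raise ValueError(f"{path}: " + "; ".join(problems))
        with open(path, "w", encoding="ascii") as fh:
            fh.write(pem)
    return list(outputs)


# Constructed sample (not a real certificate): the JSON shape the CLI prints,
# with 100 placeholder bytes standing in for the DER payload.
_FAKE_B64 = base64.b64encode(bytes(range(100))).decode()
_FAKE_BODY = "\n".join(_FAKE_B64[i:i + 64] for i in range(0, len(_FAKE_B64), 64))
SAMPLE_JSON = json.dumps({
    "Certificate": f"{BEGIN}\n{_FAKE_BODY}\n{END}",
    "CertificateChain": f"{BEGIN}\n{_FAKE_BODY}\n{END}",
})
# What a hand-copied file typically looks like: one line, escapes kept.
BROKEN_PEM = f"{BEGIN}\\n{_FAKE_B64}\\n{END}\n"

if __name__ == "__main__":
    # Usage: aws acm-pca get-certificate ... | python3 write_cert.py
    print(write_pem_files(sys.stdin.read()))
```

The same result can be had without any script by letting the CLI unescape the value for you: `aws acm-pca get-certificate ... --query Certificate --output text > cert.crt` writes the PEM with real line breaks. Run the validator on the result either way; a file with a leftover "\n" or a mis-wrapped line is silently rejected by the trust anchor upload, and the check above tells you exactly which line is wrong.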

In AWS

  1. Navigate to IAM Roles Anywhere and create a trust anchor (using the CA certificate created above) and a profile that lists the IAM role.
  2. Navigate to the IAM role you will be using and attach the policy permissions for the service the role will be accessing.
  3. In the trust relationship of that role, add a policy statement that allows the user and the rolesanywhere.amazonaws.com service to assume this role.
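Step 3 is the part worth getting exactly right, because a trust policy that merely names the Roles Anywhere service is valid but not tied to your trust anchor. The following Python is an added example, not code from the original post: it builds the role trust policy that the AWS documentation describes for Roles Anywhere (the service principal, the three STS actions it needs, and an aws:SourceArn condition pinned to the trust anchor ARN) and audits an existing trust policy for statements that trust the service without that scoping. The trust anchor ARN and the loose policy are constructed placeholders.

```python
import json

ROLES_ANYWHERE_SERVICE = "rolesanywhere.amazonaws.com"
# Actions the Roles Anywhere service performs on the role (per the AWS docs).
REQUIRED_ACTIONS = {"sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"}
# Condition operators that can carry an aws:SourceArn restriction.
ARN_OPERATORS = {"ArnEquals", "ArnLike", "StringEquals", "StringLike"}

# Placeholder (constructed) trust anchor ARN; substitute the one shown in the console.
EXAMPLE_TRUST_ANCHOR_ARN = (
    "arn:aws:rolesanywhere:us-east-2:111122223333:trust-anchor/EXAMPLE-TRUST-ANCHOR-ID"
)


def rolesanywhere_trust_policy(trust_anchor_arn):
    """Trust policy that lets Roles Anywhere assume the role only for
    certificates validated through the one named trust anchor."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": ROLES_ANYWHERE_SERVICE},
            "Action": sorted(REQUIRED_ACTIONS),
            "Condition": {"ArnEquals": {"aws:SourceArn": trust_anchor_arn}},
        }],
    }


def _as_list(value):
    # IAM allows a single string where a list is expected; normalise both.
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy):
    """Return findings for every Allow statement that trusts the Roles
    Anywhere service: missing STS actions, or no aws:SourceArn condition
    (which leaves the role usable through any trust anchor in the account)."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if st.get("Effect") != "Allow" or ROLES_ANYWHERE_SERVICE not in services:
            continue
        actions = set(_as_list(st.get("Action", [])))
        missing = REQUIRED_ACTIONS - actions
        if missing and not actions & {"sts:*", "*"}:
            findings.append(f"statement {i}: missing {sorted(missing)}; "
                            f"the service needs all of {sorted(REQUIRED_ACTIONS)}")
        condition = st.get("Condition", {})
        scoped = any(op in ARN_OPERATORS and "aws:SourceArn" in keys
                     for op, keys in condition.items())
        if not scoped:
            findings.append(f"statement {i}: no aws:SourceArn condition, "
                            "so the role is not tied to one trust anchor")
    return findings


# Constructed example of the shape people paste in first: service trusted,
# one action, no condition.
LOOSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {"Service": ROLES_ANYWHERE_SERVICE},
        "Action": "sts:AssumeRole",
    },
}

if __name__ == "__main__":
    print(json.dumps(rolesanywhere_trust_policy(EXAMPLE_TRUST_ANCHOR_ARN), indent=2))
    for finding in audit_trust_policy(LOOSE_POLICY):
        print("FINDING:", finding)
```

Paste the printed policy into the role's Trust relationships tab. If you also want a human user to assume the same role, add that as a separate statement rather than widening the Roles Anywhere one; the audit only inspects statements whose principal is the Roles Anywhere service, so your user statement is left alone.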

In Salesforce

  1. Navigate to External Credentials in Salesforce under Setup → Named Credentials.
  2. Create a new external credential and choose AWS Signature Version 4 as the authentication protocol.
  3. Fill out the other fields with the region, the trust anchor ARN and the profile ARN.
  4. Save the external credential.
  5. Go to the Principals section of the external credential created above and add a principal with the IAM role ARN.

** Do not worry about an STS access key and secret: they are generated on the fly after the certificate authentication succeeds and expire according to the STS duration field in the external credential.

  1. Go to Permission Sets and assign the user a named-credential permission set (create one if none exists).
  2. In that permission set, grant “Named Credential Access” and “External Credential Principal Access” for the principal created above.
  3. Navigate to “Named Credentials” from Setup and create a new Named Credential.
  4. In the URL field, provide the URL of your AWS service endpoint.
  5. In the External Credential field, select the external credential created above.
  6. Check the boxes “Enabled for Callouts” and “Generate Authorization Header”.

THAT'S IT!!!!!

Now navigate to the Developer Console and execute the callout script below. The named credential adds the SigV4 Authorization header using the temporary Roles Anywhere credentials, so no AWS key ever appears in Apex.

// Callout through the named credential; Salesforce signs the request (SigV4)
// with the temporary credentials it obtained from IAM Roles Anywhere.
HttpRequest req = new HttpRequest();
req.setEndpoint('callout:<Named Credential>');
req.setMethod('GET');
Http http = new Http();
HttpResponse res = http.send(req);
// Check the status before trusting the body; a 403 usually means the role,
// trust anchor or profile is misconfigured.
System.debug(res.getStatusCode());
System.debug(res.getBody());


Abhinav Pandey

Salesforce Architect @AWS | AWS & Physics Enthusiast | Quantum Physics