---
id: 04-salesforce-lambdas-manual-setup
title: Setting Up The Salesforce Lambdas Manually
---
import useBaseUrl from "@docusaurus/useBaseUrl";
Below are manual setup instructions for the Salesforce Lambdas.
## Salesforce Lambda Prerequisites
Consider the following prerequisites before you install the Lambda
package.
### Determine your Production Environment
In your installation notes, enter the value for "Production Environment"
as "true" or "false", depending on whether the Salesforce environment
that you are deploying the package into is a production or a sandbox.
For Production, enter "true". For Sandbox enter "false".
### Determine your Consumer Key and Secret
To leverage the full potential of the integration, Salesforce data needs
to be accessed from the AWS environment. The AWS Serverless package comes
with a set of pre-built queries to look up, update and create Salesforce
objects within Amazon Connect Contact Flows, in the form of AWS Lambda
functions.
The Lambda functions access Salesforce using the Salesforce REST API. To
get access to the environment, a Connected App must be configured with
OAuth settings enabled.
1. Log in to Salesforce
2. Navigate to Setup \> Create \> Apps
3. Click on the "New" button for the Connected Apps at the bottom of the page
4. In the following form, fill out the Connected App Name, API Name and Contact Email with values of your choice. We recommend "Amazon Connect Integration" as the Connected App Name and the default value for the API name.
5. Select the checkbox next to "Enable OAuth Settings".
6. Set the **Callback URL** to your domain URL. Find the domain at _Setup_ -> _My Domain_.
7. Ensure Selected OAuth Scopes has the following values selected:
    a. Access the identity URL service (id, profile, email, address, phone)
    b. Manage user data via APIs (api)
8. Select the checkbox "Require Secret for Web Server Flow", and the checkbox "Require Secret For Refresh Token Flow"
9. Click "Save" at the bottom of the screen.
10. Click "Continue" on the next screen
11. Once the app has been created, on the app's detail screen, please copy the "Consumer Key" value to your installation notes
12. Select "Click to reveal" next to Consumer Secret and record this value to "Consumer Secret" in your installation notes.
13. Click "Manage" at the top of the page
14. On the page that appears, click "Edit Policies"
15. Set "Permitted Users" to "Admin approved users are pre-authorized"
16. Click "OK" on the pop-up dialog
17. Set "IP Relaxation" to "Relax IP restrictions"
18. Click "Save"
### Determine your Username, Password and Security Token
The authentication of the Lambda Functions requires valid user
credentials. It is a common practice to create an API user account for
this purpose.
1. Log in to Salesforce
2. Navigate to Setup \> Manage Users \> Profiles
3. Click "New Profile"
4. Enter the Profile Name (i.e. "API Only")
5. Select the existing profile to clone (The integration user\'s access to just those objects required for the integration)
NOTE: You\'re advised to use a full Salesforce License for the user to
be able to set the below permissions and have full access to avoid any
other errors.
6. Click "Save". A New Profile is created:
7. Once the new profile page opens, select the **System Permissions** button
8. If the Lightning Experience User checkbox is selected, clear it
9. Save the system permissions, then go back to Profile Overview
10. Select the _Password Policies_ link, click edit
11. Set **User passwords expire in** to **Never expires**. **NOTE:** Failure to do this may lead to production outages.
12. Select **Save**
13. Navigate to Setup \> Manage Apps \> Connected Apps
14. Select the app you have created in the previous step (i.e. Amazon Connect Integration)
15. Click "Manage Profiles"
16. Ensure the "API Only" profile is selected:
17. Click "Save" at the bottom of the page
18. Navigate to Setup \> Manage Users \> Users
19. Click "New User"
20. Set necessary fields: Last Name, Alias, Email, Username, Nickname
21. On the right-hand side, set the User License and Profile
22. Click "Save"
23. In **Quick Find**, search for "Permission Sets". Select the **AC_Administrator** permission set.
24. Select **Manage Assignments**. Add the apiuser you just created to the permission set.
25. A confirmation email will be sent, with an activation link. Click the link to activate your user.
Change (set) a password for apiuser (consider a strong password that contains
at least 20 random characters):
26. Click "Change Password"
27. Access the apiuser personal settings by selecting the username in the top right corner, then "My Settings".
28. Type "Security Token" in the Quick Find box and click "Reset My Security Token".
29. Your security token will be emailed to you
30. Copy the security token from the email into your installation notes for the "Access Token" value.
### Allowing the API user to authenticate using password
The API user created above authenticates using the username-password flow in Salesforce. This flow needs to be unblocked. To do that, go to _Setup_ and, in the Quick Find box, search for __OAuth and OpenID Connect Settings__. Then make sure that the toggles for __Allow OAuth Username-Password Flows__ and __Allow OAuth User-Agent Flows__ are turned ON.
### Store Salesforce credentials in AWS Secrets Manager
To ensure that your Salesforce credentials are secure, the Lambdas
require that the credentials are stored in AWS Secrets Manager. AWS
Secrets Manager is a highly secure service that helps you store and
retrieve secrets.
1. In a new browser tab, login to the AWS console
2. Make sure you are in the same region as your Amazon Connect
instance. You can set the region by expanding the region selector in
the upper right and choosing the region
3. Navigate to the [Secrets Manager
console](https://console.aws.amazon.com/secretsmanager/home)
4. Select **Secrets**
5. Select **Store a new secret**
6. Select **Other types of secrets**
7. Make sure **Secret key/value** is selected
8. Enter key value pairs that match the following:
    a. **Key:** Password, **Value:** the password for the API user that
       you configured in the previous section
    b. **Key:** ConsumerKey, **Value:** the Consumer Key for the
       Connected App you created in the previous section
    c. **Key:** ConsumerSecret, **Value:** the Consumer Secret for the
       Connected App you created in the previous section
    d. **Key:** AccessToken, **Value:** this is the access token for
       the API user that you configured in the previous section
9. For the encryption key, click "Add new key"
10. Select **Create Key**
11. Make sure key type is set to **symmetric**
12. Give your key an **alias**, like
*SalesforceCredentialsSecretsManagerKey*
13. Click Next
14. Select administrators you want to have access permission to change
the key policy. Make sure you are being as restrictive as possible
15. Click Next
16. Select the users and roles you want to have access to the Salesforce
credentials in Secrets Manager. Make sure you are being as
restrictive as possible
17. Click Next
18. Click Finish
19. Navigate back to the Secrets Manager setup tab
20. Select the key you just created
21. Click Next
22. Give your secret a name, like *SalesforceCredentials*
23. Click Next
24. Make sure **automatic rotation** is disabled.
25. Click Next
26. Click Store
27. Select the secret you just created, and copy the Secret ARN
28. You should now have all of the information you need to install the
package
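
The stored secret can be compared against the steps above before the package is installed. The following Python check is an added example, not part of the Lambda package; it assumes the four keys from step 8 are read by their exact, case-sensitive names, and the function names and sample values are constructed here. It reports findings only and never prints secret values.

```python
import json

REQUIRED_KEYS = ("Password", "ConsumerKey", "ConsumerSecret", "AccessToken")  # step 8

def check_secret(secret_string, describe):
    """Check a SecretString and its DescribeSecret response; return findings."""
    try:
        data = json.loads(secret_string)
    except (TypeError, ValueError):
        data = None
    if not isinstance(data, dict):
        return ["secret is not stored as key/value (JSON) pairs"]
    findings = []
    for key in REQUIRED_KEYS:
        if key not in data:
            lookalike = [k for k in data if k.strip().lower() == key.lower()]
            hint = f" (found {lookalike[0]!r}; exact names assumed)" if lookalike else ""
            findings.append(f"missing key {key}{hint}")
        elif not isinstance(data[key], str) or not data[key] or data[key] != data[key].strip():
            findings.append(f"{key} is empty or has stray whitespace")
    # Step 24: automatic rotation must stay disabled.
    if describe.get("RotationEnabled"):
        findings.append("automatic rotation is enabled")
    # DescribeSecret omits KmsKeyId when the AWS managed key aws/secretsmanager is used.
    kms = describe.get("KmsKeyId", "")
    if not kms or kms.endswith("alias/aws/secretsmanager"):
        findings.append("not encrypted with the customer managed key from steps 9-18")
    return findings

def check_live_secret(secret_id):
    """Fetch the secret with boto3 (needs AWS credentials) and check it."""
    import boto3  # imported here so the offline sample below runs without it
    client = boto3.client("secretsmanager")
    return check_secret(client.get_secret_value(SecretId=secret_id)["SecretString"],
                        client.describe_secret(SecretId=secret_id))

# Constructed sample: wrong-case key name, trailing space in a value, rotation on, no KMS key.
SAMPLE_SECRET = json.dumps({"password": "EXAMPLE-ONLY", "ConsumerKey": "EXAMPLE ",
                            "ConsumerSecret": "EXAMPLE", "AccessToken": "EXAMPLE"})
SAMPLE_DESCRIBE = {"Name": "SalesforceCredentials", "RotationEnabled": True}

if __name__ == "__main__":
    print("\n".join(check_secret(SAMPLE_SECRET, SAMPLE_DESCRIBE)))
```

Call `check_live_secret` with the Secret ARN copied in step 27 to run the same checks against the stored secret.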
## Install the Amazon Connect Salesforce Lambda package
1. Log in to your AWS Account
2. Navigate to the AWS Serverless Application Repository
3. Click on the Search (magnifying glass) and type in Amazon Connect
Salesforce.
4. Select AmazonConnectSalesForceLambdas and click "Deploy"
5. Fill in all Salesforce related fields in "Configure application
parameters".\
All values should be available in your installation notes:
6. The Lambda package includes additional features which can be enabled
or disabled, based on particular use-case:
1. **Application name:** You can accept the default here or change
it as desired
2. **AmazonConnectInstanceId:** Your Amazon Connect Instance Id.
Only required if you enable real time reporting
3. **CTRKinesisARN:** This is the ARN for the Kinesis stream that
was configured for Contact Trace Record streaming in Amazon
Connect. This is the complete ARN. Amazon Kinesis Firehose is
not supported.
4. **ConnectReportingS3BucketName:** This is the name of the S3
bucket used to store exported reports for your Amazon Connect
instance. This is ONLY the bucket name, no sub-folders or
suffixes
5. **HistoricalReportingImportEnabled:** true \| false - if set to
true, the package will include a feature to import Amazon
Connect Queue and Agent Historical Metrics into your Salesforce
Org. This feature requires you to provide
**ConnectReportingS3BucketName**
6. **LambdaLoggingLevel:** DEBUG \| INFO \| WARNING \| ERROR \|
CRITICAL - Logging level for Lambda functions
7. **PrivateVpcEnabled:** Set to true if functions should be
deployed to a private VPC. Set VpcSecurityGroupList and
VpcSubnetList if this is set to true.
8. **RealtimeReportingImportEnabled:** true \| false - if set to
true, the package will include a feature to publish Amazon
Connect Queue Metrics into your Salesforce Org. This feature
requires you to provide **AmazonConnectInstanceId**
9. **SalesforceAdapterNamespace:** This is the namespace for CTI
Adapter managed package. The default value is **amazonconnect**.
If a non-managed package is used, leave this field blank.
10. **SalesforceCredentialsKMSKeyARN:** This is the ARN for KMS
customer managed key that you created in the previous section.
11. **SalesforceCredentialsSecretsManagerARN:** This is the ARN for
the Secrets Manager Secret that you created in the previous
section.
12. **SalesforceHost:** The full domain for your salesforce org. For
example
`https://mydevorg-dev-ed.my.salesforce.com`.
Please make sure that the host starts with `https`, and that the url
ends with `.my.salesforce.com`. This url can be found in `Setup` -> `My Domain`.
13. **SalesforceProduction:** true \| false - True for Production
Environment, False for Sandbox
14. **SalesforceUsername:** The username for the API user that you
configured in the previous section. Salesforce usernames are in the form of an email address.
15. **SalesforceVersion:** This is the Salesforce.com API version
that you noted in the previous section. The pattern of this value is ```vXX.X```.
16. **TranscribeOutputS3BucketName:** This is the S3 bucket where
Amazon Transcribe stores the output. Typically, this is the same
bucket that call recordings are stored in, so you can use the
same value as found in **ConnectRecordingS3BucketName**. Not
required if PostcallRecordingImportEnabled,
PostcallTranscribeEnabled, ContactLensImportEnabled set to false.
17. **VpcSecurityGroupList:** The list of SecurityGroupIds for
Virtual Private Cloud (VPC). Not required if PrivateVpcEnabled
is set to false.
18. **VpcSubnetList:** The list of Subnets for the Virtual Private
Cloud (VPC). Not required if PrivateVpcEnabled is set to false.
19. **AmazonConnectQueueMaxRecords:** Enter record set size for list
queue query. Max is 100.
20. **AmazonConnectQueueMetricsMaxRecords:** Enter record set size
for queue metrics query. Max is 100.
21. **CTREventSourceMappingMaximumRetryAttempts:** Maximum retry
attempts on failure for lambdas triggered by Kinesis Events.
22. **ConnectRecordingS3BucketName:** This is the name of the S3
bucket used to store recordings for your Amazon Connect
instance. This is ONLY the bucket name, no sub-folders or
suffixes
23. **ContactLensImportEnabled:** true \| false - Set to false if
importing Contact Lens into Salesforce should not be enabled.
24. **PostcallCTRImportEnabled:** true \| false - Set to false if
importing CTRs into Salesforce should not be enabled on the
package level. This setting can be disabled on a call-by-call
basis.
25. **PostcallRecordingImportEnabled:** true \| false - Set to false
if importing call recordings into Salesforce should not be
enabled on the package level. This setting can be disabled on a
call-by-call basis.
26. **PostcallTranscribeEnabled:** true \| false - Set to false if
post-call transcription should not be enabled on the package
level. This setting can be disabled on a call-by-call basis.
27. **TranscriptionJobCheckWaitTime:** Time between transcription
job checks
7. Once completed, click the "Deploy" button
8. The package provides a single Lambda function (sfInvokeAPI) that
supports multiple operations, like lookup, create and update. For
the initial validation, sample events are provided within the
function. Click on the function name and check the list of files in
the editor.
9. To validate a phone number lookup, double-click on the
event-phoneLookup.json file and copy the text to your clipboard.
10. In the top-right corner, click the drop-down arrow next to the
"Test" button and select "Configure test events"
11. Select "Create new test event", set Event name (i.e. phoneLookup)
and paste the JSON payload you've copied in the previous step.
12. Click "Create" button
13. From the drop-down list, select your "eventLookup" and click "Test"
button
14. If successful, the result will contain fields defined in "sf_fields"
parameter in the invocation event
15. As a next step, we are going to use the ContactId provided and
create a Case in Salesforce. Double-click on "event-create.json"
file and set the ContactId value from the previous step. Copy the
JSON text into your clipboard.
16. In the top-right corner, click the drop-down arrow next to the
"Test" button and select "Configure test events"
17. Select "Create new test event", set Event name (i.e. createCase) and
paste the JSON payload you've copied in the previous step.
18. Click "Create" button
19. From the drop-down list, select your "createCase" and click "Test"
button
20. If successful, the result will contain a Case Id for newly created
case:
21. As defined in the event payload, Status is "New" and Priority is
"Low". We are going to use the update operation to close the case.
Copy the Case Id provided in the previous step, then double-click on
"event-update.json" file and paste the Case Id in "sf_id" parameter:
22. In the top-right corner, click the drop-down arrow next to the
"Test" button and select "Configure test events"
23. Select "Create new test event", set Event name (i.e. closeCase) and
paste the JSON payload you've copied in the previous step.
24. Click "Create" button
25. From the drop-down list, select your "closeCase" and click "Test"
button
26. If successful, the result will be HTTP code 204 ("No Content"
success code):
27. Log in to Salesforce and search for the Case and its details. The
Case status should be "Closed".
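
The rules given for the application parameters in step 6 (host and version format, which flags require which other values, the maximum of 100 records) can be checked before clicking "Deploy". The following Python check is an added example, not part of the package; `RULES`, `REQUIRES`, `validate_parameters` and the sample values are constructed here, parameters are assumed to be collected as strings, and the ARN patterns assume the standard AWS ARN layouts.

```python
import re

RULES = {  # parameter: (required?, regex, rule as the page words it)
    "SalesforceHost": (True, r"https://[A-Za-z0-9.-]+\.my\.salesforce\.com",
                       "must start with https and end with .my.salesforce.com"),
    "SalesforceVersion": (True, r"v\d\d\.\d", "must follow the pattern vXX.X"),
    "SalesforceProduction": (True, r"true|false", "must be true or false"),
    "SalesforceUsername": (True, r"[^@\s]+@[^@\s]+", "must have the form of an email address"),
    "SalesforceCredentialsKMSKeyARN": (True, r"arn:[\w-]+:kms:.+:key/.+", "must be a KMS key ARN"),
    "SalesforceCredentialsSecretsManagerARN": (
        True, r"arn:[\w-]+:secretsmanager:.+:secret:.+", "must be a Secrets Manager secret ARN"),
    "CTRKinesisARN": (False, r"arn:[\w-]+:kinesis:.+:stream/.+",
                      "must be a complete Kinesis stream ARN; Firehose is not supported"),
    "ConnectReportingS3BucketName": (False, r"[^/:]+", "bucket name only, no sub-folders"),
    "ConnectRecordingS3BucketName": (False, r"[^/:]+", "bucket name only, no sub-folders"),
    "AmazonConnectQueueMaxRecords": (False, r"\d{1,2}|100", "max is 100"),
    "AmazonConnectQueueMetricsMaxRecords": (False, r"\d{1,2}|100", "max is 100"),
}
REQUIRES = {  # feature flag: parameters the page says it needs
    "HistoricalReportingImportEnabled": ["ConnectReportingS3BucketName"],
    "RealtimeReportingImportEnabled": ["AmazonConnectInstanceId"],
    "PrivateVpcEnabled": ["VpcSecurityGroupList", "VpcSubnetList"],
}

def validate_parameters(params):
    """Return (parameter, problem) pairs; an empty list means nothing was flagged."""
    problems = []
    for name, (required, regex, rule) in RULES.items():
        value = params.get(name, "")
        if (value or required) and not re.fullmatch(regex, value):
            problems.append((name, rule))
    for flag, needed in REQUIRES.items():
        if params.get(flag, "false").lower() == "true":
            problems += [(n, f"required when {flag} is true") for n in needed if not params.get(n)]
    return problems

SAMPLE = {  # constructed values with deliberate mistakes, not from a real deployment
    "SalesforceHost": "http://mydevorg-dev-ed.my.salesforce.com/",
    "SalesforceVersion": "58.0",
    "SalesforceProduction": "false", "SalesforceUsername": "apiuser@example.com",
    "SalesforceCredentialsKMSKeyARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE",
    "SalesforceCredentialsSecretsManagerARN":
        "arn:aws:secretsmanager:us-east-1:111122223333:secret:EXAMPLE",
    "CTRKinesisARN": "arn:aws:firehose:us-east-1:111122223333:deliverystream/ctr",
    "PrivateVpcEnabled": "true", "VpcSubnetList": "subnet-EXAMPLE",
    "AmazonConnectQueueMaxRecords": "250",
}
```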