IAM Roles Anywhere With Salesforce
Purpose:
Authenticate to AWS from Salesforce using IAM Roles Anywhere through Salesforce Named Credentials, the best-practice way to
authenticate when calling AWS services from Salesforce. These steps are not unique to this package and may already exist in your
environment; check whether your org is already using SCCH before creating new resources. To enable this authentication, complete
the following steps in your Isengard or Conduit AWS account.
PRE-REQUISITES
● An existing Isengard or Conduit account, with write access.
● An existing Salesforce Org.
● For deployment to Production: AppSec or InfoSec approval.
IAM ROLES ANYWHERE SETUP
This package uses IAM Roles Anywhere through Salesforce Named Credentials, a best practice for Salesforce-to-AWS
authentication: Salesforce presents an X.509 certificate signed by your Private CA, and AWS exchanges it for temporary credentials
for one IAM Role, so no long-lived AWS access keys are stored in Salesforce. These steps are not unique to implementing this package
and may already exist in your environment. To enable this authentication, complete the following steps in your Isengard or Conduit
AWS Account.
● Create a Private CA in your Isengard or Conduit Account:
○ Login to AWS through Isengard or Conduit
○ Search for Private Certificate Authority in the global search bar
○ Select Create a private CA
○ Enter the following information:
■ Mode Options: General-purpose
■ CA type options: Root
■ Organization: Amazon or AWS, team dependent
■ Organization Unit: Your team's organizational unit
■ Country Name: United States
■ State or province name: State project is based
■ Locality name: City the project is based
■ Common Name: Leave blank
■ Key algorithm options: RSA 2048
■ Leave all other options default
■ If asked, acknowledge the pricing by checking the box
○ Select Create CA
○ Select the Private CA > Actions > Install CA Certificate. This changes the status from Pending to Active. Any principal
allowed to call acm-pca:IssueCertificate on this CA can mint a certificate that the Trust Anchor below will accept, so keep IAM
access to the CA as restricted as access to the Role itself.
● Create a Trust Anchor
○ From Identity and Access Management (IAM), select Roles
○ In the Roles Anywhere section, select Manage
○ Select Create a Trust Anchor
○ Enter a Trust anchor name that conforms to your team's naming conventions
○ Select AWS Certificate Manager Private CA > the Private CA created above > Select Create Trust Anchor
● Create an IAM Role:
○ Create an IAM Role that holds the permissions a session authenticated through Roles Anywhere will have. The permissions
policy attached to this Role limits which resources the session can access; the trust policy below limits who can obtain it.
○ Login to AWS through Isengard or Conduit
○ Search for IAM in the global search bar
○ Select Roles > Create Role > Custom Trust Policy
○ Replace the generated JSON with the JSON below, updating "region" to your AWS region, "account" to your 12-digit
AWS account ID, and "TA_ID" to the ID of the Trust Anchor created above. The aws:SourceArn condition restricts the Role to
sessions coming through that one Trust Anchor, so a certificate chained to any other CA cannot assume it; without the condition,
Roles Anywhere would accept sessions for this Role from any trust anchor.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"rolesanywhere.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole",
"sts:TagSession",
"sts:SetSourceIdentity"
],
"Condition": {
"ArnEquals": {
"aws:SourceArn": [
"arn:aws:rolesanywhere:region:account:trust-anchor/TA_ID"
]
}
}
}
]
}
○ Enter a Role name that conforms to your project naming conventions.
○ Select Create Role
● Create a Policy to allow the Role access to your service
○ From IAM, select Policies > Create Policy
○ Switch to the JSON view
○ Copy the following policy into the editor, replacing [serviceName] and [serviceType] with the service prefix and action
from your onboarding document. Two points before saving: the Sid must be alphanumeric, so the brackets cannot remain, and
"Resource": "*" grants the action on every resource of that service; narrow it to the ARN(s) the integration actually uses
wherever the service supports resource-level permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "[serviceType]",
"Effect": "Allow",
"Action": [
"[serviceName]:[serviceType]"
],
"Resource": [
"*"
]
}
]
}
○ Name: Name_of_your_policy
○ Return to your IAM Role
○ Select Attach Policies > Name_of_your_policy > Save
● Create IAM Profile
○ From IAM, select Roles
○ In the Roles Anywhere section, select Manage
○ Select Create a profile
○ Enter a Profile name that conforms to your team's naming conventions
○ Select the Role you created above
○ Remove the inline policy. This is the optional session policy; the policy attached to the Role above is what the session
gets, and a session policy here can only narrow it further.
○ Select Create a profile
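The Role, permissions policy and Profile steps above are where the blast radius of a compromised Salesforce certificate is decided. The following is an added example, not part of the original runbook and not AWS or Salesforce code: it builds the two policies in the shape shown above and lints them for the mistakes the placeholders invite (a bracketed Sid, an unfilled action, a wildcard resource, a trust policy not pinned to one trust anchor). The optional cert_cn pin uses the aws:PrincipalTag/x509Subject/CN condition key that Roles Anywhere populates from the end-entity certificate; the account ID and trust anchor ID in the main block are constructed values.

```python
"""Build and lint the two IAM policies used by the Roles Anywhere setup above.

Added example; it is not part of the original runbook or of any AWS or Salesforce
code. It assumes the caller supplies the placeholder values (region, account ID,
trust anchor ID, service action) and that the trust anchor ID is the UUID shown in
the Roles Anywhere console. The policy shapes mirror the JSON in the steps above.
"""
import json
import re

ROLES_ANYWHERE_ACTIONS = ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"]
TRUST_ANCHOR_ARN = re.compile(r"arn:aws:rolesanywhere:[a-z0-9-]+:\d{12}:trust-anchor/[0-9a-f-]{36}")


def trust_policy(region, account, trust_anchor_id, cert_cn=None):
    """Trust policy for the IAM Role: identical to the runbook's JSON, plus an optional
    pin on the certificate Common Name, which Roles Anywhere exposes to the trust
    policy as the principal tag aws:PrincipalTag/x509Subject/CN."""
    condition = {
        "ArnEquals": {
            "aws:SourceArn": [
                f"arn:aws:rolesanywhere:{region}:{account}:trust-anchor/{trust_anchor_id}"
            ]
        }
    }
    if cert_cn:
        condition["StringEquals"] = {"aws:PrincipalTag/x509Subject/CN": cert_cn}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": ["rolesanywhere.amazonaws.com"]},
                "Action": ROLES_ANYWHERE_ACTIONS,
                "Condition": condition,
            }
        ],
    }


def permissions_policy(sid, actions, resources):
    """Permissions policy attached to the Role; the caller scopes actions and resources."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": sid, "Effect": "Allow", "Action": list(actions), "Resource": list(resources)}
        ],
    }


def lint(trust, perms):
    """Return a list of findings for the pair; an empty list means both pass.
    Checks: the trust is pinned to one trust anchor ARN and the Roles Anywhere
    service principal, and the grant carries no placeholders or wildcards."""
    findings = []
    for st in trust["Statement"]:
        anchors = st.get("Condition", {}).get("ArnEquals", {}).get("aws:SourceArn", [])
        if not anchors or not all(TRUST_ANCHOR_ARN.fullmatch(a) for a in anchors):
            findings.append("trust policy does not pin aws:SourceArn to a trust anchor ARN")
        if st.get("Principal") != {"Service": ["rolesanywhere.amazonaws.com"]}:
            findings.append("trust policy principal is not rolesanywhere.amazonaws.com")
    for st in perms["Statement"]:
        sid = st.get("Sid", "")
        if not re.fullmatch(r"[A-Za-z0-9]+", sid):
            findings.append(f"Sid {sid!r} is not alphanumeric; IAM rejects the bracketed placeholder")
        for action in st["Action"]:
            if "[" in action or action.endswith("*"):
                findings.append(f"action {action!r} is an unfilled placeholder or a wildcard")
        if "*" in st["Resource"]:
            findings.append("Resource '*' grants the action on every resource; scope it to ARNs")
    return findings


if __name__ == "__main__":
    # Constructed values: a fake account ID and trust anchor ID, not real resources.
    trust = trust_policy("us-east-1", "123456789012",
                         "11111111-2222-3333-4444-555555555555", cert_cn="Roles-Anywhere")
    perms = permissions_policy("BedrockInvoke", ["bedrock:InvokeModel"],
                               ["arn:aws:bedrock:us-east-1::foundation-model/*"])
    print(json.dumps(trust, indent=2))
    for finding in lint(trust, perms):
        print("FINDING:", finding)
```

Running lint against the runbook's own placeholder JSON ("account", "TA_ID", "[serviceType]", "[serviceName]:[serviceType]", "*") produces four findings, which is the list to clear before the Role is created. The cert_cn pin is worth adding when the CA signs certificates for more than one consumer: the trust anchor condition only says "a certificate from this CA", the CN condition says "this certificate's subject".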
● Create Salesforce Certificate
○ Login to Salesforce
○ Navigate to setup through the gear icon
○ Search for Certificate and Key Management
○ Select Create CA-Signed Certificate
■ Label: A descriptive label that conforms to your team naming conventions
■ Unique Name: Auto-populated
■ Common Name: Roles-Anywhere
■ Company: Amazon or AWS, team dependent
■ State/Province: The state or province of the team
■ Key size: 2048
■ City: The City of the team
■ Country Code: Country of the team
○ Select Download Certificate Signing Request. The private key is generated and kept inside Salesforce; only the CSR (public
key and subject) leaves the org, which is why the CA never needs to handle key material.
● Sign the Salesforce Certificate
○ Note: the following steps use the AWS CLI from CloudShell; they work the same from a local AWS CLI with credentials for the
account.
■ Login to AWS through Isengard or Conduit
■ Select CloudShell through the icon in the top bar
■ In the opened terminal, select the Actions dropdown > Upload File > Select file > select the .csr file you
downloaded above > Select Upload
■ Confirm the file has been uploaded with the ls command
■ Issue the certificate. The signing algorithm and validity are required; set the validity (one year in the example below) to the
rotation period you can commit to, since the Salesforce certificate must be re-signed and re-uploaded before it expires:
aws acm-pca issue-certificate --certificate-authority-arn [YOUR_AWS_PRIVATE_CA_ARN] --csr fileb://[NAME_OF_YOUR_FILE]
--signing-algorithm SHA256WITHRSA --validity Value=365,Type=DAYS
■ An ARN for the new certificate is returned; save this ARN.
■ Issuance is asynchronous. Wait for it, then retrieve the signed certificate:
aws acm-pca wait certificate-issued --certificate-authority-arn [YOUR_AWS_PRIVATE_CA_ARN] --certificate-arn [YOUR_CERTIFICATE_ARN]
aws acm-pca get-certificate --certificate-authority-arn [YOUR_AWS_PRIVATE_CA_ARN] --certificate-arn [YOUR_CERTIFICATE_ARN]
■ The certificate is returned as JSON in which line breaks appear as "\n". Copy the Certificate value into a text editor and
replace every "\n" with a new line (enter key), or append --query Certificate --output text to the get-certificate command so
the CLI prints it with real line breaks.
■ Save the text file with a .crt extension
■ Navigate to Salesforce setup through the gear icon
■ Search for Certificate and Key Management
■ Select your CA Signed Certificate > Upload Signed Certificate > Select the .crt file you created
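The hand-edit of "\n" escapes above is where a certificate most often gets mangled before upload. The following is an added example, not part of the original runbook: it takes the JSON that aws acm-pca get-certificate prints, produces the .crt file with real line breaks, and checks that each PEM body decodes to one complete DER SEQUENCE before the file goes to Salesforce. The sample output is constructed; its base64 body is a five-byte DER SEQUENCE rather than a real certificate, so the checks can run offline.

```python
"""Turn the JSON printed by `aws acm-pca get-certificate` into the .crt file Salesforce
expects, and sanity-check it before upload.

Added example; it is not part of the original runbook. The sample output below is
constructed: its base64 body is a five-byte DER SEQUENCE (not a real certificate) so
the structural checks can run offline. Real output carries a full X.509 certificate
in "Certificate" and the issuing CA certificate(s) in "CertificateChain".
"""
import base64
import json
import re
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\n([A-Za-z0-9+/=\n]+?)-----END CERTIFICATE-----"
)

# Constructed stand-in for the CLI output. json.dumps escapes the line breaks exactly
# the way the CLI does, which is why the raw JSON shows "\n" instead of new lines.
SAMPLE_CLI_OUTPUT = json.dumps({
    "Certificate": "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----",
    "CertificateChain": "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----",
})


def pem_bodies(text):
    """Base64 bodies of every CERTIFICATE block in text, line breaks removed."""
    return [m.group(1).replace("\n", "") for m in PEM_BLOCK.finditer(text)]


def der_sequence_ok(der):
    """True if der is one complete ASN.1 SEQUENCE: tag 0x30 and a length field that
    accounts for every remaining byte. A copy that lost or gained characters in the
    editor fails this before Salesforce ever sees it."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    head = der[1]
    if head < 0x80:                      # short form: one length byte
        return 2 + head == len(der)
    n = head & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    length = int.from_bytes(der[2:2 + n], "big")
    return 2 + n + length == len(der)


def certificate_pem(cli_json, include_chain=False):
    """Parse the CLI output and return PEM text with real line breaks.
    json.loads performs the "\\n" replacement the runbook does by hand."""
    doc = json.loads(cli_json)
    pem = doc["Certificate"].strip() + "\n"
    if include_chain:                    # bundle the CA chain after the leaf
        pem += doc["CertificateChain"].strip() + "\n"
    if "\\n" in pem:
        raise ValueError("literal \\n sequences remain; the value was not JSON-decoded")
    bodies = pem_bodies(pem)
    if not bodies:
        raise ValueError("no PEM CERTIFICATE block found")
    for body in bodies:
        if not der_sequence_ok(base64.b64decode(body, validate=True)):
            raise ValueError("certificate body is not a well-formed DER SEQUENCE")
    return pem


def write_crt(cli_json, path, include_chain=False):
    """Write the .crt file for the Salesforce 'Upload Signed Certificate' step and
    return how many certificates it contains."""
    pem = certificate_pem(cli_json, include_chain)
    Path(path).write_text(pem)
    return len(pem_bodies(pem))


if __name__ == "__main__":
    print(write_crt(SAMPLE_CLI_OUTPUT, "salesforce-roles-anywhere.crt"), "certificate(s) written")
```

Pipe the real CLI output in with something like aws acm-pca get-certificate ... | python3 this_script.py after replacing SAMPLE_CLI_OUTPUT with sys.stdin.read(). Salesforce only needs the leaf certificate for the upload; include_chain=True is for the copy you keep alongside the CA certificate so that openssl verify -CAfile can be run on it before the next rotation.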
● Create External Credential
○ From Salesforce setup, search Named Credentials
○ Select the External Credential Tab
○ Select New
■ Name: “Name_of_your_external_credential”
■ Authentication Protocol: AWS Signature Version 4
■ Service: the AWS service name as it appears in the Signature V4 signing scope (ex: bedrock, quicksight)
■ Region: the AWS region of the endpoint you will call (ex: us-east-1)
■ AWS Account ID: your 12-digit AWS account ID
■ Obtain Temporary IAM Credentials via STS: Checked
■ Credential Type: Roles Anywhere
■ Trust Anchor ARN: Your Trust Anchor ARN
■ Profile ARN: The ARN of the Roles Anywhere Profile created above
■ Signing Certificate: The certificate you created in Salesforce Certificate and Key Manager
■ Select Save
■ In the Principals section of the External Credential page, select New.
■ Parameter Name: “main”
■ IAM Role ARN: the ARN of the IAM Role created above.
● Assign Credential
○ Navigate to Permission Sets
○ Select the Permission Set of the users or integration user that will call AWS > External Credential Principal Access >
“Name_of_your_external_credential - main”. Only users holding this access can use the credential, so assign it narrowly.
● Create Named Credentials
○ Select the Named Credential Tab
○ Select New
○ Name: “Name_of_your_named_credential”
○ URL: “URL of your service”, the regional endpoint of the AWS service. Its region must match the Region set on the External
Credential, or the Signature V4 signature is rejected.
○ External Credential: Name_of_your_external_credential
○ Leave all other options as default
○ Select Save
CONFIRM AUTHENTICATION:
Run the following as Anonymous Apex (Developer Console > Debug > Open Execute Anonymous Window). It stores the Role ARN as the
credential for the "main" principal of the External Credential and logs the result; getNamedCredential throws if the Named
Credential name is wrong. The two enum values marked as assumed should be confirmed against the ConnectApi enum reference for
your org's API version.
Map<String, ConnectApi.CredentialValueInput> credentialMap = new Map<String, ConnectApi.CredentialValueInput>();
ConnectApi.Credential awsCredential = null;
ConnectApi.CredentialValueInput roleCredential = new ConnectApi.CredentialValueInput();
roleCredential.encrypted = false;
roleCredential.value = 'arn:aws:iam::[accountID]:role/[roleName]';
credentialMap.put('awsRoleArn', roleCredential);
// Throws if no Named Credential with this developer name exists
ConnectApi.NamedCredential namedCredential = ConnectApi.NamedCredentials.getNamedCredential('Name_of_your_named_credential');
ConnectApi.CredentialInput credentialInput = new ConnectApi.CredentialInput();
credentialInput.principalName = 'main';
credentialInput.principalType = ConnectApi.CredentialPrincipalType.NAMEDPRINCIPAL;
credentialInput.externalCredential = 'Name_of_your_external_credential';
credentialInput.authenticationProtocol = ConnectApi.CredentialAuthenticationProtocol.AWSSV4;
// Assumed value: the STS-backed Signature V4 protocol variant
credentialInput.authenticationProtocolVariant = ConnectApi.CredentialAuthenticationProtocolVariant.AWSSV4STS;
credentialInput.credentials = credentialMap;
// Assumed value: no follow-up action after the credential is created
awsCredential = ConnectApi.NamedCredentials.createCredential(credentialInput, ConnectApi.CreateCredentialAction.ACTIONNONE);
System.debug(awsCredential);
A successful run logs the created credential. To confirm the AWS side end to end, make an HTTP callout through
callout:Name_of_your_named_credential to the service endpoint and check that the response is a success rather than an
AccessDenied or signature error.