SalesForce + AppFlow issue creating connector profile

0

This is the request I am sending:

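import boto3

# AppFlow client; region and credentials come from the default boto3 configuration
appflow_client = boto3.client('appflow')

response = appflow_client.create_connector_profile(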
    connectorProfileName='test-connector',
    connectorType='Salesforce',
    connectionMode='Public',
    connectorProfileConfig={
        'connectorProfileProperties': {
            'Salesforce': {
                'instanceUrl': 'my_instance_url',
                'isSandboxEnvironment': False,
            },
        },
        'connectorProfileCredentials': {
            'Salesforce': {
                'clientCredentialsArn': "my_secret_arn",
                'oAuth2GrantType': 'CLIENT_CREDENTIALS',
            }
        }
    }
)

This is the shape of my secret:

{"clientId":"my_client_id","clientSecret":"my_client_secret"}

And this is the error I am getting:

ClientError: An error occurred (ClientException) when calling the CreateConnectorProfile operation: Unable to fetch the client credentials. Secrets Manager returned the following error:Inconsistent secret state. Try again later.

Any guidance on what I am missing? Is my secret formatted wrong?

tjtoll
asked 3 months ago, 199 views
1 Answer
0

Hello,

Thanks for reaching out to AWS re:Post with your AWS AppFlow query.

The error message is a client error that shows that the secret is in an inconsistent state. This response is returned directly from Secrets Manager.

You can simply try to access the secret from your account using the AWS CLI, as it will return an error explaining the root cause. When trying to create the connector, you should see a GetSecretValue API call recorded in CloudTrail which would contain the error for why AppFlow was unable to retrieve the Secret.

The problem commonly occurs if you use the default KMS key to encrypt the Secret, and then create the flow without setting a customer CMK. So AppFlow is trying to use the AWS managed KMS key to decrypt the secrets. Essentially, Secrets Manager and AppFlow are using different KMS keys (i.e., "aws/secretsmanager" and "Amazon AppFlow-managed KMS key" respectively) to encrypt and decrypt the data. If this is the case, you will need to use a CMK to encrypt the Secret and give AppFlow permissions to use that key. When creating the profile, you will then use that key.

You can specify a KMS key for AppFlow to use by setting the 'kmsArn': https://docs.aws.amazon.com/appflow/1.0/APIReference/API_CreateConnectorProfile.html#API_CreateConnectorProfile_RequestSyntax

Thank you.

answered 3 months ago
EXPERT
reviewed a month ago
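
The two checks the answer describes (find the failed GetSecretValue call in CloudTrail, and see whether the secret still uses the default key) can be scripted. The following is an added example, not part of the original answer or AWS code. The CloudTrail records are constructed, and the ARNs, the error text and the `invokedBy` value shown for AppFlow are assumptions.

```python
import json

# Constructed sample data (not from the original post). Field names follow the
# CloudTrail record format; ARN, account ID and error text are placeholders.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:sf-creds-EXAMPLE"
SAMPLE_EVENTS = json.loads("""
[
 {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
  "userIdentity": {"type": "IAMUser"},
  "requestParameters": {"secretId": "arn:aws:secretsmanager:us-east-1:111122223333:secret:sf-creds-EXAMPLE"}},
 {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
  "userIdentity": {"invokedBy": "appflow.amazonaws.com"},
  "requestParameters": {"secretId": "arn:aws:secretsmanager:us-east-1:111122223333:secret:sf-creds-EXAMPLE"},
  "errorCode": "AccessDeniedException",
  "errorMessage": "Access to KMS is not allowed"},
 {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "userIdentity": {"type": "IAMUser"}, "requestParameters": null,
  "errorCode": "AccessDenied"}
]
""")

def failed_secret_reads(events, secret_id):
    """Return failed GetSecretValue calls for one secret, with caller and error.
    secret_id must match what the caller sent (an ARN here; it can also be a name)."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "secretsmanager.amazonaws.com":
            continue
        if ev.get("eventName") != "GetSecretValue" or "errorCode" not in ev:
            continue  # successful calls carry no errorCode
        params = ev.get("requestParameters") or {}
        if params.get("secretId") != secret_id:
            continue
        ident = ev.get("userIdentity") or {}
        caller = ident.get("invokedBy") or ident.get("arn") or ident.get("type", "unknown")
        findings.append({"caller": caller, "errorCode": ev["errorCode"],
                         "errorMessage": ev.get("errorMessage", "")})
    return findings

def uses_default_key(describe_secret_response):
    """True when the secret is encrypted with the AWS managed key aws/secretsmanager.
    DescribeSecret omits KmsKeyId in that case."""
    key = describe_secret_response.get("KmsKeyId")
    return key is None or key.endswith("alias/aws/secretsmanager")

if __name__ == "__main__":
    for finding in failed_secret_reads(SAMPLE_EVENTS, SECRET_ARN):
        print(finding)
    print("default key:", uses_default_key({"Name": "sf-creds"}))
```

Against a live account, the event list would come from a CloudTrail lookup and the second function's argument from the DescribeSecret response.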
