SalesForce + AppFlow issue creating connector profile

This is the request I am sending:

response = appflow_client.create_connector_profile(
    connectorProfileName='test-connector',
    connectorType='Salesforce',
    connectionMode='Public',
    connectorProfileConfig={
        'connectorProfileProperties': {
            'Salesforce': {
                'instanceUrl': 'my_instance_url',
                'isSandboxEnvironment': False,
            },
        },
        'connectorProfileCredentials': {
            'Salesforce': {
                'clientCredentialsArn': "my_secret_arn",
                'oAuth2GrantType': 'CLIENT_CREDENTIALS',
            }
        }
    }
)

This is the shape of my secret:

{"clientId":"my_client_id","clientSecret":"my_client_secret"}

And this is the error I am getting:

ClientError: An error occurred (ClientException) when calling the CreateConnectorProfile operation: Unable to fetch the client credentials. Secrets Manager returned the following error:Inconsistent secret state. Try again later.

Any guidance on what I am missing? Is my secret formatted wrong?

tjtoll
asked 2 months ago
1 Answer
Hello,

Thanks for reaching out to AWS re:Post with your AWS AppFlow query.

The error message is a client error that shows that the secret is in an inconsistent state. This response is returned directly from Secrets Manager.

You can simply try to access the secret from your account using the AWS CLI, as it will return an error explaining the root cause. When trying to create the connector, you should see a GetSecretValue API call recorded in CloudTrail which would contain the error for why AppFlow was unable to retrieve the Secret.

The problem commonly occurs if you use the default KMS key to encrypt the Secret, and then create the flow without setting a customer CMK. So AppFlow is trying to use the AWS managed KMS key to decrypt the secrets. Essentially, Secrets Manager and AppFlow are using different KMS keys (i.e., "aws/secretsmanager" and "Amazon AppFlow-managed KMS key" respectively) to encrypt and decrypt the data. If this is the case, you will need to use a CMK to encrypt the Secret and give AppFlow permissions to use that key. When creating the profile, you will then use that key.

You can specify a KMS key for AppFlow to use by setting the 'kmsArn': https://docs.aws.amazon.com/appflow/1.0/APIReference/API_CreateConnectorProfile.html#API_CreateConnectorProfile_RequestSyntax

Thank you.

answered 2 months ago
EXPERT
reviewed a month ago
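A preflight for the key mismatch described in the answer, as an added example that is not part of the original thread: it reads the secret's DescribeSecret response, refuses to proceed when the secret is on the aws/secretsmanager key, and otherwise passes the same customer managed key as kmsArn. The helper names and the sample ARNs used to exercise it are hypothetical; it assumes a bare key ID or alias name lives in the secret's own account and region, and it does not check that the key policy lets AppFlow use the key.

```python
# Added example; helper names are hypothetical, not AWS or boto3 APIs.
AWS_MANAGED_ALIAS = "alias/aws/secretsmanager"


def secret_kms_arn(describe_secret_response):
    """Return the customer managed key ARN protecting the secret, or None
    when the secret uses the AWS managed key aws/secretsmanager."""
    key = describe_secret_response.get("KmsKeyId")
    # DescribeSecret omits KmsKeyId for secrets on the AWS managed key.
    if not key or key.endswith(AWS_MANAGED_ALIAS):
        return None
    if key.startswith("arn:"):
        return key
    # Assumption: a bare key ID or alias name is in the secret's own
    # partition, region and account, so borrow those from the secret ARN.
    partition, _, region, account = describe_secret_response["ARN"].split(":")[1:5]
    resource = key if key.startswith("alias/") else f"key/{key}"
    return f"arn:{partition}:kms:{region}:{account}:{resource}"


def build_profile_request(name, instance_url, secret_desc):
    """Build CreateConnectorProfile arguments that reuse the secret's key."""
    kms_arn = secret_kms_arn(secret_desc)
    if kms_arn is None:
        raise ValueError(
            "secret is encrypted with aws/secretsmanager; re-encrypt it with "
            "a customer managed key that AppFlow is permitted to use"
        )
    return {
        "connectorProfileName": name,
        "kmsArn": kms_arn,  # same key that encrypts the secret
        "connectorType": "Salesforce",
        "connectionMode": "Public",
        "connectorProfileConfig": {
            "connectorProfileProperties": {
                "Salesforce": {"instanceUrl": instance_url,
                               "isSandboxEnvironment": False}},
            "connectorProfileCredentials": {
                "Salesforce": {"clientCredentialsArn": secret_desc["ARN"],
                               "oAuth2GrantType": "CLIENT_CREDENTIALS"}},
        },
    }


def create_profile(name, instance_url, secret_id):
    import boto3  # imported here so the helpers above run without AWS access
    desc = boto3.client("secretsmanager").describe_secret(SecretId=secret_id)
    request = build_profile_request(name, instance_url, desc)
    return boto3.client("appflow").create_connector_profile(**request)
```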
