
how to integrate AWS glue with Salesforce using JWT bearer token


Hi Folks, I am trying to read Salesforce data and want to do some transformation and then an UPSERT operation. But my basic step is first to connect Salesforce with AWS Glue. For a POC I created trial accounts of Salesforce and AWS.

Below is my code:

```python
import boto3
import jwt
import time
import requests

# Salesforce details
CLIENT_ID = '**************'
USERNAME = '*************@force.com'
LOGIN_URL = 'https://site-java-9**4.my.salesforce.com'
S3_BUCKET = 'salesforce-prive-key'  # Replace with actual bucket name
S3_KEY = "private_key.pem"  # Full S3 key (path in bucket)
LOCAL_KEY_PATH = '/tmp/private.pem'  # Glue allows writing to /tmp

# Step 1: Download the private key from S3 to /tmp
s3 = boto3.client('s3')
s3.download_file(S3_BUCKET, S3_KEY, LOCAL_KEY_PATH)

# Step 2: Create the JWT assertion (expires 5 minutes after issue)
issued_at = int(time.time())
expiry = issued_at + 300

payload = {
    'iss': CLIENT_ID,   # connected app Consumer Key
    'sub': USERNAME,    # Salesforce username
    'aud': LOGIN_URL,   # login / My Domain URL
    'exp': expiry
}

with open(LOCAL_KEY_PATH, 'r') as key_file:
    private_key = key_file.read()

headers = {
    "alg": "RS256",
    "typ": "JWT"
}

encoded_jwt = jwt.encode(payload, private_key, algorithm='RS256', headers=headers)

# Step 3: Exchange the assertion for an access token at the Salesforce token endpoint
response = requests.post(f'{LOGIN_URL}/services/oauth2/token', data={
    'grant_type': 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    'assertion': encoded_jwt
})

print("Status Code:", response.status_code)
print("Response Text:", response.text)
```


The error I am getting is: Status Code: 400, Response Text: { "error": "invalid_client", "error_description": "invalid client credentials" }

I have generated private_key.pem, which is uploaded in S3 and fetched here in AWS Glue; then the public signed key is uploaded in Salesforce, and I have configured all necessary steps in Salesforce: creating a connected app, enabling OAuth permission, and adding the necessary policies. Can anyone please guide me on doing this integration, or on where I am missing some step, and also please provide me an easy way to check this connection in Postman. I was successfully able to connect Salesforce with AppFlow. I am using an admin account of Salesforce to connect both with AppFlow and Glue.

Any blog, suggestions, or screenshots would be great to share.

Thanks

asked a year ago, 388 views
1 Answer

To integrate AWS Glue with Salesforce using the JWT bearer token flow, you need to follow these steps:

  1. First, set up a connected app in your Salesforce instance that enables issuing JWT-based access tokens for users. Refer to Salesforce's documentation on OAuth 2.0 JWT bearer flow for server-to-server integration.

  2. After creating the JWT and configuring the connected app in Salesforce, you need to create a secret in AWS Secrets Manager with the JWT_TOKEN.

  3. In AWS Glue Studio, create a Salesforce connection under Data Connections:

  • Select Salesforce as the connection type
  • Provide your Salesforce INSTANCE_URL
  • Select the OAuth grant type as "JWT Bearer Token"
  • Specify the secret name that contains your JWT token
  • Associate an IAM role with the necessary permissions
  4. Ensure the IAM role associated with your AWS Glue job has permission to read the secret.

Looking at your code and error, the "invalid client credentials" error typically indicates an issue with your JWT configuration. Common problems include:

  • Incorrect CLIENT_ID (should match the Consumer Key from your Salesforce connected app)
  • Issues with the private key format or content
  • Incorrect audience URL (the LOGIN_URL should be the correct Salesforce instance URL)
  • Missing or incorrect permissions in the Salesforce connected app

Instead of writing custom code, you might find it easier to use AWS Glue's built-in Salesforce connector. AWS Glue provides native support for Salesforce as both a source and target for ETL jobs, supporting Salesforce API versions v58.0, v59.0, and v60.0.

To verify your connection in Postman:

  1. Create a new request to your Salesforce instance's token endpoint
  2. Set the request type to POST
  3. Add form-data with grant_type as 'urn:ietf:params:oauth:grant-type:jwt-bearer' and assertion as your encoded JWT
  4. Send the request and check the response for an access token
Sources:
  • Set up the JWT bearer OAuth flow for Salesforce - AWS Glue
  • Configuring Salesforce connections - AWS Glue
  • AWS Glue support for Salesforce - AWS Glue
answered a year ago
AWS
SUPPORT ENGINEER
reviewed a year ago
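As an added example (not code from the question or from AWS), here is a stdlib-only pre-flight check for the claim mistakes the answer lists, run before the assertion is posted: it parses the JWT header and payload and checks that iss matches the connected app's Consumer Key, sub matches the username, aud is a bare Salesforce login URL (login, test or My Domain host, no path or trailing slash), and exp is within 5 minutes. The build_unsigned_assertion helper and all sample values are constructed for the test; the signature is not verified here, since that needs the connected app's certificate.

```python
import base64
import json
import time
from typing import List, Optional

MAX_LIFETIME = 300  # Salesforce rejects assertions that expire more than 5 minutes out


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_unsigned_assertion(claims: dict) -> str:
    """Constructed test helper: header.payload with a dummy signature. A real assertion
    is RS256-signed with the private key whose certificate is on the connected app."""
    header = {"alg": "RS256", "typ": "JWT"}
    segs = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    return ".".join(segs + [_b64url_encode(b"dummy-signature")])


def check_assertion(token: str, consumer_key: str, username: str,
                    now: Optional[int] = None) -> List[str]:
    """Return the problems found in a JWT bearer assertion before sending it.
    The signature is not checked; that requires the connected app's certificate."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["assertion must have three dot-separated segments"]
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    problems = []
    if header.get("alg") != "RS256":
        problems.append(f"alg must be RS256, got {header.get('alg')!r}")
    if claims.get("iss") != consumer_key:
        problems.append("iss must equal the connected app's Consumer Key")
    if claims.get("sub") != username:
        problems.append("sub must be the Salesforce username being authorized")
    aud = str(claims.get("aud", ""))
    host = aud[len("https://"):] if aud.startswith("https://") else ""
    if not host.endswith(".salesforce.com") or "/" in host:
        problems.append("aud must be a bare https Salesforce login URL with no path")
    exp = claims.get("exp")
    if not isinstance(exp, int):
        problems.append("exp must be an integer Unix timestamp")
    elif exp <= now:
        problems.append("exp is already in the past")
    elif exp - now > MAX_LIFETIME:
        problems.append("exp must be within 5 minutes of now")
    return problems
```

Run check_assertion on the encoded_jwt from the question with the Consumer Key and username you expect; an empty list means the claims are well-formed and the remaining suspects are the key pair, the certificate on the connected app, or the app's user pre-authorization.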
