AWS Partner Network (APN) Blog

How to Resolve Customer Issues Faster with Salesforce Connect and Amazon RDS Integration

By Ross Belmont, Director, Product Management – Salesforce
By Annabelle Wang, Associate Product Management Intern – Salesforce
By Kishore Dhamodaran, Sr. Solutions Architect – AWS
By Ajit Mungale and Shitij Agarwal, Sr. Partner Solutions Architects – AWS


Over the past several years, Salesforce and Amazon Web Services (AWS) have been working together to make each platform even more interoperable.

The new products and expanded functionality are intended to save developers time and effort, reducing the need to write custom integration code to deliver modern, omnichannel customer experiences.

Thousands of organizations rely on Salesforce to manage their customer relationships, though they may store related data in a variety of heterogeneous external systems. Organizations use AWS for the variety of data stores like Amazon DynamoDB and Amazon Simple Storage Service (Amazon S3), which provide scalability, performance, and security.

Amazon Relational Database Service (Amazon RDS) is another data store that makes it simple for users to set up, operate, and scale databases in the cloud.

Here arises a common user challenge, however. Say you’re a customer service representative resolving issues at your organization through Salesforce. A customer calls to report a missing item in their order, so you open a new case, but the order information isn’t in Salesforce. You’ll need to reach into Amazon RDS to find order information related to this customer. This disconnected experience can be error-prone and result in longer case resolution time.

This process can be streamlined so the order information is surfaced within Salesforce, without having to directly access the RDS database. With the Salesforce Connect Adapter for GraphQL on AWS, agents can view information about the customer in one place and address issues more efficiently. This adapter enables Salesforce users to access data stored in RDS in a zero-copy manner, but use the data as if it were persisted in Salesforce.

This is made possible via AWS AppSync, which hosts GraphQL-compatible API endpoints leveraged by Salesforce Connect. In this post, we’ll show you how to build an integration between Salesforce and Amazon RDS using the Salesforce Connect Adapter for GraphQL.

Salesforce is an AWS Partner and global leader in customer relationship management (CRM). Salesforce is a company that makes cloud-based software designed to help businesses find more prospects, close more deals, and wow customers with amazing service.

Customer Service with Data in AWS

The following diagram illustrates how Salesforce Connect works in conjunction with AWS AppSync and other AWS services to access the database table in Amazon RDS, fetching data that will be surfaced as external objects in Salesforce. External objects are similar to custom objects on the Salesforce platform, except the data is accessed via real-time API calls—instead of being copied and persisted.


Figure 1 – Salesforce Connect adapter for GraphQL architecture.

The use case featured in this post empowers customer service agents working in Salesforce, solving for the need to access order fulfillment data stored in AWS.

Getting Started

Deploy AWS services using the Salesforce Connect Adapter for GraphQL on AWS. Partner Solutions are automated reference deployments built by AWS and AWS Partners, and they help you deploy popular technologies according to AWS best practices.

Here, you’ll need a Salesforce org with a license for Salesforce Connect. A great way to get started is to get a developer edition Salesforce org from Trailhead. You’ll also need an AWS account with privileges to create AWS Identity and Access Management (IAM) roles and policies.

Test Your AWS Deployment

After successful deployment of AWS services using the Partner Solution, you can follow the test steps outlined in the solution to validate your deployment. We have provided additional guidance to help with the testing.

You can test API key authentication for the AWS AppSync endpoint by simulating a Salesforce HTTP call. The API key required for authentication is located in AppSync Settings under Configuration. You can execute a query in AWS CloudShell, in Postman, or from the command line interface (CLI) on your local machine.

The following query uses the curl command. Don’t forget to change it to add your API key and the AWS AppSync endpoint.

curl -XPOST -H "Content-Type:application/graphql" -H "x-api-key:YOUR-API-key" -d '{ "query": "query MyQuery {graphqlsample_MyOrder(where: {OrderId: {eq: \"ORD-100\"}}) {edges {node {OrderDate SourceIpAddress CustomerId Status TotalCost}}}}" }' https://YOUR-APPSYNC-ENDPOINT/graphql

The following image shows the output you should expect once you execute the query in AWS CloudShell.


Figure 2 – Output of AWS AppSync API query.
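
The same test as the curl command, as an added example that is not part of the original post or the Partner Solution: it reads the API key from an environment variable instead of the command line, and it also confirms that a request sent without the key is refused. The variable names APPSYNC_ENDPOINT and APPSYNC_API_KEY, the helper names, and the expectation that an unauthenticated call is answered with HTTP 401 or 403 are assumptions made for this example.

```python
import json
import os
import urllib.error
import urllib.request

# Query text from the page's curl command; %s receives the quoted order ID.
QUERY = (
    "query MyQuery {graphqlsample_MyOrder(where: {OrderId: {eq: %s}}) "
    "{edges {node {OrderDate SourceIpAddress CustomerId Status TotalCost}}}}"
)

def build_request(endpoint, api_key, order_id="ORD-100"):
    """Build the POST that the curl command sends; api_key=None omits the header."""
    # json.dumps quotes and escapes the ID (GraphQL strings accept JSON escapes).
    body = json.dumps({"query": QUERY % json.dumps(order_id)}).encode()
    headers = {"Content-Type": "application/graphql"}
    if api_key is not None:
        headers["x-api-key"] = api_key
    return urllib.request.Request(endpoint, data=body, headers=headers, method="POST")

def classify(status, body_text):
    """Map an HTTP status and response body to 'rejected', 'error' or 'data'."""
    if status in (401, 403):  # assumed status codes for a refused call
        return "rejected"
    try:
        payload = json.loads(body_text)
    except ValueError:
        return "error"
    # A GraphQL response can carry HTTP 200 and still report errors.
    if not isinstance(payload, dict) or payload.get("errors") or not payload.get("data"):
        return "error"
    return "data"

def send(req):
    """Send the request and return (status, body) for success and HTTP errors alike."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode()

def check_endpoint(endpoint, api_key):
    """True only if the key returns data AND the keyless request is refused."""
    with_key = classify(*send(build_request(endpoint, api_key)))
    without_key = classify(*send(build_request(endpoint, None)))
    return with_key == "data" and without_key == "rejected"

if __name__ == "__main__":
    ok = check_endpoint(os.environ["APPSYNC_ENDPOINT"], os.environ["APPSYNC_API_KEY"])
    print("PASS" if ok else "FAIL")
```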

Configure Salesforce Authentication

Salesforce needs to access the AWS server resources created in the steps above, acting as a client application calling out via HTTPS. This is managed by Salesforce’s named credential capability, which combines the definition of a remote endpoint along with the authentication needed to call that API successfully.

An external credential captures the authentication details, and a named credential specifies the target endpoint. The named credential holds a reference to the external credential so the callout subsystem knows what authentication to use for the endpoint in question.

You’ll create an external credential to specify an authentication protocol. In order for External Services to authenticate, create a named credential and specify it as the callout endpoint. Since Salesforce is secure by default, any user that uses this credential to make a callout needs permission to do so. This is managed by permission sets which you’ll create last.

These steps are outlined in the AWS deployment guide, under Salesforce configuration tutorial. Below, we’ll walk you through each step of the configuration with more detail and screenshots.

You may recall the AWS AppSync endpoint is protected by an API key. External credentials capture the authentication configuration, so follow these steps to set up the API key for authenticating into AWS.

  • In Salesforce, navigate to Setup > Named Credentials, and click the External Credentials subtab.
  • Click New.
  • Provide API Key Auth for AppSync as the Label and APIKeyAuthForAppSync as the developer Name. Make note of the developer Name you assign for a later step.
  • Select Custom for the Authentication Protocol.
  • Click Save.

Now that the external credential is created, you’ll store the API key securely.

  • Under Principals, click New.
  • Provide Access External Systems as the Parameter Name.
  • Under Authentication Parameters, click Add.
  • Use APIKey as the Name, and paste in the API key from AWS AppSync into the Value field.
  • Click Save.


Figure 3 – Storing API key securely in Salesforce.

You have now stored the API key in an encrypted manner. The last step for the external credential setup is to configure the HTTP header that AWS AppSync expects to contain the API key.

  • Under Custom Headers, click New.
  • Provide x-api-key as the Name. This will be the header name in the actual HTTP callout.
  • Provide the formula {!$Credential.APIKeyAuthForAppSync.APIKey} as the Value. This merge field syntax allows you to reference the API key and avoid hard-coding the secret value in clear text, for greater security.
  • Click Save.


Figure 4 – Set Custom Header with API key.

With the external credential defined, you’ll capture the AWS AppSync endpoint as a named credential.

  • Navigate to Setup > Named Credentials, and click the Named Credentials subtab.
  • Click New.
  • Provide AppSync API as the Label and AppSyncAPI as the developer Name. Paste the AWS AppSync API endpoint under URL.
  • Select the External Credential created in the prior step: API Key Auth for AppSync.
  • Check the checkbox to Allow Formulas in HTTP Header. This ensures the formula referencing the API key will be resolved correctly, and not interpreted as literal text.
  • Click Save.


Figure 5 – Setting the AppSync API endpoint.

Once the named credential is created, you’ll protect the API key by selecting a permission set so that access to the secret is granted explicitly by the set. Create a new permission set and assign access to your desired profiles after creation.

  • Navigate to Setup > Permission Sets.
  • Click New.
  • Provide Access External Systems as the Label, and press “tab” to generate an API Name.
  • Click Save.
  • Click Manage Assignments, and then Add Assignment to assign this permission set to your user.
  • Under Apps, choose External Credential Principal Access.
  • Choose Edit.
  • Under Available External Credential Principals, choose APIKeyAuthForAppSync – Access External Systems and Add it so it appears under Enabled External Credential Principals.
  • Click Save.

Configure an External Data Source in Salesforce

Salesforce Connect uses external data sources to access data in AWS. External data sources have associated external objects, which users use to interact with the external data and content.

In Salesforce Setup, configure an external data source of type GraphQL and connect it to your named credential. Remember to click Validate and Sync to confirm the connection was successful.

  • Navigate to Setup > External Data Sources.
  • Choose New External Data Source.
  • Provide GraphQL RDS External Source as the External Data Source. The Name will auto-populate.
  • Choose GraphQL as the Type.
  • Under Parameters, choose AppSync API as the Named Credential.
  • Set the Writable External Objects option.
  • Choose Save.

From the resulting success page, select Amazon RDS tables and click Sync to automatically create a Salesforce external object and custom field for each table column that’s compatible with a Salesforce metadata field type.

  • Choose Validate and Sync.
  • Provide values for External Object Name, Label, and Plural Label.
  • Check the options under Select.
  • Choose Sync.


Figure 6 – Map Salesforce custom objects to Amazon RDS.

Modify your external object’s custom fields and relationships, page layouts, field sets, search layouts, buttons, and links to your liking. Remember to configure a unique identifier (external ID) for each custom object. Learn more about modifying and configuring external objects.

Once your external objects are created, it’s likely you’ll want to relate the external data to records in Salesforce. Standard “foreign key” lookups are an option but require the external tables to store Salesforce IDs. A more flexible option is to create an indirect lookup between your desired external object and a standard object, which establishes the relationship based on a shared, matching value found in both systems.

In this example, a Customer ID field in the Order table identifies the customer; as long as this value is somewhere on the Account record, Salesforce can successfully establish the relationship between the external object and a standard (or custom) object. The steps below describe how to create such a relationship.

  • Navigate to Setup > External Objects > Select your desired external object (Orders for our example).
  • Create a new relationship under Fields and Relationships to the Account object.
  • Select Indirect Lookup Relationship as the data type.
  • For the Related To value, select Account.
  • For the Target Field value, select Customer_ID__c. This field should be created in the Account object; make sure to select the Unique and External ID checkboxes for it.
  • Enter 18 as the field length. Fill in the Field Label, Field Name, and External Column Name.
  • Choose which profiles you want to make Orders visible to and provide the Related List Label for how you want this list to appear in layouts.
  • Choose Save.

A new related list Orders should now be added to the Account page layouts. Learn more about configuring page layouts.


Figure 7 – Create an indirect lookup relationship in Salesforce.

View Data from Amazon RDS in Salesforce

Once AWS services have been deployed and the Salesforce configuration is complete, you can surface order data from Amazon RDS in Salesforce. With data from Salesforce and AWS in one place, the customer service agent can resolve customer issues faster.


Figure 8 – Salesforce customer record with Order data stored in RDS.


In this post, you learned how to leverage data stored in Amazon RDS from within Salesforce (without copying the records themselves) using AWS AppSync and Salesforce Connect. This zero-copy approach helps manage costs and avoid hassles in compliance, while still enabling Salesforce users with the data they need to deliver great service to your customers.

You used Salesforce Connect Adapter for GraphQL on AWS to deploy AWS services and to configure Salesforce.

AWS AppSync and Amazon RDS can be enabled at any time, and you’ll only pay for what you use. To learn more about Salesforce Connect, you’ll find great resources on Trailhead. When you’re ready, contact your Salesforce account representative about licensing for Salesforce Connect.