[SalesForce] Using AWS Lambda to query SalesForce

I'm working on an AWS serverless app that will need to query SalesForce from AWS Lambdas to receive its data and I'm struggling with how to authorize my Lambdas to talk to SalesForce.

Most of my research suggested that I should be using AWS VPC and Private Link to connect the two, but I can't find any details on what sort of VPC I should use.

For instance Scenario 2 of this article https://aws.amazon.com/blogs/apn/connecting-aws-and-salesforce-enables-enterprises-to-do-more-with-customer-data/ seems to be describing exactly what I want to do but is very vague on the details.

So far I've tried to set up a VPC using com.amazonaws.us-east-1.events for the service (I'm not sure if this is the correct service, but it makes the most sense to me from the options I was given when trying to create a service) and I was able to use this service to create an endpoint.

I'm also not sure where to enter the SalesForce authorization information. And I would assume I need to do something on the SalesForce's end like create a Connected App.

Am I on the right track here? Or should I just be trying to get an OAuth2 token from SalesForce that my Lambdas will use to connect? Or do I need to do both?

EDIT: So it turns out VPC was not the way to go since this is a serverless app. It's possible it might work wonders if I had an EC2 instance but I don't. I just wasn't hitting the authorization endpoint correctly.

Best Answer

Disclaimer: I'm not at all familiar with Amazon's cloud offerings (other than the pricing model being very convoluted)

As far as the Salesforce side of the equation is concerned, you're on the right track. You'll need to create your own connected app with the permissions (also called OAuth scopes) indicated in that article:
Perform requests on your behalf, Access your basic information, and Access and manage your data.

After you create the connected app in Salesforce, you'll have access to the pieces of information that your VPC endpoint requires, namely the consumer key and consumer secret. To (try to) be clear, the thing that requires the information from your connected app is the VPC endpoint on the Amazon side of things.

The VPC endpoint from your linked article is the thing that does the heavy lifting for OAuth (things like constructing the OAuth request, storing the resulting access token, sending that access token in subsequent requests, and managing the refresh token). You shouldn't need to perform any of the steps in any of the OAuth flows yourself, and it sounds like following your linked article should mean that Amazon takes care of wiring your lambda and endpoint together.
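The token handling the answer describes (construct the OAuth request with the connected app's consumer key and secret, store the resulting access token, send it as a Bearer token on subsequent requests, and get a new one when Salesforce rejects it) is small enough to do directly from a Lambda over HTTPS, with no VPC endpoint involved, which is what the question's EDIT ended up concluding. The code below is an added example, not code from the question, the answer, or the linked AWS article. It assumes the connected app has the OAuth 2.0 client credentials flow enabled with an execution user configured (otherwise the `grant_type` would have to be a different flow), that `v58.0` is an acceptable REST API version, and that the token lifetime matches the connected app's session timeout; `FakeSalesforce` is a constructed stand-in so the flow can be exercised offline, and the real `urllib_transport` is what a deployed Lambda would use.

```python
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request

# Real Salesforce token endpoint; sandboxes use https://test.salesforce.com instead.
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"
API_VERSION = "v58.0"      # assumption: any current REST API version works
TOKEN_TTL_SECONDS = 3600   # assumption: matches the connected app's session timeout


class SalesforceAuthError(Exception):
    pass


def build_token_request(client_id, client_secret):
    """Construct the OAuth2 client_credentials request using the connected app's consumer key/secret."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return {"method": "POST", "url": TOKEN_URL, "body": body,
            "headers": {"Content-Type": "application/x-www-form-urlencoded"}}


def urllib_transport(req):
    """Default transport for a deployed Lambda: send with the standard library, return (status, bytes)."""
    r = urllib.request.Request(req["url"], data=req["body"], method=req["method"], headers=req["headers"])
    try:
        with urllib.request.urlopen(r, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


class SalesforceClient:
    """Obtains, caches, sends and renews the access token for SOQL queries."""

    def __init__(self, client_id, client_secret, transport=urllib_transport, clock=time.time):
        self._client_id, self._client_secret = client_id, client_secret
        self._transport, self._clock = transport, clock
        self._token = None   # (access_token, instance_url, issued_at), kept across warm invocations
        self.auth_calls = 0  # how often we had to hit the token endpoint (useful to log)

    def _authenticate(self):
        self.auth_calls += 1
        status, body = self._transport(build_token_request(self._client_id, self._client_secret))
        if status != 200:
            raise SalesforceAuthError(f"token endpoint returned HTTP {status}: {body[:200]!r}")
        data = json.loads(body)
        self._token = (data["access_token"], data["instance_url"], self._clock())
        return self._token

    def _current_token(self):
        if self._token is None or self._clock() - self._token[2] >= TOKEN_TTL_SECONDS:
            return self._authenticate()
        return self._token

    def query(self, soql):
        """Run a SOQL query, retrying once with a fresh token if Salesforce rejects the cached one."""
        for attempt in range(2):
            access_token, instance_url, _ = self._current_token()
            req = {"method": "GET", "body": None,
                   "url": f"{instance_url}/services/data/{API_VERSION}/query?q={urllib.parse.quote(soql)}",
                   "headers": {"Authorization": f"Bearer {access_token}"}}
            status, body = self._transport(req)
            if status == 401 and attempt == 0:
                self._token = None  # revoked or expired on the Salesforce side: re-authenticate once
                continue
            if status != 200:
                raise RuntimeError(f"query failed with HTTP {status}: {body[:200]!r}")
            return json.loads(body)["records"]


_client = None  # module-level so the cached token survives warm Lambda invocations


def lambda_handler(event, context):
    global _client
    if _client is None:
        # Read the consumer secret from Secrets Manager or SSM in production rather than a plain env var.
        _client = SalesforceClient(os.environ["SF_CLIENT_ID"], os.environ["SF_CLIENT_SECRET"])
    records = _client.query(event.get("soql", "SELECT Id, Name FROM Account LIMIT 5"))
    return {"statusCode": 200, "body": json.dumps(records)}


class FakeSalesforce:
    """Constructed stand-in for Salesforce's token and query endpoints (offline testing only)."""

    def __init__(self, client_id="KEY", client_secret="SECRET"):
        self._creds = (client_id, client_secret)
        self.issued = []      # access tokens handed out so far
        self.revoked = set()  # tokens the fake will now answer with 401

    def __call__(self, req):
        if req["url"] == TOKEN_URL:
            form = dict(urllib.parse.parse_qsl(req["body"].decode()))
            if (form.get("client_id"), form.get("client_secret")) != self._creds:
                return 400, b'{"error":"invalid_client"}'
            token = f"tok{len(self.issued)}"
            self.issued.append(token)
            return 200, json.dumps({"access_token": token,
                                    "instance_url": "https://example.my.salesforce.com"}).encode()
        auth = req["headers"].get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if token not in self.issued or token in self.revoked:
            return 401, b'[{"errorCode":"INVALID_SESSION_ID"}]'
        return 200, json.dumps({"records": [{"Id": "001", "Name": "Acme"}]}).encode()
```

The transport is injectable so the retry-on-401 and re-authentication paths can be checked without network access; in the deployed function only `SF_CLIENT_ID` and `SF_CLIENT_SECRET` need to be supplied, and the single retry keeps a revoked session from turning into an unbounded loop of token requests.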
