Salesforce

On any machine with OpenSSL:

openssl genrsa -out salesforce.key 2048
openssl req -new -x509 -days 36500 -key salesforce.key -out salesforce.crt -subj "/CN=ingest"

Keep salesforce.key private. Upload salesforce.crt to Salesforce in the next step.

1. In Salesforce, go to Setup → App Manager → New Connected App.
2. Fill in Connected App Name, API Name, and Contact Email.
3. Check Enable OAuth Settings.
4. Set the Callback URL to https://login.salesforce.com/services/oauth2/success (it isn't used in the JWT flow but is required by Salesforce).
5. Check Use digital signatures and upload the salesforce.crt file from step 1.
6. Selected OAuth scopes: Manage user data via APIs (api), Perform requests at any time (refresh_token, offline_access).
7. Click Save, then Continue.
8. After save, copy the Consumer Key (also called Client ID).

The JWT flow requires the connected app to be pre-authorized for the integration user:

1. Setup → Manage Connected Apps → Edit the app you just created.
2. Set Permitted Users to Admin approved users are pre-authorized. Save.
3. Add the integration user (or a profile / permission set the user has) to the connected app.

1. Setup → My Domain. Copy the Current My Domain URL without the https:// and trailing slash — e.g. acme.my.salesforce.com. This is the salesforce_instance_url value the connector needs at runtime.

In the Ingest UI under Connectors → Salesforce, fill in:

• Salesforce instance URL — the my-domain host from step 4 (e.g. acme.my.salesforce.com).
• Consumer Key — from step 2 (stored in AWS Secrets Manager as consumer_key).
• Private Key — the contents of salesforce.key, including the -----BEGIN PRIVATE KEY----- lines (stored as private_key).
• Username — the Salesforce username of the integration user Ingest should run as (stored as username).

Salesforce enforces a per-org daily API request limit that depends on your Edition and licensed user count — Enterprise typically gets 100,000+ calls/day; Professional Edition is 1,000 calls/day per org. The Ingest runtime dispatches at 2 req/sec by default and uses AIMD backoff on 429s. Errors with status 401 (bad/expired token, missing pre-authorization) and 403 (scope missing or feature not licensed) are treated as fatal — fix the cause before retrying.

Pagination is nextRecordsUrl-based: every 2,000 records, the response carries a fully-qualified follow-up URL the runtime calls until the result set is exhausted.

The connector uses SOQL queries internally — every endpoint is the same /services/data/v60.0/query URL with a different SOQL body. Most customers want:

• CRM core: account, contact, lead, opportunity, case
• Opportunity detail: opportunity_line_item, opportunity_contact_role, opportunity_history
• Sales catalog: product, pricebook, pricebook_entry, contract, quote, quote_line_item, sales_order, order_item
• Marketing: campaign, campaign_member
• Activity: task, event
• People & permissions: user, user_role, profile, permission_set, permission_set_assignment, field_permissions, object_permissions, record_type
• Asset / org metadata: asset, organization