S3-to-Salesforce Data Cloud Ingest

An event-driven AWS SAM application that provisions an S3 bucket and a Lambda function to automatically forward PDF uploads to Salesforce Data Cloud's unstructured ingest endpoint. The Lambda filters S3 events by bucket, key prefix, and file extension, then authenticates to Salesforce using an OAuth 2.0 client credentials flow with a secondary token exchange for the Data Cloud API. All credentials and configuration are stored in AWS Systems Manager Parameter Store, and the stack is fully parameterized for deployment to any AWS account or region.

Key Achievements

  • Event-driven ingest pipeline: Configured S3 ObjectCreated event notifications to trigger a Lambda function that filters for matching PDFs by bucket, key prefix, and file extension before forwarding to downstream APIs.
  • Multi-step Salesforce authentication: Implemented a two-stage OAuth 2.0 flow — client credentials grant for a core Salesforce token, followed by a token exchange for a Data Cloud-scoped token — to securely call the unstructured ingest endpoint.
  • Secure credential management: Stored Salesforce consumer keys, secrets, and configuration in SSM Parameter Store with KMS decryption, keeping secrets out of code and environment variables.
  • Portable infrastructure as code: Parameterized the SAM template with AWS pseudo parameters (AccountId, Region) and stack-name-scoped SSM paths, enabling repeatable deployment to any AWS account or region without hardcoded values.
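
One way to implement the bucket, key prefix, and file extension filter described above, as an added example that is not code from this project. The bucket name, prefix, and function names are hypothetical, and matching the extension case-insensitively is an assumption.

```python
from urllib.parse import unquote_plus

# Hypothetical values; a real deployment would load these from its configuration.
EXPECTED_BUCKET = "example-ingest-bucket"
KEY_PREFIX = "incoming/"
EXTENSION = ".pdf"


def matching_keys(event, bucket=EXPECTED_BUCKET, prefix=KEY_PREFIX, ext=EXTENSION):
    """Return the decoded object keys in an S3 event that pass every filter."""
    keys = []
    for record in event.get("Records", []):
        # Act only on S3 object-creation records, whatever the trigger delivers.
        if record.get("eventSource") != "aws:s3":
            continue
        if not record.get("eventName", "").startswith("ObjectCreated:"):
            continue
        s3 = record.get("s3", {})
        if s3.get("bucket", {}).get("name") != bucket:
            continue
        # S3 URL-encodes keys in notifications (a space arrives as '+'),
        # so decode before comparing against the prefix or reading the object.
        key = unquote_plus(s3.get("object", {}).get("key", ""))
        if not key.startswith(prefix):
            continue
        # Assumption: extension match is case-insensitive; "x.pdf.exe" still fails.
        if not key.lower().endswith(ext):
            continue
        keys.append(key)
    return keys


def _record(bucket, key, name="ObjectCreated:Put"):
    """Build a minimal S3 notification record (constructed test data)."""
    return {"eventSource": "aws:s3", "eventName": name,
            "s3": {"bucket": {"name": bucket}, "object": {"key": key}}}


# Constructed sample event: two records should pass, four should be dropped.
SAMPLE_EVENT = {"Records": [
    _record(EXPECTED_BUCKET, "incoming/Q1+report.PDF"),
    _record(EXPECTED_BUCKET, "incoming/caf%C3%A9+menu.pdf"),
    _record(EXPECTED_BUCKET, "incoming/notes.txt"),
    _record(EXPECTED_BUCKET, "archive/old.pdf"),
    _record("other-bucket", "incoming/x.pdf"),
    _record(EXPECTED_BUCKET, "incoming/gone.pdf", "ObjectRemoved:Delete"),
]}

if __name__ == "__main__":
    print(matching_keys(SAMPLE_EVENT))
```

Checking the bucket and event name inside the handler keeps the function safe even if the notification configuration is later widened or the function is invoked by another source.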

Technologies

  • AWS Lambda (Python 3.12)
  • AWS SAM
  • Amazon S3
  • AWS SSM Parameter Store
  • Salesforce Data Cloud API
  • OAuth 2.0 (Client Credentials)
  • Python
  • boto3

Year

2026