IAM role for an Amazon Q Business web experience using IAM Federation
Important
This page only applies to Amazon Q Business web experiences connected to IAM Federated Amazon Q Business applications.
Policy history
-
Latest policy update: — December 3, 2024
The following table list and describes the changes to this policy over time.
| Change | Description | Date |
|---|---|---|
Amazon Q Business plugin actions support |
To allow Amazon Q Business to list plugin actions and to
allow end users to discover plugins in their web experience, modify
the existing Web experience IAM role by adding
the following permissions: With this change, Amazon Q Business can list plugin actions and web experience users can discover plugins in their web experience. For more information, see Prerequisites for configuring Amazon Q Business built-in plugins. |
12/03/2024 |
Embedded visual content support |
To enable extracting semantic meaning from embedded visual
content, modify the existing Web experience IAM
role by adding the permission
With this change, if you enable content extraction for a data source, web experience users can ask questions and get answers related to the images. When an end user asks a question, Amazon Q Business retrieves relevant answers from the text and the images. Answers include the images and links for the documents that contain them. For more information, see Extracting semantic meaning from embedded visual content with Amazon Q Business. |
12/01/2024 |
Recent files support |
To enable recent files support on web experiences, modify the
existing Web experience IAM role by adding the
permission With this change, users can find and reuse any recently attached files in new conversations without uploading the files again. Additionally, users can now drag and drop files they want to upload directly into any conversation inside their Amazon Q web experience. |
11/21/2024 |
Note
To find the policy for your web experience you can go to Amazon Q Business → Applications → choose your application Name → Web experience settings in the Amazon Q Business console.
The following IAM policies allow you to invoke the API operations required for an application environment using Identity Federation through IAM (IAM Federation) to manage user access or deploy a web experience using an external IdP.
Note
You must create and update an IAM policy for your Amazon Q Business application (both console and API) before you begin creating it. Amazon Q Business doesn't auto-create IAM roles for your IAM Federation application if you use the console.
To allow an Amazon Q Business web experience to invoke the API operations required to integrate your application environment and deploy your web experience with an AWS Identity and Access Management instance, use the following policy:
{ "Version": "2012-10-17", "Statement": [{ "Sid": "QBusinessConversationPermissions", "Effect": "Allow", "Action": [ "qbusiness:Chat", "qbusiness:ChatSync", "qbusiness:ListMessages", "qbusiness:ListConversations", "qbusiness:PutFeedback", "qbusiness:DeleteConversation", "qbusiness:GetWebExperience", "qbusiness:GetApplication", "qbusiness:ListPlugins", "qbusiness:GetChatControlsConfiguration", "qbusiness:ListRetrievers" "qbusiness:ListPluginActions", "qbusiness:ListAttachments", "qbusiness:GetMedia" ], "Resource": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}" }, { "Sid": "QBusinessPluginDiscoveryPermissions", "Effect": "Allow", "Action": [ "qbusiness:ListPluginTypeMetadata", "qbusiness:ListPluginTypeActions" ], "Resource": "*" }, { "Sid": "QBusinessRetrieverPermission", "Effect": "Allow", "Action": [ "qbusiness:GetRetriever" ], "Resource": [ "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}", "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}/retriever/*" ] }, { "Sid": "QBusinessAutoSubscriptionPermission", "Effect": "Allow", "Action": [ "user-subscriptions:CreateClaim" ], "Condition": { "Bool": { "user-subscriptions:CreateForSelf": "true" }, "StringEquals": { "aws:CalledViaLast": "qbusiness.amazonaws.com" } }, "Resource": [ "*" ] }, { "Sid": "QBusinessKMSDecryptPermissions", "Effect": "Allow", "Action": [ "kms:Decrypt" ], "Resource": [ "arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]" ], "Condition": { "StringLike": { "kms:ViaService": [ "qbusiness.{{region}}.amazonaws.com", "qapps.{{region}}.amazonaws.com" ] } } }, { "Sid": "QAppsResourceAgnosticPermissions", "Effect": "Allow", "Action": [ "qapps:CreateQApp", "qapps:PredictQApp", "qapps:PredictProblemStatementFromConversation", "qapps:PredictQAppFromProblemStatement", "qapps:ListQApps", "qapps:ListLibraryItems", "qapps:CreateSubscriptionToken" ], "Resource": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}" }, { "Sid": "QAppsAppUniversalPermissions", "Effect": "Allow", "Action": [ "qapps:DisassociateQAppFromUser" ], "Resource": "arn:aws:qapps:{{region}}:{{source_account}}:application/{{application_id}}/qapp/*" }, { "Sid": "QAppsAppOwnerPermissions", "Effect": "Allow", "Action": [ "qapps:GetQApp", "qapps:CopyQApp", "qapps:UpdateQApp", "qapps:DeleteQApp", "qapps:ImportDocument", "qapps:ImportDocumentToQApp", "qapps:CreateLibraryItem", "qapps:UpdateLibraryItem", "qapps:StartQAppSession" ], "Resource": "arn:aws:qapps:{{region}}:{{source_account}}:application/{{application_id}}/qapp/*", "Condition": { "StringEqualsIgnoreCase": { "qapps:UserIsAppOwner": "true" } } }, { "Sid": "QAppsPublishedAppPermissions", "Effect": "Allow", "Action": [ "qapps:GetQApp", "qapps:CopyQApp", "qapps:AssociateQAppWithUser", "qapps:GetLibraryItem", "qapps:CreateLibraryItemReview", "qapps:AssociateLibraryItemReview", "qapps:DisassociateLibraryItemReview", "qapps:StartQAppSession" ], "Resource": "arn:aws:qapps:{{region}}:{{source_account}}:application/{{application_id}}/qapp/*", "Condition": { "StringEqualsIgnoreCase": { "qapps:AppIsPublished": "true" } } }, { "Sid": "QAppsAppSessionModeratorPermissions", "Effect": "Allow", "Action": [ "qapps:ImportDocument", "qapps:ImportDocumentToQAppSession", "qapps:GetQAppSession", "qapps:GetQAppSessionMetadata", "qapps:UpdateQAppSession", "qapps:UpdateQAppSessionMetadata", "qapps:StopQAppSession" ], "Resource": "arn:aws:qapps:{{region}}:{{source_account}}:application/{{application_id}}/qapp/*/session/*", "Condition": { "StringEqualsIgnoreCase": { "qapps:UserIsSessionModerator": "true" } } }, { "Sid": "QAppsSharedAppSessionPermissions", "Effect": "Allow", "Action": [ "qapps:ImportDocument", "qapps:ImportDocumentToQAppSession", "qapps:GetQAppSession", "qapps:GetQAppSessionMetadata", "qapps:UpdateQAppSession" ], "Resource": "arn:aws:qapps:{{region}}:{{source_account}}:application/{{application_id}}/qapp/*/session/*", "Condition": { "StringEqualsIgnoreCase": { "qapps:SessionIsShared": "true" } } } ] }
To allow Amazon Q to assume this role for a web experience using SAML-compliant identity provider for user management, use the following trust policy:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::{{account_id}}:saml-provider/[[saml_provider]]" }, "Action": "sts:AssumeRoleWithSAML", "Condition": { "StringEquals": { "SAML:aud": "https://q-web-experience-domain/saml" } } }, { "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::{{account_id}}:saml-provider/[[saml_provider]]" }, "Action": "sts:TagSession", "Condition": { "StringLike": { "aws:RequestTag/Email": "*" } } } ] }
To allow Amazon Q to assume this role for a web experience using an OIDC-compliant identity provider for user management, use the following trust policy:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::{{account_id}}:oidc-provider/{{iss}}" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "{{iss}}:aud": "{{clientId}}" } } }, { "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::{{account_id}}:oidc-provider/{{iss}}" }, "Action": "sts:TagSession", "Condition": { "StringLike": { "aws:RequestTag/Email": "*" } } } ] }
To allow an Amazon Q Business web experience to access AWS KMS to decrypt an OIDC client secret stored in Secrets Manager for an OIDC-based identity provider:
{ "Version": "2012-10-17", "Statement": [{ "Sid": "AllowsAmazonQToGetSecret", "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue" ], "Resource": [ "arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]" ] }, { "Sid": "AllowsAmazonQToDecryptSecret", "Effect": "Allow", "Action": [ "kms:Decrypt" ], "Resource": [ "arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]" ], "Condition": { "StringLike": { "kms:ViaService": [ "secretsmanager.*.amazonaws.com" ] } } } ] }
To allow Amazon Q to assume the role to decrypt an OIDC client secret stored in Secrets Manager, use the following trust policy:
{ "Version": "2012-10-17", "Statement": [{ "Sid": "AllowsAmazonQToAssumeRoleForServicePrincipal", "Effect": "Allow", "Principal": { "Service": "application.qbusiness.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "{{source_account}}" }, "ArnLike": { "aws:SourceArn": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}" } } }] }
