IAM role for an Amazon Q Business web experience

To allow Amazon Q to access the API operations required to integrate your application environment with IAM Identity Center or deploy your web experience using an external IdP, use the following role policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "QBusinessConversationPermission",
            "Effect": "Allow",
            "Action": [
                "qbusiness:Chat",
                "qbusiness:ChatSync",
                "qbusiness:ListMessages",
                "qbusiness:ListConversations",
                "qbusiness:DeleteConversation",
                "qbusiness:PutFeedback",
                "qbusiness:GetWebExperience",
                "qbusiness:GetApplication",
                "qbusiness:ListPlugins",
                "qbusiness:GetChatControlsConfiguration"
            ],
            "Resource": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"
        },
        {
            "Sid": "QBusinessKMSDecryptPermissions",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
            ],
            "Condition": {
                "StringLike": {
                    "kms:ViaService": [
                        "qbusiness.{{region}}.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "QBusinessSetContextPermissions",
            "Effect": "Allow",
            "Action": [
                "sts:SetContext"
            ],
            "Resource": [
                "arn:aws:sts::*:self"
            ],
            "Condition": {
                "StringLike": {
                    "aws:CalledViaLast": [
                        "qbusiness.amazonaws.com"
                    ]
                }
            }
        }
    ]
}

To allow Amazon Q to assume a role, use the following trust policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "QBusinessTrustPolicy",
            "Effect": "Allow",
            "Principal": {
                "Service": "application.qbusiness.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:SetContext"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "{{source_account}}"
                },
                "ArnEquals": {
                    "aws:SourceArn": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"
                }
            }
        }
    ]
}

For users of the deployed web experience to create lightweight, purpose-built Amazon Q Apps within a broader application environment, you must include the permissions that let the backend call the necessary Amazon Q Apps-related APIs. You don't call or use these APIs directly. The permissions for them are included in the example IAM role for the deployed web experience.

Note

Amazon Q Apps is in preview release and is subject to change, including the APIs called in the backend.

If you're using Amazon Q Apps, your web experience IAM role needs the following additional permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "QBusinessQAppsPermissions",
            "Effect": "Allow",
            "Action": [
                "qapps:CreateQApp",
                "qapps:PredictProblemStatementFromConversation",
                "qapps:PredictQAppFromProblemStatement",
                "qapps:CopyQApp",
                "qapps:GetQApp",
                "qapps:ListQApps",
                "qapps:UpdateQApp",
                "qapps:DeleteQApp",
                "qapps:AssociateQAppWithUser",
                "qapps:DisassociateQAppFromUser",
                "qapps:ImportDocumentToQApp",
                "qapps:ImportDocumentToQAppSession",
                "qapps:CreateLibraryItem",
                "qapps:GetLibraryItem",
                "qapps:UpdateLibraryItem",
                "qapps:CreateLibraryItemReview",
                "qapps:ListLibraryItems",
                "qapps:CreateSubscriptionToken",
                "qapps:StartQAppSession",
                "qapps:StopQAppSession"
            ],
            "Resource": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"
        },
        {
            "Sid": "QBusinessKMSDecryptPermissions",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
            ],
            "Condition": {
                "StringLike": {
                    "kms:ViaService": [
                        "qbusiness.{{region}}.amazonaws.com",
                        "qapps.{{region}}.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "QBusinessSetContextPermissions",
            "Effect": "Allow",
            "Action": [
                "sts:SetContext"
            ],
            "Resource": [
                "arn:aws:sts::*:self"
            ],
            "Condition": {
                "StringLike": {
                    "aws:CalledViaLast": [
                        "qbusiness.amazonaws.com",
                        "qapps.amazonaws.com"
                    ]
                }
            }
        }
    ]
}

When the web experience calls the Q Apps-related APIs in the backend, the IAM role allows web experience users to do the following:

Amazon Q Apps

  • Create a Q App

  • Get the status and other information on a Q App

  • Update a Q App

  • List all created Q Apps

  • Delete a Q App

  • Copy an existing Q App to create a new version of the app

  • Start a session when the chat interface or a Q App opens

  • Stop a session when the chat interface or a Q App closes

  • Subscribe to a topic for the Q App

  • Upload files to a Q App session

  • Convert a conversation into a text string problem statement

  • Convert a problem statement into a proposed Q App

Q Apps library

  • Create an item for a Q App to add to the library

  • Get the status and other information on an item in the library

  • Update an item in the library

  • List all items in the library

  • Delete an item in the library

  • Rate an item in the library

If any of these permissions are removed, you run the risk that your web experience users can no longer create and run their own Q Apps.