Configuring a Jira Cloud plugin for Amazon Q Business
Jira Cloud is a project management tool that creates issues (tickets) for software development, product management, and bug tracking. If you’re a Jira Cloud user, you can create an Amazon Q Business plugin to allow your end users to perform the following actions from within their web experience chat:
-
Read issues
-
Create issues
-
Search issues
-
Change issue status
-
Delete issue
-
Read sprint
-
Move issue to sprint
-
Create sprint
-
Delete sprint
To create a Jira Cloud plugin, you need configuration information from your Jira Cloud instance to set up a connection between Amazon Q and Jira Cloud and allow Amazon Q to perform actions in Jira Cloud.
For more information on how to use plugins during your web experience chat, see Using plugins.
Prerequisites
Before you configure your Amazon Q Jira Cloud plugin, you must do the following:
-
As an admin, create a new OAuth 2.0 Jira Cloud app in the Jira Cloud developer console with scoped permissions for performing actions in Amazon Q. To learn how to do this, see OAuth 2.0 (3LO) apps
in Jira Cloud Developer Documentation. -
Make sure sharing is enabled and the following required scopes are added:
-
read:jira-work -
write:jira-work -
manage:jira-project -
read:sprint:jira-software -
write:sprint:jira-software -
delete:sprint:jira-software -
read:board-scope:jira-software -
read:project:jira
-
-
Note the domain URL of your Jira Cloud instance. For example:
https://api.atlassian.com/ex/jira/. To learn how to find your instance ID (Cloud Site ID), go to How to find Cloud Site IdyourInstanceIdin Jira Software Support. -
Note your:
-
Access token URL – For Jira Cloud OAuth applications, this is
https://auth.atlassian.com/oauth/token. -
Authorization URL – For Jira Cloud OAuth applications, this is
https://auth.atlassian.com/authorize. -
Redirect URL – The URL to which user needs to be redirected after authentication. If your deployed web url is
<q-endpoint>, use<q-endpoint>/oauth/callback. Amazon Q Business will handle OAuth tokens in this URL. This callback URL needs to be allowlisted in your third-party application. -
Client ID – The client ID generated when you create your OAuth 2.0 application in Jira Cloud.
-
Client secret – The client secret generated when you create your OAuth 2.0 application in Jira Cloud.
You will need this authentication information during the plugin configuration process.
-
Service access roles
To successfully connect Amazon Q to Jira Cloud, you need to give Amazon Q the following permission to access your Secrets Manager secret to get your Jira Cloud credentials. Amazon Q assumes this role to access your Jira Cloud credentials.
The following is the service access IAM role required:
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue" ], "Resource": [ "arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]" ] } ] }
To allow Amazon Q to assume a role, use the following trust policy:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "QBusinessApplicationTrustPolicy", "Effect": "Allow", "Principal": { "Service": "qbusiness.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "{{source_account}}" }, "ArnLike": { "aws:SourceArn":"arn:aws:qbusiness:{{your-region}}:{{source_account}}:application/{{application_id}}" } } } ] }
If you use the console and choose to create a new IAM role, Amazon Q creates the role for you. If you use the console and choose to use an existing secret, or you use the API, make sure your IAM role contains these permissions.
Creating a plugin
To create a Jira Cloud plugin for your web experience chat, you can use the AWS Management Console or the CreatePlugin API operation. The following tabs provide a procedure for creating a Jira Cloud plugin using the console and code examples for the AWS CLI.
