IAM role for an Amazon Kendra retriever - Amazon Q Business


When you use an Amazon Kendra index as a retriever, you must provide Amazon Q Business with an IAM role that has permissions to access the Amazon Kendra index. You must also attach a trust policy that allows Amazon Q Business to assume that role. Both policies are shown below.

To allow Amazon Q Business to retrieve from, and describe, the Amazon Kendra index, use the following permissions policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "KendraRetrieveAccess",
            "Effect": "Allow",
            "Action": [
                "kendra:Retrieve",
                "kendra:DescribeIndex"
            ],
            "Resource": "arn:aws:kendra:{{region}}:{{source_account}}:index/{{indexId}}"
        }
    ]
}

To allow Amazon Q Business to assume the role, use the following trust policy. The aws:SourceAccount and aws:SourceArn conditions restrict the role to a single Amazon Q Business application in your account:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AmazonQKendraAccessPermission",
            "Effect": "Allow",
            "Principal": {
                "Service": "qbusiness.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "{{source_account}}"
                },
                "ArnEquals": {
                    "aws:SourceArn": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{applicationId}}"
                }
            }
        }
    ]
}
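As an added example (not part of the AWS documentation), the following Python builds both policy documents from the four placeholder values and audits a trust policy for the two conditions that scope the role to one application; the account, region, index and application IDs used in the sample are constructed.

```python
import json

QBUSINESS_SERVICE = "qbusiness.amazonaws.com"


def kendra_retriever_policy(region: str, account: str, index_id: str) -> dict:
    """Permissions policy: only Retrieve/DescribeIndex on the one Kendra index."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "KendraRetrieveAccess",
            "Effect": "Allow",
            "Action": ["kendra:Retrieve", "kendra:DescribeIndex"],
            "Resource": f"arn:aws:kendra:{region}:{account}:index/{index_id}",
        }],
    }


def qbusiness_trust_policy(region: str, account: str, application_id: str) -> dict:
    """Trust policy: qbusiness may assume the role only for this application."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AmazonQKendraAccessPermission",
            "Effect": "Allow",
            "Principal": {"Service": QBUSINESS_SERVICE},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account},
                "ArnEquals": {"aws:SourceArn":
                              f"arn:aws:qbusiness:{region}:{account}:application/{application_id}"},
            },
        }],
    }


def trust_policy_findings(trust_policy: dict) -> list:
    """Return problems found in statements that let qbusiness assume the role (empty = ok)."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        services = [services] if isinstance(services, str) else services
        if stmt.get("Effect") != "Allow" or QBUSINESS_SERVICE not in services:
            continue
        cond = stmt.get("Condition", {})
        if "aws:SourceAccount" not in cond.get("StringEquals", {}):
            findings.append(f"{stmt.get('Sid', '?')}: missing aws:SourceAccount condition")
        if "aws:SourceArn" not in {**cond.get("ArnEquals", {}), **cond.get("ArnLike", {})}:
            findings.append(f"{stmt.get('Sid', '?')}: missing aws:SourceArn condition")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    print(json.dumps(qbusiness_trust_policy("us-east-1", "111122223333", "app-example"), indent=2))
```

The two dicts can be passed as json.dumps(...) to boto3's iam.create_role(AssumeRolePolicyDocument=...) and iam.put_role_policy(PolicyDocument=...); trust_policy_findings is meant for reviewing roles that already exist.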