To successfully connect Amazon Q Business to a plugin, you need to give Amazon Q Business the following permissions using a service access role:
-
Permission to access your Secrets Manager secret to get the credentials you use to log in to the third party service instance you are creating a plugin for.
-
(Optional) Permission to access the customer managed AWS KMS key used to encrypt the content of your Secrets Manager secret.
Amazon Q Business assumes this role to access your third party service instance credentials.
If you use the console and choose to create a new IAM role, Amazon Q creates the IAM role for you. If you use the console and choose to use an existing secret, or you use the API, make sure your secret contains the following permissions.
Important
If you're changing response settings for an Amazon Q Business application created and deployed before 16 April, 2024, you need to update your web experience service role. For information on service role permissions needed, see IAM role for an Amazon Q Business web experience. For information on how to update your web experience service role, see Updating a web experience.
The following is the service access IAM role required:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowQBusinessToGetSecretValue",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
]
}
]
}To allow Amazon Q Business to assume a role, use the following trust policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "QBusinessApplicationTrustPolicy",
"Effect": "Allow",
"Principal": {
"Service": "qbusiness.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "{{source_account}}"
},
"ArnLike": {
"aws:SourceArn":"arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"
}
}
}
]
}