IAM role for an Amazon Q Business web experience using IAM Identity Center

Important

This page only applies to Amazon Q Business web experiences connected to IAM Identity Center-integrated Amazon Q Business applications.

Policy history

Latest policy update: — December 3, 2024

The following table list and describes the changes to this policy over time.

Change	Description	Date
Amazon Q Business plugin actions support	To allow Amazon Q Business to list plugin actions and to allow end users to discover plugins in their web experience, modify the existing Web experience IAM role by adding the following permissions: `qbusiness:ListPluginActions`, `qbusiness:ListPluginTypeMetadata`, and `qbusiness:ListPluginTypeActions`. The scoping for this new permission should be similar to other `qbusiness:` conversation permissions. With this change, Amazon Q Business can list plugin actions and web experience users can discover plugins in their web experience. For more information, see Prerequisites for configuring Amazon Q Business built-in plugins.	12/03/2024
Amazon QuickSight plugin support	To allow the QuickSight plugin to include visuals from Amazon QuickSight, modify the existing Web experience IAM role to add permission for `quicksight:GenerateEmbedUrlForRegisteredUserWithIdentity`. With this change, web experience users can view visuals from QuickSight. For more information about the QuickSight plugin, see Using the QuickSight plugin to get insights from structured data.	12/03/2024
Embedded visual content support	To enable extracting semantic meaning from embedded visual content, modify the existing Web experience IAM role by adding the permission `qbusiness:GetMedia`. The scoping for this new permission should be similar to other `qbusiness:` conversation permissions. With this change, if you enable content extraction for a data source, web experience users can ask questions and get answers related to the images. When an end user asks a question, Amazon Q Business retrieves relevant answers from the text and the images. Answers include the images and links for the documents that contain them. For more information, see Extracting semantic meaning from embedded visual content with Amazon Q Business.	12/01/2024
Recent files support	To enable recent files support on web experiences, modify the existing Web experience IAM role by adding the permission `qbusiness:ListAttachments`. The scoping for this new permission should be similar to other `qbusiness:` conversation permissions. With this change, users can find and reuse any recently attached files in new conversations without uploading the files again. Additionally, users can now drag and drop files they want to upload directly into any conversation inside their Amazon Q web experience.	11/21/2024

Note

To find the policy for your web experience you can go to Amazon Q Business → Applications → choose your application Name → Web experience settings in the Amazon Q Business console.

The following section lists the IAM policies required to allow you to invoke the API operations required to integrate your application environment with IAM Identity Center.

To allow an Amazon Q Business web experience to invoke the API operations required to integrate your application environment and deploy your web experience with an IAM Identity Center instance, use the following policy:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "QBusinessConversationPermissions",
      "Effect": "Allow",
      "Action": [
        "qbusiness:Chat",
        "qbusiness:ChatSync",
        "qbusiness:ListMessages",
        "qbusiness:ListConversations",
        "qbusiness:PutFeedback",
        "qbusiness:DeleteConversation",
        "qbusiness:GetWebExperience",
        "qbusiness:GetApplication",
        "qbusiness:ListPlugins",
        "qbusiness:ListPluginActions",
        "qbusiness:GetChatControlsConfiguration",
        "qbusiness:ListRetrievers",
        "qbusiness:ListAttachments",
        "qbusiness:GetMedia"
      ],
      "Resource": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"
    },
    {
      "Sid": "QBusinessPluginDiscoveryPermissions",
      "Effect": "Allow",
      "Action": [
          "qbusiness:ListPluginTypeMetadata",
          "qbusiness:ListPluginTypeActions"
      ],
      "Resource": "*"
    },
    {
      "Sid": "QBusinessRetrieverPermission",
      "Effect": "Allow",
      "Action": ["qbusiness:GetRetriever"],
      "Resource": [
        "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}",
        "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}/retriever/*"
      ]
    },
    {
      "Sid": "QAppsResourceAgnosticPermissions",
      "Effect": "Allow",
      "Action": [
        "qapps:CreateQApp",
        "qapps:PredictQApp",
        "qapps:PredictProblemStatementFromConversation",
        "qapps:PredictQAppFromProblemStatement",
        "qapps:ListQApps",
        "qapps:ListLibraryItems",
        "qapps:CreateSubscriptionToken",
        "qapps:ListCategories"
      ],
      "Resource": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"
    },
    {
      "Sid": "QAppsAppUniversalPermissions",
      "Effect": "Allow",
      "Action": ["qapps:DisassociateQAppFromUser"],
      "Resource": "arn:aws:qapps:{{region}}:{{source_account}}:application/{{application_id}}/qapp/*"
    },
    {
      "Sid": "QAppsAppOwnerPermissions",
      "Effect": "Allow",
      "Action": [
        "qapps:GetQApp",
        "qapps:CopyQApp",
        "qapps:UpdateQApp",
        "qapps:DeleteQApp",
        "qapps:ImportDocument",
        "qapps:ImportDocumentToQApp",
        "qapps:CreateLibraryItem",
        "qapps:UpdateLibraryItem",
        "qapps:StartQAppSession",
        "qapps:DescribeQAppPermissions",
        "qapps:UpdateQAppPermissions",
        "qapps:CreatePresignedUrl"
      ],
      "Resource": "arn:aws:qapps:{{region}}:{{source_account}}:application/{{application_id}}/qapp/*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "qapps:UserIsAppOwner": "true"
        }
      }
    },
    {
      "Sid": "QAppsPublishedAppPermissions",
      "Effect": "Allow",
      "Action": [
        "qapps:GetQApp",
        "qapps:CopyQApp",
        "qapps:AssociateQAppWithUser",
        "qapps:GetLibraryItem",
        "qapps:CreateLibraryItemReview",
        "qapps:AssociateLibraryItemReview",
        "qapps:DisassociateLibraryItemReview",
        "qapps:StartQAppSession",
        "qapps:DescribeQAppPermissions"
      ],
      "Resource": "arn:aws:qapps:{{region}}:{{source_account}}:application/{{application_id}}/qapp/*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "qapps:AppIsPublished": "true"
        }
      }
    },
    {
      "Sid": "QAppsAppSessionModeratorPermissions",
      "Effect": "Allow",
      "Action": [
        "qapps:ImportDocument",
        "qapps:ImportDocumentToQAppSession",
        "qapps:GetQAppSession",
        "qapps:GetQAppSessionMetadata",
        "qapps:UpdateQAppSession",
        "qapps:UpdateQAppSessionMetadata",
        "qapps:StopQAppSession",
        "qapps:ListQAppSessionData",
        "qapps:ExportQAppSessionData",
        "qapps:CreatePresignedUrl"
      ],
      "Resource": "arn:aws:qapps:{{region}}:{{source_account}}:application/{{application_id}}/qapp/*/session/*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "qapps:UserIsSessionModerator": "true"
        }
      }
    },
    {
      "Sid": "QAppsSharedAppSessionPermissions",
      "Effect": "Allow",
      "Action": [
        "qapps:ImportDocument",
        "qapps:ImportDocumentToQAppSession",
        "qapps:GetQAppSession",
        "qapps:GetQAppSessionMetadata",
        "qapps:UpdateQAppSession",
        "qapps:ListQAppSessionData",
        "qapps:CreatePresignedUrl"
      ],
      "Resource": "arn:aws:qapps:{{region}}:{{source_account}}:application/{{application_id}}/qapp/*/session/*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "qapps:SessionIsShared": "true"
        }
      }
    },
    {
      "Sid": "QBusinessToQuickSightGenerateEmbedUrlInvocation",
      "Effect": "Allow",
      "Action": ["quicksight:GenerateEmbedUrlForRegisteredUserWithIdentity"],
      "Resource": "*"
    }
  ]
}

To allow Amazon Q to assume this role, use the following trust policy:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "QBusinessTrustPolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": "application.qbusiness.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:SetContext"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "{{source_account}}"
        },
        "ArnEquals": {
          "aws:SourceArn":"arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"
        }
      }
    }
  ]
}

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Amazon Q Business web experience

IAM Federation web experience