Getting started with GitLab Duo with Amazon Q - Amazon Q Developer

Getting started with GitLab Duo with Amazon Q

Note

GitLab Duo with Amazon Q is in preview release and is subject to change.

GitLab Duo with Amazon Q provides a suite of artificial intelligence (AI) experiences, such as proposing a code implementation for your idea, iterating on your code based on feedback, transforming your code to Java 17, reviewing merge requests for deficiencies, and suggesting unit tests for those issues. You can get started with a self-managed GitLab instance and a GitLab Ultimate subscription that's synchronized with GitLab. You also need to create an IAM identity provider and IAM role. For more information, see Identity providers and federation.

GitLab Duo with Amazon Q preview is available in the gitlab-duo-with-amazon-q-preview branch of the public GitLab repository. To learn more about GitLab's canonical source and collaborating on code, see the GitLab README.

Prerequisites

Before you begin, you need the following:

Step 1: Create an IAM identity provider and IAM role

Before you begin, you need an IAM identity provider, a system that creates, stores, and manages digital identities. For GitLab, you use IAM to access AWS resources, including IAM roles in your AWS account. For more information, see Identity providers and federation.

To create an IAM identity provider

  1. Open the AWS Identity and Access Management (IAM) console.

  2. In the navigation pane, choose Access management, and then choose Identity providers.

  3. Choose Add provider.

  4. For Provider type, choose OpenID Connect.

  5. Obtain the GitLab UUID used for the ProviderId URL and Audience.

    1. Navigate to your GitLab workspace.

    2. In the navigation pane, choose Settings, and then choose General.

    3. Copy the GitLab UUID value needed for the Issuer URL and Audience.

  6. In the ProviderId URL text input field, enter https://auth.token.gitlab.com/cc/oidc/GitLab UUID.

  7. In the Audience text input field, enter the gitlab-cc-GitLab UUID.

  8. Choose Add provider to create an identity provider.

After creating the IAM identity provider, you need to create an IAM role that trusts the identity provider and can access Amazon Q.

To create an IAM role

  1. In the navigation pane, choose Roles, and then choose Create role.

  2. For Trusted entity type, choose Web identity.

  3. From the Identity provider dropdown menu, choose https://auth.token.gitlab.com/cc/oidc/GitLab UUID, which is the identity provider you created.

  4. From the Audience dropdown menu, choose gitlab-cc-GitLab UUID, which was created when creating an identity provider.

  5. Choose Next to view permissions policies to add to your new role. You'll need to create a permissions policy at a later time. Without selecting any policies, choose Next.

  6. Under Role details, in the Role name text input field, enter a name to identify the role (for example, QDeveloperAccess).

  7. (Optional) In the Description text input field, enter an explanation for the role.

  8. In the Trust policy text input field, ensure that the trust policy looks similar to the following:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Principal": {
                    "Federated": "arn:aws:iam::ACCOUNT_ID:oidc-provider/auth.token.gitlab.com/cc/oidc/GitLab UUID"
                },
                "Condition": {
                    "StringEquals": {
                        "auth.token.gitlab.com/cc/oidc/GitLab UUID:aud": "gitlab-cc-GitLab UUID"
                    }
                }
            }
        ]
    }

  9. Choose Create role to complete creating an IAM role.

  10. After creating the IAM role, configure the role's session time. The AssumeRoleWithWebIdentity policy fails in the AI Gateway if the session isn't set to 12 hours or more.

    1. In the Roles search field, enter the name of the IAM role you created (for example, QDeveloperAccess), and then choose the role name.

    2. In Summary, choose Edit to edit the session duration.

    3. Choose the Maximum session duration dropdown menu, and then choose 12 hours.

    4. Choose Save changes to save the change to the session duration time.
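
The following Python check is an added example, not part of the original AWS page or GitLab's code. It verifies that a role's trust policy and maximum session duration match the steps above, assuming the audience is matched under the provider's :aud condition key (the form IAM uses for OIDC audiences); check_role, the account ID, and the UUID are constructed placeholders.

```python
import json

MIN_SESSION_SECONDS = 12 * 60 * 60  # the page requires 12 hours or more


def _as_list(value):
    # IAM accepts a single value or a list in these positions.
    return value if isinstance(value, list) else [value]


def check_role(trust_policy, max_session_seconds, account_id, gitlab_uuid):
    """Return findings; an empty list means the role matches the steps above."""
    provider = f"auth.token.gitlab.com/cc/oidc/{gitlab_uuid}"
    want_principal = f"arn:aws:iam::{account_id}:oidc-provider/{provider}"
    want_audience = f"gitlab-cc-{gitlab_uuid}"
    findings = []
    allows = [s for s in _as_list(trust_policy.get("Statement", []))
              if s.get("Effect") == "Allow"
              and "sts:AssumeRoleWithWebIdentity" in _as_list(s.get("Action", []))]
    if not allows:
        findings.append("no Allow statement for sts:AssumeRoleWithWebIdentity")
    for stmt in allows:
        principal = stmt.get("Principal", {})
        federated = principal.get("Federated") if isinstance(principal, dict) else principal
        if _as_list(federated) != [want_principal]:
            findings.append(f"unexpected principal: {federated}")
        # The audience check only works under the provider's ":aud" condition key.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if _as_list(equals.get(f"{provider}:aud")) != [want_audience]:
            findings.append("token audience is not pinned to " + want_audience)
    if max_session_seconds < MIN_SESSION_SECONDS:
        findings.append(f"maximum session duration {max_session_seconds}s is under 12 hours")
    return findings


# Constructed sample values: placeholder account ID and GitLab UUID.
ACCOUNT, UUID = "111122223333", "00000000-0000-0000-0000-000000000000"
GOOD = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/auth.token.gitlab.com/cc/oidc/00000000-0000-0000-0000-000000000000"},
    "Condition": {"StringEquals": {"auth.token.gitlab.com/cc/oidc/00000000-0000-0000-0000-000000000000:aud": "gitlab-cc-00000000-0000-0000-0000-000000000000"}}
  }]
}""")

if __name__ == "__main__":
    print(check_role(GOOD, 43200, ACCOUNT, UUID))  # role as configured above
    print(check_role(GOOD, 3600, ACCOUNT, UUID))   # IAM's default 1-hour session
```

The two inputs correspond to the AssumeRolePolicyDocument and MaxSessionDuration fields that aws iam get-role returns for the role.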

After creating an IAM role, you need to provide permissions to allow the role to access Amazon Q in GitLab Duo.

To configure an IAM role's access to Amazon Q

  1. In the search field, enter the name of the role you created (for example, QDeveloperAccess), and then choose the role name.

  2. Choose the Add permissions dropdown menu, and then choose Create inline policy.

  3. For the Policy editor, choose the JSON tab, and then copy and paste the following into the editor:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "GitLabDuoQPermissions",
                "Effect": "Allow",
                "Action": [
                    "q:SendEvent",
                    "q:CreateOAuthAppConnection",
                    "q:CreateAuthGrant",
                    "q:UpdateAuthGrant",
                    "q:UpdateOAuthAppConnection"
                ],
                "Resource": "*"
            }
        ]
    }

  4. Choose the Actions dropdown menu, and then choose Optimize for readability to parse the JSON and reformat the text into AWS format.

  5. Choose Next.

  6. Under Policy details, in the Policy name text input field, enter gitlab-duo-amazon-q-policy, and then choose Create policy.

After creating the IAM identity provider and IAM role needed to access Amazon Q, you can set up Amazon Q in GitLab.

Step 2: Set up GitLab Duo with Amazon Q

Before using GitLab quick actions to perform tasks, such as creating merge requests, adding test coverage, and reviewing code for security and quality purposes, you need to configure GitLab settings to enable Amazon Q.

To configure GitLab Duo with Amazon Q

  1. Navigate to your GitLab organization's Admin area, choose Settings, and then choose General.

  2. For GitLab Duo with Amazon Q, choose Expand, and then choose View configuration options to view the configuration page.

  3. Provide the AWS IAM role ARN to GitLab.

    1. Open the AWS Identity and Access Management (IAM) console.

    2. In the navigation pane, choose Access management, and then choose Roles.

    3. In the search field, enter the name of the role you previously created (for example, QDeveloperAccess) in Step 1: Create an IAM identity provider and IAM role.

    4. Choose the IAM role, and under Summary, copy the role's ARN. The ARN should look similar to the following: arn:aws:iam::123456789:role/QDeveloperAccess.

    5. Navigate back to the configuration page of GitLab.

    6. In the IAM role's ARN text input field, paste the IAM role ARN.

  4. (Optional) Determine which groups and projects can use GitLab Duo with Amazon Q. Do one of the following depending on your preference:

    • To turn on GitLab Duo with Amazon Q for the instance, but give groups and projects the ability to turn it off, choose On by default.

    • To turn off GitLab Duo with Amazon Q for the instance, but give groups and projects the ability to turn it on, choose Off by default.

    • To turn off GitLab Duo with Amazon Q for the instance and prevent groups or projects from turning it on, choose Always off.

  5. Choose Save changes to confirm your configuration when setting up GitLab Duo with Amazon Q.

At any time, you can configure the availability of GitLab Duo with Amazon Q by turning it on or off for your instance, group, or project. For more information, see Turn off GitLab Duo with Amazon Q.

After saving your changes, an API contacts the AI Gateway to create an OAuth application on Amazon Q. Once you set up GitLab Duo with Amazon Q, you can begin using the AI capabilities of Amazon Q in GitLab issues, comments, and merge request comments. However, before you can invoke code transformation, your project must have at least one GitLab Runner available, and that runner must be customized. For more information, see Customizing a CI/CD pipeline for code transformation. To learn more about how to invoke quick actions in GitLab issues and merge requests, see GitLab Duo with Amazon Q.