AWS Chatbot is now Amazon Q Developer. Learn more
AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be authenticated (signed in) and authorized (have permissions) to use Amazon Q Developer resources. IAM is an AWS service that you can use with no additional charge.
Audience
How you use AWS Identity and Access Management (IAM) differs, depending on the work that you do in Amazon Q Developer.
Service user – If you use the Amazon Q Developer service to do your job, then your administrator provides you with the credentials and permissions that you need. As you use more Amazon Q Developer features to do your work, you might need additional permissions. Understanding how access is managed can help you request the right permissions from your administrator. If you cannot access a feature in Amazon Q Developer, see Troubleshooting Amazon Q Developer in chat applications identity and access.
Service administrator – If you're in charge of Amazon Q Developer resources at your company, you probably have full access to Amazon Q Developer. It's your job to determine which Amazon Q Developer features and resources your service users should access. You must then submit requests to your IAM administrator to change the permissions of your service users. Review the information on this page to understand the basic concepts of IAM. To learn more about how your company can use IAM with Amazon Q Developer, see How Amazon Q Developer in chat applications works with IAM.
IAM administrator – If you're an IAM administrator, you might want to learn details about how you can write policies to manage access to Amazon Q Developer. To view example Amazon Q Developer identity-based policies that you can use in IAM, see Identity-based policies for Amazon Q Developer in chat applications.
How Amazon Q Developer in chat applications works with
IAM
Before you use IAM to manage access to Amazon Q Developer, you should understand which IAM features are available to use with Amazon Q Developer. The following subsections introduce each IAM capability supported by Amazon Q Developer, point you to further information about how to use them, and describe the IAM capabilities that Amazon Q Developer doesn't support. To get a high-level view of how Amazon Q Developer and other AWS services work with IAM, see AWS Services That Work with IAM in the IAM User Guide.
For an overview of IAM and its features, see Understanding How IAM Works in the IAM User Guide.
Topics
Identity-based policies and Amazon Q Developer in chat applications
Amazon Q Developer supports the use of IAM identity-based policies for service usage and management.
An AWS Identity and Access Management (IAM) policy is a document that defines the permissions that apply to an IAM user, group, or role. The permissions determine what users can do in AWS. A policy typically allows access to specific actions, and can optionally grant that the actions are allowed for specific resources, like Amazon Simple Notification Service (Amazon SNS) notifications. Policies can also explicitly deny access.
Identity-based policies are attached to an IAM
user, group, or role (identity). These policies let you specify what that AWS identity
can do (its permissions). For example, you can attach an identity policy to the IAM
user named adesai, to allow that user to perform the Amazon Q Developer
DescribeSlackChannels action.
For information about, and examples of, using identity-based policies with Amazon Q Developer, see Amazon Q Developer Identity-Based Policies.
For more general information about how IAM identity-based policies work, see Identity vs. Resource in the IAM User Guide.
Resource-level permissions and Amazon Q Developer
Resource-level permissions are JSON policy statements that specify the AWS resources on which associated IAM entities can perform actions. You define a resource-level permission in an IAM policy, then attach the policy to a user's AWS account or to any other IAM entity. The users then have permission to access that resource. Resource-level permissions differ from IAM resource-based policies because you attach complete resource-based policies directly to an AWS resource.
When you customize IAM policies for users to work with the Amazon Q Developer service, one of your primary options for policy editing is to configure resource-based permissions for your policies.
Amazon Q Developer supports resource-level permissions, but not resource-based policies.
For more information about how IAM resource-level permissions work with Amazon Q Developer, see IAM Resource-Level Permissions for Amazon Q Developer.
Condition keys and Amazon Q Developer
Administrators can use AWS JSON policies to specify who has access to what. That is, which principal can perform actions on what resources, and under what conditions.
The Condition element (or Condition
block) lets you specify conditions in which a
statement is in effect. The Condition element is optional. You can create
conditional expressions that use condition
operators, such as equals or less than, to match the condition in the
policy with values in the request.
If you specify multiple Condition elements in a statement, or
multiple keys in a single Condition element, AWS evaluates them using
a logical AND operation. If you specify multiple values for a single
condition key, AWS evaluates the condition using a logical OR
operation. All of the conditions must be met before the statement's permissions are
granted.
You can also use placeholder variables when you specify conditions. For example, you can grant an IAM user permission to access a resource only if it is tagged with their IAM user name. For more information, see IAM policy elements: variables and tags in the IAM User Guide.
AWS supports global condition keys and service-specific condition keys. To see all AWS global condition keys, see AWS global condition context keys in the IAM User Guide.
Amazon Q Developer doesn't define any service-specific condition keys. It supports global condition keys. To see all actions and resources for which Amazon Q Developer can use global condition keys, see Actions, Resources, and Condition Keys for Amazon Q Developer in the IAM User Guide. For more information about AWS global condition keys, see AWS Global Condition Context Keys in the IAM User Guide.
Using temporary credentials with Amazon Q Developer
You can use temporary credentials to sign in with federation, assume an IAM role, or assume a cross-account role. You obtain temporary security credentials by calling AWS Security Token Service (AWS STS) API operations, such as AssumeRole or GetFederationToken.
Amazon Q Developer supports using temporary credentials. For more information about defining and using temporary IAM credentials, see Temporary Security Credentials in the IAM User Guide.
Service-linked roles
Service-linked roles allow AWS services to access resources in other services to complete an action on your behalf. Service-linked roles appear in your IAM account and are owned by the service. An IAM administrator can view, but can't edit the permissions for service-linked roles.
Service roles
Amazon Q Developer supports service roles.
This feature allows a service to assume a service role on your behalf. This role allows the service to access resources in other services to complete an action on your behalf. Service roles appear in your IAM account and are owned by the account. This means that an IAM administrator can change the permissions for this role. However, doing so might prevent the service from functioning as expected.
Other policy types
AWS supports additional, less common policy types. These policy types can set the maximum permissions granted to you by the more common policy types.
-
AWS Organizations service control policies (SCPs) - SCPs are JSON policies that specify the maximum permissions for an organization or organizational unit (OU) in AWS Organizations. AWS Organizations is a service for grouping and centrally managing multiple AWS accounts that your business owns. If you enable all features in an organization, then you can apply service control policies (SCPs) to any or all of your accounts. The SCP limits permissions for entities in member accounts, including each AWS account root user. For more information about Organizations and SCPs, see How SCPs Work in the AWS Organizations User Guide.
-
IAM account settings - With IAM, you can use AWS Security Token Service (AWS STS) to create and provide trusted users with temporary security credentials that can control access to your AWS resources. When you activate STS endpoints for a Region, AWS STS can issue temporary credentials to users and roles in your account that make an AWS STS request. Those credentials can then be used in any Region that is enabled by default or is manually enabled. You must activate the Region in the account where the temporary credentials are generated. It does not matter whether a user is signed into the same account or a different account when they make the request. For more information, see Activating and deactivating AWS STS in an AWS Region in the IAM User Guide.
Note
Amazon Q Developer is a global service that requires access to all AWS Regions. If there is a policy in place that prevents access to services in certain Regions, you must change the policy to allow global Amazon Q Developer access.
