Adding user access and subscriptions to an Amazon Q Business application

You can add users to your IAM Identity Center instance from the Amazon Q Business console.

After you add users or groups to an application, you can then choose the Amazon Q Business tier for each user or group.

On successful completion, Amazon Q Business returns a web experience URL that you can share with the end users you added to your application.

The following tabs provide a procedure for the AWS Management Console and code examples for the AWS CLI.

Console

To add users and groups with their subscriptions to your Amazon Q Business application

  1. To add users or groups, select the Users or Groups tab, then select Add groups and users. Then, depending on how you're integrating Amazon Q Business with IAM Identity Center, do the following:

    1. If you're using a pre-configured IAM Identity Center instance with users and groups already configured, Amazon Q Business detects the users you have configured in IAM Identity Center. You can choose to assign users from your IAM Identity Center directory.

      1. In this case, in the Assign existing users and groups dialog box that opens, type and select the name of the user or group that you want to assign. Then select Assign.

        Note

        Search for users using their name, and not their user ID or email alias.

    2. If you've created a minimally-configured IAM Identity Center instance from within the Amazon Q Business console for your Amazon Q Business application, you can enter the details of your users or users within a group to add them to your application and IAM Identity Center instance.

      1. In this case, in the Add new users dialog box that opens, enter the details of your user. Then select Next and Add.

        If you want to add another user or multiple users, select Add new user and enter the user details before you select Add. Then, select Assign.

        The user is automatically added to an IAM Identity Center directory.

      2. The details you must enter for a single user include:

        • Username – A username is required for a user to sign in to the AWS access portal. You can't change the username later. Maximum length 128 characters. Can only contain alphanumeric characters or any of the following: +=,.@-_

        • First name – First name of user.

        • Last name – Last name of user.

        • Email address – Email address of user.

        • Confirm email address – Enter email address again to confirm it.

        • Display name – The display name assigned to your user.

  2. After adding a user or group, you choose the Amazon Q Business subscription tier for each user or group. From the subscriptions dropdown menu, do the following:

    1. On the Manage access and subscriptions page, choose Users, and then select the user you want to add a subscription to.

    2. Then, from the Change subscription dropdown select Update subscription tier.

    3. In the Confirm subscription change dialog box that opens, from the New subscription dropdown select Q Business Lite or Q Business Pro.

    4. Then, select Confirm. You will see an active subscription notification appear next to the user you've added the subscription to.

    5. Then, select Done to confirm your changes.

    6. To add subscriptions for groups, follow the same steps. Note that groups must already be created in IAM Identity Center before you can add and assign subscriptions to them in the Amazon Q Business console.

    Important

    If you add a user to a group in IAM Identity Center and have given that group access to your application, it can take up to 24 hours for the change to take effect and for the user to be able to access your Amazon Q Business application.

    Warning

    You must confirm and save your user subscription settings, otherwise you are charged based on your unsaved user subscriptions.

  3. In Web experience service access, enter the following information:

    • For Choose a method to authorize Amazon Q Business – A service access role assumed by end users when they sign in to your web experience that grants them permission to start and manage conversations in Amazon Q Business. You can choose to use an existing role or create a new role.

    • Service role name – A name for the service role you created for easy identification on the console.

    • Select Save.

  4. Select Create application.

AWS CLI

To add users to an application (subscriptions for users are only available in the console)

aws sso-admin create-application-assignment \
    --application-arn idc-app-arn \
    --principal-id idc-user-ID \
    --principal-type USER

To add groups to an application (subscriptions for groups are only available in the console)

aws sso-admin create-application-assignment \
    --application-arn idc-app-arn \
    --principal-id idc-group-ID \
    --principal-type GROUP
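To review the assignments created above, the following added example (not part of the original AWS documentation) compares the principals assigned to the application with an approved roster and reports any that are not on it. The roster file, the function name, and the sample identifiers are assumptions made for illustration. The list-application-assignments command shown in the comment does not appear on this page.

```shell
#!/bin/sh
# Added example: review who is assigned to the application against an approved roster.
# Both inputs use one "PRINCIPAL_TYPE<TAB>PRINCIPAL_ID" pair per line. The assigned
# list can be produced with (idc-app-arn is the page's placeholder):
#   aws sso-admin list-application-assignments --application-arn idc-app-arn \
#     --query 'ApplicationAssignments[].[PrincipalType,PrincipalId]' --output text

TAB=$(printf '\t')

# unapproved_assignments ROSTER_FILE  (assigned pairs are read from stdin)
# Prints each assigned principal that is not in the roster (hypothetical file).
# Returns 0 if every assignment is approved, 1 if any is not, 2 on bad input.
unapproved_assignments() {
  local roster="$1" ptype pid rc=0
  [ -r "$roster" ] || { echo "roster not readable: $roster" >&2; return 2; }
  while IFS="$TAB" read -r ptype pid; do
    [ -n "$ptype" ] || continue                      # skip blank lines
    case $ptype in
      USER|GROUP) ;;                                 # the two types the page assigns
      *) echo "unexpected principal type: $ptype" >&2; return 2 ;;
    esac
    [ -n "$pid" ] || { echo "missing principal ID" >&2; return 2; }
    # -F fixed string, -x whole line: an ID that is a prefix of another never matches
    if ! grep -Fxq -- "$ptype$TAB$pid" "$roster"; then
      printf '%s\t%s\n' "$ptype" "$pid"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample data (not real identifiers) so the example runs offline.
demo_roster=$(mktemp)
printf 'USER\tuser-id-alice\nGROUP\tgroup-id-sales\n' > "$demo_roster"
printf 'USER\tuser-id-alice\nUSER\tuser-id-extra\nGROUP\tgroup-id-sales\n' |
  unapproved_assignments "$demo_roster" ||
  echo "review needed: the principals listed above are not on the roster"
rm -f "$demo_roster"
```

Because users inherit access through group membership, a GROUP line on the roster approves every member of that group. Review group membership in IAM Identity Center separately.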