IAM role for an Amazon Q Business web experience - Amazon Q Business

IAM role for an Amazon Q Business web experience

If an admin user uses the AWS Management Console to create and manage the Amazon Q Business application environment and its web experiences, the following IAM role is created automatically when you choose either a new service role or an existing service role that already works for your application environments to authorize the web experience service access.

Note

If you are using permissions for Amazon Q Apps created before July 10, 2024, you must update your role with the new Amazon Q Apps permissions so that your users can view and specify approved data sources and use other future Q Apps features.

If you are not using the console and want to allow Amazon Q to invoke the API operations required to integrate your application environment with IAM Identity Center, deploy your chat web experience, use an external IdP, and use Amazon Q Apps, you must use the following IAM policies.

The following IAM policy allows you to invoke the API operations required to integrate your application environment with IAM Identity Center or deploy your chat web experience using an external IdP.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "QBusinessConversationPermission",
      "Effect": "Allow",
      "Action": [
        "qbusiness:Chat",
        "qbusiness:ChatSync",
        "qbusiness:ListMessages",
        "qbusiness:ListConversations",
        "qbusiness:DeleteConversation",
        "qbusiness:PutFeedback",
        "qbusiness:GetWebExperience",
        "qbusiness:GetApplication",
        "qbusiness:ListPlugins",
        "qbusiness:GetChatControlsConfiguration"
      ],
      "Resource": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"
    },
    {
      "Sid": "QBusinessKMSDecryptPermissions",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
      ],
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "qbusiness.{{region}}.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "QBusinessSetContextPermissions",
      "Effect": "Allow",
      "Action": [
        "sts:SetContext"
      ],
      "Resource": [
        "arn:aws:sts::*:self"
      ],
      "Condition": {
        "StringLike": {
          "aws:CalledViaLast": [
            "qbusiness.amazonaws.com"
          ]
        }
      }
    }
  ]
}

To allow Amazon Q to assume this role, use the following trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "QBusinessTrustPolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": "application.qbusiness.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:SetContext"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "{{source_account}}"
        },
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"
        }
      }
    }
  ]
}
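The two policies above use {{...}} placeholders that must be filled in before the role is created. The following Python script is an added example, not AWS code: it renders the placeholders (using constructed example values for region, account, application id and key id) into deployable JSON, then checks the rendered trust policy for the aws:SourceAccount and aws:SourceArn conditions that prevent an Amazon Q Business application in another account from assuming the role, and checks the permissions policy for the kms:ViaService restriction on kms:Decrypt. The policy templates embedded in it are abbreviated copies of the page's policies (shortened action lists); the check functions are this example's own.

```python
import json
import re

# Constructed example values (not from the page); replace with your own.
VALUES = {
    "region": "us-east-1",
    "source_account": "111122223333",
    "account_id": "111122223333",
    "application_id": "a1b2c3d4-EXAMPLE",
    "key_id": "1234abcd-EXAMPLE",
}

# The page's trust policy, with its placeholders.
TRUST_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "QBusinessTrustPolicy",
    "Effect": "Allow",
    "Principal": {"Service": "application.qbusiness.amazonaws.com"},
    "Action": ["sts:AssumeRole", "sts:SetContext"],
    "Condition": {
      "StringEquals": {"aws:SourceAccount": "{{source_account}}"},
      "ArnEquals": {"aws:SourceArn": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"}
    }
  }]
}"""

# Abbreviated copy of the page's permissions policy (action lists shortened).
PERMISSIONS_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "QBusinessConversationPermission", "Effect": "Allow",
     "Action": ["qbusiness:Chat", "qbusiness:ChatSync"],
     "Resource": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"},
    {"Sid": "QBusinessKMSDecryptPermissions", "Effect": "Allow",
     "Action": ["kms:Decrypt"],
     "Resource": ["arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"],
     "Condition": {"StringLike": {"kms:ViaService": ["qbusiness.{{region}}.amazonaws.com"]}}}
  ]
}"""

# Matches both placeholder spellings used on the page: {{name}} and [[name]].
PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}|\[\[(\w+)\]\]")


def render(template: str, values: dict) -> dict:
    """Substitute every placeholder and parse the result; unknown placeholders are an error."""
    def sub(match):
        name = match.group(1) or match.group(2)
        if name not in values:
            raise KeyError(f"no value for placeholder {name}")
        return values[name]
    return json.loads(PLACEHOLDER.sub(sub, template))


def statements(policy: dict) -> list:
    s = policy["Statement"]
    return s if isinstance(s, list) else [s]


def trust_policy_findings(policy: dict, values: dict) -> list:
    """Problems with the trust policy; an empty list means it is scoped as the page shows."""
    findings = []
    app_arn = (f"arn:aws:qbusiness:{values['region']}:{values['source_account']}"
               f":application/{values['application_id']}")
    for st in statements(policy):
        sid = st.get("Sid")
        principal = st.get("Principal")
        if not isinstance(principal, dict) or principal.get("AWS") == "*":
            findings.append(f"{sid}: principal is not a scoped service principal")
            continue
        if principal.get("Service") != "application.qbusiness.amazonaws.com":
            findings.append(f"{sid}: unexpected service principal {principal}")
        cond = st.get("Condition", {})
        if cond.get("StringEquals", {}).get("aws:SourceAccount") != values["source_account"]:
            findings.append(f"{sid}: aws:SourceAccount condition missing or wrong")
        if cond.get("ArnEquals", {}).get("aws:SourceArn") != app_arn:
            findings.append(f"{sid}: aws:SourceArn condition missing or not the application ARN")
    return findings


def permissions_findings(policy: dict) -> list:
    """Flag kms:Decrypt grants not limited to calls made through Amazon Q Business, and wildcard actions."""
    findings = []
    for st in statements(policy):
        sid = st.get("Sid")
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if "*" in actions:
            findings.append(f"{sid}: wildcard action")
        if "kms:Decrypt" in actions:
            via = st.get("Condition", {}).get("StringLike", {}).get("kms:ViaService", [])
            if not any(v.startswith("qbusiness.") for v in via):
                findings.append(f"{sid}: kms:Decrypt without a qbusiness kms:ViaService condition")
    return findings


if __name__ == "__main__":
    trust = render(TRUST_TEMPLATE, VALUES)
    perms = render(PERMISSIONS_TEMPLATE, VALUES)
    print(json.dumps(trust, indent=2))
    print("trust policy findings:", trust_policy_findings(trust, VALUES))
    print("permissions policy findings:", permissions_findings(perms))
```

Run it against your own rendered documents before calling CreateRole or UpdateAssumeRolePolicy; if either findings list is non-empty, the role is broader than the page's intended scope.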

IAM permissions for using Amazon Q Apps

If the users of your deployed web experience want to create lightweight, purpose-built Amazon Q Apps within your broader Amazon Q Business application environment, you must include the following policy permissions.

Note

This Amazon Q Apps IAM policy, released on July 10, 2024, supports the ability for users to view and specify approved data sources at the card level and to use other future features. To use these features, you must update all Amazon Q Apps roles created before this date with this new policy.

If you want to use Amazon Q Apps, your web experience IAM role needs the following additional permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "QAppsResourceAgnosticPermissions",
      "Effect": "Allow",
      "Action": [
        "qapps:CreateQApp",
        "qapps:PredictQApp",
        "qapps:PredictProblemStatementFromConversation",
        "qapps:PredictQAppFromProblemStatement",
        "qapps:ListQApps",
        "qapps:ListLibraryItems",
        "qapps:CreateSubscriptionToken"
      ],
      "Resource": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"
    },
    {
      "Sid": "QAppsAppUniversalPermissions",
      "Effect": "Allow",
      "Action": [
        "qapps:DisassociateQAppFromUser"
      ],
      "Resource": "arn:aws:qapps:{{region}}:{{source_account}}:application/{{application_id}}/qapp/*"
    },
    {
      "Sid": "QAppsAppOwnerPermissions",
      "Effect": "Allow",
      "Action": [
        "qapps:GetQApp",
        "qapps:CopyQApp",
        "qapps:UpdateQApp",
        "qapps:DeleteQApp",
        "qapps:ImportDocument",
        "qapps:ImportDocumentToQApp",
        "qapps:CreateLibraryItem",
        "qapps:UpdateLibraryItem",
        "qapps:StartQAppSession"
      ],
      "Resource": "arn:aws:qapps:{{region}}:{{source_account}}:application/{{application_id}}/qapp/*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "qapps:UserIsAppOwner": "true"
        }
      }
    },
    {
      "Sid": "QAppsPublishedAppPermissions",
      "Effect": "Allow",
      "Action": [
        "qapps:GetQApp",
        "qapps:CopyQApp",
        "qapps:AssociateQAppWithUser",
        "qapps:GetLibraryItem",
        "qapps:CreateLibraryItemReview",
        "qapps:AssociateLibraryItemReview",
        "qapps:DisassociateLibraryItemReview",
        "qapps:StartQAppSession"
      ],
      "Resource": "arn:aws:qapps:{{region}}:{{source_account}}:application/{{application_id}}/qapp/*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "qapps:AppIsPublished": "true"
        }
      }
    },
    {
      "Sid": "QAppsAppSessionModeratorPermissions",
      "Effect": "Allow",
      "Action": [
        "qapps:ImportDocument",
        "qapps:ImportDocumentToQAppSession",
        "qapps:GetQAppSession",
        "qapps:GetQAppSessionMetadata",
        "qapps:UpdateQAppSession",
        "qapps:UpdateQAppSessionMetadata",
        "qapps:StopQAppSession"
      ],
      "Resource": "arn:aws:qapps:{{region}}:{{source_account}}:application/{{application_id}}/qapp/*/session/*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "qapps:UserIsSessionModerator": "true"
        }
      }
    },
    {
      "Sid": "QAppsSharedAppSessionPermissions",
      "Effect": "Allow",
      "Action": [
        "qapps:ImportDocument",
        "qapps:ImportDocumentToQAppSession",
        "qapps:GetQAppSession",
        "qapps:GetQAppSessionMetadata",
        "qapps:UpdateQAppSession"
      ],
      "Resource": "arn:aws:qapps:{{region}}:{{source_account}}:application/{{application_id}}/qapp/*/session/*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "qapps:SessionIsShared": "true"
        }
      }
    }
  ]
}

Capabilities available with Amazon Q Apps

The Amazon Q Apps IAM policy grants your web experience users permission to do the following:

  • Amazon Q Apps capabilities:

    • Create a Q App (API)

    • Get the status and other information on a Q App (API)

    • Update a Q App (API)

    • List all created Q Apps (API)

    • Delete a Q App (API)

    • Start a Q App run (session) (API)

    • Stop a Q App run (session) (API)

    • Upload files to a Q App run (session) (API)

    • Convert a conversation into a (text string) problem statement (API)

    • Convert a problem statement into a proposed Q App (API)

  • Amazon Q Apps library capabilities:

    • Publish a Q App by adding items to your Q Apps library (API)

    • Get the status and other information on a Q App (item) in your Q Apps library (API)

    • Update a published Q App (item) in your Q Apps library (API)

    • List all Q Apps (items) from your Q Apps library (API)

    • Delete a Q App (item) from your Q Apps library (API)

    • Like (rate) a Q App item from your Q Apps library (API)

IAM permissions for users to view and specify approved data sources in Amazon Q Apps

(Optional) To allow Q Apps users to view and specify approved data sources in their app, add the following permissions to the Amazon Q Apps policy.

Note

If you are using permissions for Amazon Q Apps created before July 10, 2024, you must update your role with the new Amazon Q Apps permissions so that your users can view and specify approved data sources and use other future Q Apps features.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "QBusinessIndexPermission",
      "Effect": "Allow",
      "Action": [
        "qbusiness:ListIndices"
      ],
      "Resource": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"
    },
    {
      "Sid": "QBusinessDataSourcePermission",
      "Effect": "Allow",
      "Action": [
        "qbusiness:ListDataSources"
      ],
      "Resource": [
        "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}",
        "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}/index/*"
      ]
    }
  ]
}

Note

If any of these permissions are removed, your web experience users might not be able to create and run their own Q Apps properly.
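Building the final Q Apps role document means merging the base Q Apps policy with the optional data source statements above into one policy, and the note just given is a reminder that dropping statements silently breaks features. The following Python script is an added example, not AWS code; it works on abbreviated copies of the page's Q Apps statements (shortened action lists) with constructed account values. It merges the documents while refusing duplicate Sids, reports which condition keys gate each qapps: action (so you can see, for instance, that qapps:GetQApp is reachable either as app owner or through a published app), lists the actions on qapp/* resources that no qapps: condition restricts, and flags the data source actions that are missing when the optional statements are left out.

```python
import json

# Constructed example values, not from the page; replace with your own.
REGION, ACCOUNT, APP_ID = "us-east-1", "111122223333", "a1b2c3d4-EXAMPLE"
APP_ARN = f"arn:aws:qbusiness:{REGION}:{ACCOUNT}:application/{APP_ID}"
QAPP_ARN = f"arn:aws:qapps:{REGION}:{ACCOUNT}:application/{APP_ID}/qapp/*"

# Abbreviated copy of the page's Amazon Q Apps policy (action lists shortened).
QAPPS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "QAppsResourceAgnosticPermissions", "Effect": "Allow",
         "Action": ["qapps:CreateQApp", "qapps:ListQApps"], "Resource": APP_ARN},
        {"Sid": "QAppsAppUniversalPermissions", "Effect": "Allow",
         "Action": ["qapps:DisassociateQAppFromUser"], "Resource": QAPP_ARN},
        {"Sid": "QAppsAppOwnerPermissions", "Effect": "Allow",
         "Action": ["qapps:GetQApp", "qapps:UpdateQApp", "qapps:DeleteQApp"], "Resource": QAPP_ARN,
         "Condition": {"StringEqualsIgnoreCase": {"qapps:UserIsAppOwner": "true"}}},
        {"Sid": "QAppsPublishedAppPermissions", "Effect": "Allow",
         "Action": ["qapps:GetQApp", "qapps:CopyQApp"], "Resource": QAPP_ARN,
         "Condition": {"StringEqualsIgnoreCase": {"qapps:AppIsPublished": "true"}}},
    ],
}

# The optional approved-data-source statements from this section.
DATA_SOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "QBusinessIndexPermission", "Effect": "Allow",
         "Action": ["qbusiness:ListIndices"], "Resource": APP_ARN},
        {"Sid": "QBusinessDataSourcePermission", "Effect": "Allow",
         "Action": ["qbusiness:ListDataSources"], "Resource": [APP_ARN, APP_ARN + "/index/*"]},
    ],
}

# Actions the data source picker needs; removing them breaks that feature.
REQUIRED_FOR_DATA_SOURCES = {"qbusiness:ListIndices", "qbusiness:ListDataSources"}


def as_list(value):
    return value if isinstance(value, list) else [value]


def condition_keys(statement: dict) -> set:
    """All condition keys used in a statement, regardless of operator."""
    return {key for operator in statement.get("Condition", {}).values() for key in operator}


def merge_policies(*policies: dict) -> dict:
    """Concatenate statements into one document, refusing duplicate Sids."""
    seen, merged = set(), []
    for policy in policies:
        for st in as_list(policy["Statement"]):
            sid = st.get("Sid")
            if sid in seen:
                raise ValueError(f"duplicate Sid {sid}")
            seen.add(sid)
            merged.append(st)
    return {"Version": "2012-10-17", "Statement": merged}


def action_gates(policy: dict) -> dict:
    """Map each allowed action to the set of condition-key sets that gate it.
    An empty frozenset in the value means some statement grants the action unconditionally."""
    gates = {}
    for st in as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        keys = frozenset(condition_keys(st))
        for action in as_list(st["Action"]):
            gates.setdefault(action, set()).add(keys)
    return gates


def unconditioned_qapp_actions(policy: dict) -> list:
    """Actions on qapp/* resources that some statement grants with no qapps: condition key."""
    found = set()
    for st in as_list(policy["Statement"]):
        if not any("/qapp/" in r for r in as_list(st["Resource"])):
            continue
        if not any(k.startswith("qapps:") for k in condition_keys(st)):
            found.update(as_list(st["Action"]))
    return sorted(found)


def missing_actions(policy: dict, required: set) -> list:
    """Required actions that no Allow statement in the policy grants."""
    return sorted(required - set(action_gates(policy)))


if __name__ == "__main__":
    full = merge_policies(QAPPS_POLICY, DATA_SOURCE_POLICY)
    print(json.dumps(full, indent=2))
    for action, gates in sorted(action_gates(full).items()):
        print(action, "->", [sorted(g) or "unconditional" for g in gates])
    print("qapp/* actions with no qapps: condition:", unconditioned_qapp_actions(full))
    print("missing without the optional statements:",
          missing_actions(QAPPS_POLICY, REQUIRED_FOR_DATA_SOURCES))
```

The gate map is the quickest way to review what a web experience user can do with a given Q App: an action that appears only under qapps:UserIsAppOwner is owner-only, one that also appears under qapps:AppIsPublished is open to anyone once the app is published, and anything listed as unconditional deserves a second look when the role is reviewed.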