When you use an Amazon Kendra index as a retriever, you must provide Amazon Q Business with an IAM role with permissions to access Amazon Kendra. You must also provide a trust policy that allows Amazon Q to assume the role. The following are the policies that must be provided.
To allow Amazon Q to access your Amazon Kendra index, use the following policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "KendraRetrieveAccess",
            "Effect": "Allow",
            "Action": [
                "kendra:Retrieve",
                "kendra:DescribeIndex"
            ],
            "Resource": "arn:aws:kendra:{{region}}:{{source_account}}:index/{{indexId}}"
        }
    ]
}
To allow Amazon Q to assume the role, use the following trust policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AmazonQKendraAccessPermission",
            "Effect": "Allow",
            "Principal": {
                "Service": "qbusiness.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "{{source_account}}"
                },
                "ArnEquals": {
                    "aws:SourceArn": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{applicationId}}"
                }
            }
        }
    ]
}
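The two condition keys in the trust policy are what restrict the role to one Amazon Q application in your own account. The following check is an added example, not part of the original documentation: it audits a trust policy document offline and reports statements that trust `qbusiness.amazonaws.com` without pinning both keys. The function names, the account ID `111122223333`, and the application ID `EXAMPLE-APP-ID` are constructed for illustration, and the check assumes condition keys are written with the exact casing shown on this page.

```python
SERVICE = "qbusiness.amazonaws.com"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, account_id):
    """Return findings for Allow statements that trust the Amazon Q service principal."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or SERVICE not in services:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        cond = stmt.get("Condition", {})
        # aws:SourceAccount must name exactly the account that owns the application.
        accounts = _as_list(cond.get("StringEquals", {}).get("aws:SourceAccount", []))
        if accounts != [account_id]:
            findings.append(f"{sid}: aws:SourceAccount is not pinned to {account_id}")
        # aws:SourceArn must name one application, with no wildcards in any field.
        arns = _as_list(cond.get("ArnEquals", {}).get("aws:SourceArn", []))
        if not arns:
            findings.append(f"{sid}: aws:SourceArn condition is missing")
        for arn in arns:
            parts = arn.split(":", 5)
            ok = (len(parts) == 6 and parts[2] == "qbusiness" and parts[4] == account_id
                  and parts[5].startswith("application/") and "*" not in arn and "?" not in arn)
            if not ok:
                findings.append(f"{sid}: aws:SourceArn {arn!r} is not a single application in {account_id}")
    return findings

def sample_trust_policy(condition):
    """Constructed sample shaped like the trust policy on this page."""
    stmt = {"Sid": "AmazonQKendraAccessPermission", "Effect": "Allow",
            "Principal": {"Service": SERVICE}, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

ACCOUNT = "111122223333"  # constructed sample account ID
APP_ARN = f"arn:aws:qbusiness:us-east-1:{ACCOUNT}:application/EXAMPLE-APP-ID"
PINNED = sample_trust_policy({"StringEquals": {"aws:SourceAccount": ACCOUNT},
                              "ArnEquals": {"aws:SourceArn": APP_ARN}})
UNCONDITIONED = sample_trust_policy(None)
WILDCARD = sample_trust_policy({"StringEquals": {"aws:SourceAccount": ACCOUNT},
    "ArnEquals": {"aws:SourceArn": f"arn:aws:qbusiness:*:{ACCOUNT}:application/*"}})

if __name__ == "__main__":
    for name, pol in [("pinned", PINNED), ("unconditioned", UNCONDITIONED), ("wildcard", WILDCARD)]:
        print(name, audit_trust_policy(pol, ACCOUNT) or "ok")
```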