Configuring a PagerDuty Advance plugin for Amazon Q Business
PagerDuty Operations Cloud is a software-as-a-service (SaaS) incident response management
platform that provides IT teams with knowledge about incidents as soon as they occur. If
you’re a PagerDuty Advance customer who has PagerDuty Advance AI Assistant
-
Get incidents
-
Similar incidents
-
Root cause incident
-
Find recent changes
-
Who is on-call
-
Status update on incident
-
Customer impact
-
Update incident
To create a PagerDuty Advance plugin, you need configuration information from your PagerDuty Advance instance to set up a connection between Amazon Q and PagerDuty Advance and allow Amazon Q to perform actions in PagerDuty Advance.
For more information on how to use plugins during your web experience chat, see Using plugins.
Prerequisites
Before you configure your Amazon Q PagerDuty Advance plugin, you must do the following:
-
As an admin, create a new OAuth 2.0 PagerDuty Advance app in the PagerDuty Advance developer console with scoped permissions for performing actions in Amazon Q. To learn how to do this, see Register an App
in PagerDuty Advance Developer Documentation. -
Make sure you've added following required scopes:
write
. -
Note the domain URL of your PagerDuty Advance instance. For example:
https://api.pagerduty.com
. -
Note your:
-
Access token URL – For PagerDuty Advance OAuth applications, this is
https://identity.pagerduty.com/oauth/token
. -
Authorization URL – For PagerDuty Advance OAuth applications, this is
https://identity.pagerduty.com/oauth/authorize
. -
Redirect URL – The URL to which user needs to be redirected after authentication. If your deployed web url is
<q-endpoint>
, use<q-endpoint>/oauth/callback
. Amazon Q Business will handle OAuth tokens in this URL. This callback URL needs to be allowlisted in your third-party application. -
Client ID – The client ID generated when you create your OAuth 2.0 application in PagerDuty Advance.
-
Client secret – The client secret generated when you create your OAuth 2.0 application in PagerDuty Advance.
You will need this authentication information during the plugin configuration process.
-
Service access roles
To successfully connect Amazon Q to PagerDuty Advance, you need to give Amazon Q the following permission to access your Secrets Manager secret to get your PagerDuty Advance credentials. Amazon Q assumes this role to access your PagerDuty Advance credentials.
The following is the service access IAM role required:
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue" ], "Resource": [ "arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]" ] } ] }
To allow Amazon Q to assume a role, use the following trust policy:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "QBusinessApplicationTrustPolicy", "Effect": "Allow", "Principal": { "Service": "qbusiness.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "{{source_account}}" }, "ArnLike": { "aws:SourceArn":"arn:aws:qbusiness:{{your-region}}:{{source_account}}:application/{{application_id}}" } } } ] }
If you use the console and choose to create a new IAM role, Amazon Q creates the role for you. If you use the console and choose to use an existing secret, or you use the API, make sure your IAM role contains these permissions.
Creating a plugin
To create a PagerDuty Advance plugin for your web experience chat, you can use the AWS Management Console or the CreatePlugin API operation. The following tabs provide a procedure for creating a PagerDuty Advance plugin using the console and code examples for the AWS CLI.