Prerequisites for existing AWS Supply Chain users

Enabling Amazon Q in AWS Supply Chain

Note

Only an AWS Supply Chain administrator can enable Amazon Q in AWS Supply Chain.

To enable Amazon Q in AWS Supply Chain, perform the following procedure:

In the left navigation pane on the AWS Supply Chain dashboard, choose the Settings icon.
Under Organization, choose Organization Profile.

The Organization Profile page appears.
Under Enable access for Amazon Q..., slide the Amazon Q in AWS Supply Chain button to enable Amazon Q in AWS Supply Chain and ask questions regarding your supply chain.
Choose Save.

The Confirm Amazon Q in AWS Supply Chain access window appears.
Choose Acknowledge.

The Amazon Q dialog window should automatically appear on the right side of the page. You can hide or unhide the page by choosing the Amazon Q icon.

Prerequisites for existing AWS Supply Chain users

Note

If your AWS Supply Chain instance was created before the Amazon Q in AWS Supply Chain release, you will need to follow the procedure below to update the instance permissions.

To update the instance role in the IAM console, perform the following steps:

Make sure all the permissions listed under KMS policy are added to the KMS key policy used in the AWS Supply Chain instance.
In the IAM console, find the instance role with the AWS Supply Chain InstanceId. You can find the AWS Supply Chain InstanceId in the AWS Supply Chain console.

Attach the following policy as an inline policy to the role.



{
    "Version": "2012-10-17",
    "Statement":  [
        {
            "Sid": "AccessKmsToEnableAscQ",
            "Effect": "Allow",
            "Action": "kms:CreateGrant",
            "Resource": "{{kmsKeyArn}}",
            "Condition":  {
                "ForAllValues:StringEquals":  {
                    "kms:GrantOperations":  [
                        "Encrypt",
                        "Decrypt",
                        "GenerateDataKey",
                        "GenerateDataKeyWithoutPlaintext",
                        "DescribeKey"
                    ]
                },
                "StringLike":  {
                    "kms:ViaService": "scn.*.amazonaws.com"
                },
                "Bool":  {
                    "kms:GrantIsForAWSResource": true
                }
            }
        },
        {
            "Sid": "AccessKmsToInteractWithAscQ",
            "Effect": "Allow",
            "Action":  [
                "kms:Decrypt",
                "kms:DescribeKey",
                "kms:GenerateDataKey"
            ],
            "Resource": "{{kmsKeyArn}}",
            "Condition":  {
                "StringLike":  {
                    "kms:ViaService": "scn.*.amazonaws.com"
                }
            }
        }
    ]
}

Replace the kmsKeyArn with the actual AWS KMS Key Arn used in the AWS Supply Chain instance.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Amazon Q in AWS Supply Chain

Creating and assigning custom user roles to access Amazon Q in AWS Supply Chain