Use third-party applications in your Amazon Connect agent workspace
Requirements
If you're using custom IAM policies to manage access to third-party
applications, your users need the following IAM permissions to integrate a
third-party application using the AWS Console. In addition to
AmazonConnect_FullAccess
, users need:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "app-integrations:CreateApplication", "app-integrations:GetApplication", "iam:GetRolePolicy", "iam:PutRolePolicy", "iam:DeleteRolePolicy" ], "Resource": "arn:aws:app-integrations:
<aws-region>
:<aws-account-Id>
:application/*", "Effect": "Allow" } ] }
How to integrate a third-party application
Note
To integrate third-party applications into your instances, ensure that your instance is using a Service-Linked Role (SLR). If your instance currently does not use an SLR but you wish to integrate third-party applications, you will need to migrate to an SLR. Third-party applications can only be integrated and used in instances that are using an SLR. For more information, see For instances created before October 2018.
-
Open the Amazon Connect console
(https://console.aws.amazon.com/connect/). -
On the left navigation pane, choose Third-party applications. If you do not see this menu, it’s because it is not available in your region. To check the regions where this feature is available, see Availability of Amazon Connect features by Region.
-
On the Third-party applications page, choose Add application.
-
On the Add application page, enter:
-
Basic information
-
Display name: A friendly name for the application. This name will display on security profiles and to your agents on the tab within the agent workspace. You may come back and change this name.
-
Namespace: The official name that is unique for your application. If you have only one application per access URL, we recommend that you use the origin of the access URL. You may not change this name.
-
Description (optional): You may optionally provide any description for this application. This description will not display to agents.
-
-
Access
-
Access URL: This is the URL where your application is hosted. The URL must be secure, starting with https, unless it’s a local host.
Note
Not all URLs can be iframed. Here are two ways to check if the URL can be iframed:
-
There is a third-party tool available to help check if a URL can be iframed that is called Iframe Tester
. -
If a URL can be iframed, it will render in a preview on this page.
-
If a URL cannot be iframed, it will display an error in the preview on this page.
-
It is possible that this website displays an error, and the app can still be iframed in the agent workspace. This is because the app developer can lock down their app to only be embeddable into the workspace and nowhere else. If you received this app from an app developer, we recommend that you still try integrating this app into the agent workspace.
-
-
-
For technical users: Check the security policy content of the application you are trying to integrate.
-
Firefox: Hamburger menu > More tools > Web developer tools > Network
-
Chrome: 3 dots menu > More tools > Developer tools > Network
-
Other browsers: Locate the network settings in the developer tools.
-
The Content-Security-Policy frame-ancestors directive should be
https://
.your-instance
.my.connect.aws-
If the directive is
same origin
ordeny
, then this URL cannot be iframed by AWS/Amazon Connect
-
-
Here’s what you can do if the app cannot be iframed:
-
If you control the app/URL, you can update the app’s content security policy. Follow the best practices for app developers/ Ensuring that apps can only be embedded in the Connect agent workspace section here.
-
If you do not control the app/URL, you can try reaching out to the app developer and asking them to update the app’s content security policy.
-
-
Approved origins (optional): Allowlist URLs that should be permitted, if different than the access URL. The URL must be secure, starting with https, unless it’s a local host.
-
-
Add permissions to events and requests.
The following is an example of how you can onboard a new application and assign permissions to it by using the AWS Console. In this example, six different permissions are assigned to the application.
Providing basic information and access details
-
Instance association
-
You may give any instance(s) within this account-region access to this application.
-
While associating the application to an instance is optional, you will not be able to use this application until you associate it with instance(s).
-
Granting permissions to the application for workspace data integration
-
-
Choose Save.
-
If the application was successfully created, you will be returned to the Third-party applications page, you will see a success banner, and you should see the application on the list.
You can edit certain attributes of an existing app, such as its Display Name, Access URL, and Permissions.
-
If there was an error in either creating the application or associating the application to an instance, then you will see an error message, and you can take the corresponding action to correct the issue.
-
Delete third-party applications
If you no longer want to use a third-party application in the foreseeable future, you can delete it. If you temporarily want to stop using it, but you may want to use it again in the foreseeable future, we recommend that you disassociate it from an instance to avoid having to add it again. To delete third-party applications, navigate to the AWS console, select an application, and choose Delete.
Troubleshooting
-
The operation will fail if the application is associated with any instance. You will first have to disassociate the application from any instance. Then you can come back and delete.
Tip
If you created an application before Dec 15, 2023, then you may encounter issues when updating the association of the application to instance(s). This is because you need to make updates to your IAM policy.
Your IAM policy will need to be updated to include the following permissions:
-
app-integrations:CreateApplicationAssociation
-
app-integrations:DeleteApplicationAssociation
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "app-integrations:CreateApplication", "app-integrations:GetApplication" ], "Resource": "arn:aws:app-integrations:
<aws-region>
:<aws-account-Id>
:application/*", "Effect": "Allow" }, { "Action": [ "app-integrations:CreateApplicationAssociation", "app-integrations:DeleteApplicationAssociation" ], "Resource": "arn:aws:app-integrations:<aws-region>
:<aws-account-Id>
:application-association/*", "Effect": "Allow" }, { "Action": [ "iam:GetRolePolicy", "iam:PutRolePolicy", "iam:DeleteRolePolicy" ], "Resource": "arn:aws:iam::<aws-account-Id>
:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect_*", "Effect": "Allow" } ] }