Prerequisites
The following steps are prequisites for the getting started exercises. The steps show you how to set up your account, create an IAM role that gives Amazon Kendra permission to make calls on your behalf, and index documents from an Amazon S3 bucket. An S3 bucket is used as an example, but you can use other data sources that Amazon Kendra supports. See Data sources.
Sign up for an AWS account
If you do not have an AWS account, complete the following steps to create one.
To sign up for an AWS account
Follow the online instructions.
Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.
When you sign up for an AWS account, an AWS account root user is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform tasks that require root user access.
AWS sends you a confirmation email after the sign-up process is
complete. At any time, you can view your current account activity and manage your account by
going to https://aws.amazon.com/
Create a user with administrative access
After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.
Secure your AWS account root user
-
Sign in to the AWS Management Console
as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password. For help signing in by using root user, see Signing in as the root user in the AWS Sign-In User Guide.
-
Turn on multi-factor authentication (MFA) for your root user.
For instructions, see Enable a virtual MFA device for your AWS account root user (console) in the IAM User Guide.
Create a user with administrative access
-
Enable IAM Identity Center.
For instructions, see Enabling AWS IAM Identity Center in the AWS IAM Identity Center User Guide.
-
In IAM Identity Center, grant administrative access to a user.
For a tutorial about using the IAM Identity Center directory as your identity source, see Configure user access with the default IAM Identity Center directory in the AWS IAM Identity Center User Guide.
Sign in as the user with administrative access
-
To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.
For help signing in using an IAM Identity Center user, see Signing in to the AWS access portal in the AWS Sign-In User Guide.
Assign access to additional users
-
In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.
For instructions, see Create a permission set in the AWS IAM Identity Center User Guide.
-
Assign users to a group, and then assign single sign-on access to the group.
For instructions, see Add groups in the AWS IAM Identity Center User Guide.
-
If you are using an S3 bucket containing documents to test Amazon Kendra, create an S3 bucket in the same region that you are using Amazon Kendra. For instructions, see Creating and Configuring an S3 Bucket in the Amazon Simple Storage Service User Guide.
Upload your documents to your S3 bucket. For instructions, see Uploading, Downloading, and Managing Objects in the Amazon Simple Storage Service User Guide.
If you are using another data source, you must have an active site and credentials to connect to the data source.
If you are using the console to get started, start with Getting started with the Amazon Kendra console.
Amazon Kendra resources: AWS CLI, SDK, console
There are certain permissions required if you use CLI, SDK, or the console.
To use Amazon Kendra for the CLI, SDK, or console you must have permissions to allow Amazon Kendra to create and manage resources on your behalf. Depending on your use case, these permissions include access to the Amazon Kendra API itself, AWS KMS keys if you want to encrypt your data through a custom CMK, Identity Center directory if you want to integrate with AWS IAM Identity Center or create a Search Experience. For a full list of permissions for different use cases, see IAM roles.
First, you must attach the below permissions to your IAM user.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1644430853544", "Action": [ "kms:CreateGrant", "kms:DescribeKey" ], "Effect": "Allow", "Resource": "*" }, { "Sid": "Stmt1644430878150", "Action": "kendra:*", "Effect": "Allow", "Resource": "*" }, { "Sid": "Stmt1644430973706", "Action": [ "sso:AssociateProfile", "sso:CreateManagedApplicationInstance", "sso:DeleteManagedApplicationInstance", "sso:DisassociateProfile", "sso:GetManagedApplicationInstance", "sso:GetProfile", "sso:ListDirectoryAssociations", "sso:ListProfileAssociations", "sso:ListProfiles" ], "Effect": "Allow", "Resource": "*" }, { "Sid": "Stmt1644430999558", "Action": [ "sso-directory:DescribeGroup", "sso-directory:DescribeGroups", "sso-directory:DescribeUser", "sso-directory:DescribeUsers" ], "Effect": "Allow", "Resource": "*" }, { "Sid": "Stmt1644431025960", "Action": [ "identitystore:DescribeGroup", "identitystore:DescribeUser", "identitystore:ListGroups", "identitystore:ListUsers" ], "Effect": "Allow", "Resource": "*" } ] }
Second, if you use the CLI or SDK, you must also create an IAM role and policy to access Amazon CloudWatch Logs. If you are using the console, you don't need to create an IAM role and policy for this. You create this as part of the console procedure.
To create an IAM role and policy for the AWS CLI and SDK that allows Amazon Kendra to access your Amazon CloudWatch Logs.
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
. -
From the left menu, choose Policies and then choose Create policy.
-
Choose JSON and then replace the default policy with the following:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData" ], "Resource": "*", "Condition": { "StringEquals": { "cloudwatch:namespace": "AWS/Kendra" } } }, { "Effect": "Allow", "Action": [ "logs:DescribeLogGroups" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "logs:CreateLogGroup" ], "Resource": [ "arn:aws:logs:
region
:account ID
:log-group:/aws/kendra/*" ] }, { "Effect": "Allow", "Action": [ "logs:DescribeLogStreams", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": [ "arn:aws:logs:region
:account ID
:log-group:/aws/kendra/*:log-stream:*" ] } ] } -
Choose Review policy.
-
Name the policy "KendraPolicyForGettingStartedIndex" and then choose Create policy.
-
From the left menu, choose Roles and then choose Create role.
-
Choose Another AWS account and then type your account ID in Account ID. Choose Next: Permissions.
-
Choose the policy that you created above and then choose Next: Tags
-
Don't add any tags. Choose Next: Review.
-
Name the role "KendraRoleForGettingStartedIndex" and then choose Create role.
-
Find the role that you just created. Choose the role name to open the summary. Choose Trust relationships and then choose Edit trust relationship.
-
Replace the existing trust relationship with the following:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "kendra.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }
-
Choose Update trust policy.
Third, if you use an Amazon S3 to store your documents or you are using S3 to test Amazon Kendra, you also must create an IAM role and policy to access your bucket. If you are using another data source, see IAM roles for data sources.
To create an IAM role and policy that allows Amazon Kendra to access and index your Amazon S3 bucket.
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
. -
From the left menu, choose Policies and then choose Create policy.
-
Choose JSON and then replace the default policy with the following:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::
bucket name
/*" ], "Effect": "Allow" }, { "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::bucket name
" ], "Effect": "Allow" }, { "Effect": "Allow", "Action": [ "kendra:BatchPutDocument", "kendra:BatchDeleteDocument" ], "Resource": "arn:aws:kendra:region
:account ID
:index/*" } ] } -
Choose Review policy.
-
Name the policy "KendraPolicyForGettingStartedDataSource" and then choose Create policy.
-
From the left menu, choose Roles and then choose Create role.
-
Choose Another AWS account and then type your account ID in Account ID. Choose Next: Permissions.
-
Choose the policy that you created above and then choose Next: Tags
-
Don't add any tags. Choose Next: Review.
-
Name the role "KendraRoleForGettingStartedDataSource" and then choose Create role.
-
Find the role that you just created. Choose the role name to open the summary. Choose Trust relationships and then choose Edit trust relationship.
-
Replace the existing trust relationship with the following:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "kendra.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }
-
Choose Update trust policy.
Depending on how you want to use the Amazon Kendra API, do one of the following.