Information to be provided to the Amazon Q Business team

Before an independent software vendor (ISV) can become a verified data accessor, it must provide either Auth code or Trusted token issuer (TTI) configuration information to the Amazon Q Business team.

Prerequisite for both Auth code and TTI configurations

tenantId

The tenantId is a unique identifier for your application tenant. Each application might use a different term for a tenant, such as Workspace ID for Slack or Domain ID for Asana. You can review the Prerequisites page to see how to retrieve the tenantId for your application.

Auth code

Prerequisites:

  • The display name to list on the AWS Management Console

  • The business logo that Amazon Q Business customers will select

  • The redirect URL for the OAuth authorization code flow.

    Note

    The OAuth authorization code flow is an industry standard that lets third-party applications obtain user access permissions. In the authorization code flow, the ISV receives an auth code from AWS and exchanges it for an ID token.

  • The ISVs must create the following AWS Identity and Access Management (IAM) role with the necessary permissions and trust policy to interact with the Amazon Q Business services and APIs. This IAM role is granted access as a data accessor when Amazon Q Business customers provide access to their Amazon Q index. For more information, see IAM role terms and concepts and Create a role to delegate permissions to an IAM user.

    • ISV IAM role

      JSON

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "qbusiness:SearchRelevantContent",
              "sso-oauth:CreateTokenWithIAM",
              "kms:Decrypt",
              "sts:SetContext"
            ],
            "Resource": "*"
          }
        ]
      }

    • ISV IAM role trust policy

      JSON

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "ISVRoleTrustPolicy",
            "Effect": "Allow",
            "Principal": {
              "AWS": [
                "${your_application_iam_role}"
              ]
            },
            "Action": [
              "sts:AssumeRole",
              "sts:SetContext",
              "sts:TagSession"
            ]
          }
        ]
      }

    • ISV tenantId

      • What is tenantId?

        The tenantId is a unique identifier for your application tenant. Each application might use a different term for a tenant, such as Workspace ID for Slack or Domain ID for Asana.

      • Where do you find the tenantId?

        Provide information about where the IT admin of an enterprise can find this value in the ISV's application.

TTI

Prerequisites:

  • The display name to list on the AWS Management Console

  • The business logo that Amazon Q Business customers will select

  • OIDC ClientId that can be used to generate tokens for all the customers - The OAuth 2.0 authorization server (the trusted token issuer) that creates the token must have an OpenID Connect (OIDC) discovery endpoint that IAM Identity Center can use to obtain the public keys needed to verify the token signatures. For more information, see OIDC discovery endpoint URL (issuer URL).

  • Discovery endpoint/Issuer URL - The entity that issued the token. This value must match the value that is configured in the OIDC discovery endpoint (issuer URL) in the trusted token issuer.

Note

Trusted token issuer (app-level authentication) - A trusted token issuer is an OAuth 2.0 authorization server that creates signed tokens. These tokens authorize applications that initiate requests (requesting applications) to access AWS managed applications (receiving applications).

The ISVs must create the following AWS Identity and Access Management (IAM) role with the necessary permissions and trust policy to interact with the Amazon Q Business services and APIs. This IAM role is granted access as a data accessor when Amazon Q Business customers provide access to their Amazon Q index. For more information, see IAM role terms and concepts and Create a role to delegate permissions to an IAM user.

  • ISV IAM role

    JSON

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "qbusiness:SearchRelevantContent",
            "sso-oauth:CreateTokenWithIAM",
            "kms:Decrypt",
            "sts:SetContext"
          ],
          "Resource": "*"
        }
      ]
    }

  • ISV IAM role trust policy

    JSON

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "ISVRoleTrustPolicy",
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "${your_application_iam_role}"
            ]
          },
          "Action": [
            "sts:AssumeRole",
            "sts:SetContext",
            "sts:TagSession"
          ]
        }
      ]
    }
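The same ISV IAM role and trust policy are required for both the Auth code and TTI configurations above. The following script is an added example, not code from AWS or this page: it lints the two policy documents before they are sent to the Amazon Q Business team, confirming the documented action sets and catching a trust policy whose `${your_application_iam_role}` placeholder was never replaced with a specific role ARN. The sample ARN and the function and constant names are constructed for the example.

```python
import json
import re

# Added example (not AWS code): lint the ISV IAM permission policy and trust policy
# from this page before submitting them to the Amazon Q Business team.

# The permission set the page documents for the ISV role; any difference is flagged.
EXPECTED_ACTIONS = {"qbusiness:SearchRelevantContent", "sso-oauth:CreateTokenWithIAM",
                    "kms:Decrypt", "sts:SetContext"}
EXPECTED_TRUST_ACTIONS = {"sts:AssumeRole", "sts:SetContext", "sts:TagSession"}
# A trust principal must be one specific IAM role ARN, never "*" or an unreplaced placeholder.
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

def as_list(value):
    """IAM accepts a single element where a list is also accepted; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def check_isv_policies(role_policy: dict, trust_policy: dict) -> list[str]:
    """Return findings for the permission policy and trust policy; an empty list means OK."""
    findings = []
    for name, doc in (("role policy", role_policy), ("trust policy", trust_policy)):
        if doc.get("Version") != "2012-10-17":
            findings.append(f"{name}: Version must be 2012-10-17")
    allowed = {a for s in as_list(role_policy.get("Statement"))
               if s.get("Effect") == "Allow" for a in as_list(s.get("Action"))}
    if allowed != EXPECTED_ACTIONS:
        findings.append(f"role policy: unexpected action set, diff {sorted(allowed ^ EXPECTED_ACTIONS)}")
    for stmt in as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else as_list(principal.get("AWS"))
        for p in principals:
            if "${" in p:
                findings.append(f"trust policy: placeholder {p} not replaced with the application role ARN")
            elif not ROLE_ARN.match(p):
                findings.append(f"trust policy: principal {p!r} is not a single IAM role ARN")
        if set(as_list(stmt.get("Action"))) != EXPECTED_TRUST_ACTIONS:
            findings.append("trust policy: actions must be exactly sts:AssumeRole, sts:SetContext, sts:TagSession")
    return findings

# Constructed sample input: the page's policies, first as published and then with a
# constructed (not real) application role ARN substituted for the placeholder.
ROLE_POLICY = json.loads('{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":'
    '["qbusiness:SearchRelevantContent","sso-oauth:CreateTokenWithIAM","kms:Decrypt",'
    '"sts:SetContext"],"Resource":"*"}]}')
TRUST_TEMPLATE = ('{"Version":"2012-10-17","Statement":[{"Sid":"ISVRoleTrustPolicy","Effect":"Allow",'
    '"Principal":{"AWS":["%s"]},"Action":["sts:AssumeRole","sts:SetContext","sts:TagSession"]}]}')
UNFILLED = json.loads(TRUST_TEMPLATE % "${your_application_iam_role}")
FILLED = json.loads(TRUST_TEMPLATE % "arn:aws:iam::123456789012:role/ExampleIsvAppRole")

if __name__ == "__main__":
    print(check_isv_policies(ROLE_POLICY, UNFILLED))  # one finding: placeholder left in
    print(check_isv_policies(ROLE_POLICY, FILLED))    # []
```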