AWS Chatbot is now Amazon Q Developer. [Learn more](service-rename.md)

# Running AWS CLI commands from chat channels using Amazon Q Developer in chat applications
Running AWS CLI commands

You can run commands using AWS CLI syntax directly in chat channels. Amazon Q Developer enables you to retrieve diagnostic information, configure AWS resources, and run workflows. 

When you interact with Amazon Q Developer in your chat channels, it prompts you for any missing parameters before it runs the command. 

**Note**  
To perform actions in your chat channels, you must first have the appropriate permissions. For more information about Amazon Q Developer in chat applications permissions, see [Understanding Amazon Q Developer in chat applications permissions](understanding-permissions.md).  
Amazon Q Developer doesn't support running commands for certain operations. For more information, see [Non-supported operations](understanding-permissions.md#forbidden-permissions).

**Topics**
+ [

# AWS CLI command syntax in Amazon Q Developer in chat applications
](intro-to-the-aws-cli-in-slack.md)
+ [

# Running commands using Amazon Q Developer in chat applications
](Things-to-know-about-cli.md)
+ [

# Configuring commands support on an existing chat channel using Amazon Q Developer in chat applications
](setting-up-aws-cli-on-slack.md)
+ [

# Enabling multiple accounts to use commands using Amazon Q Developer in chat applications
](multiple-accounts-in-a-channel.md)

# AWS CLI command syntax in Amazon Q Developer in chat applications
Command syntax

After you set up the Amazon Q Developer in chat applications, you run commands with the following prefix:

`@Amazon Q`

**Note**  
If you are using Slack and AWS is not listed as a valid member of the channel, you need to add the Amazon Q Developer in chat applications app to the Slack workspace and invite it to the channel. For more information, see the [Getting started guide for Amazon Q Developer in chat applications](getting-started.md).

**Tip**  
Instead of entering `@Amazon Q`, you can enter `@Q` and choose the autocomplete recommendation that matches the app name.

The Amazon Q Developer in chat applications command syntax is the same as you would use in a terminal:

`@Amazon Q service command --options`

**Note**  
You can specify parameters with either a double hyphen (*--option*) or a single hyphen (*-option*). This allows you to use a mobile device to run commands without running into issues with the mobile device automatically converting a double hyphen to a long dash.

**Note**  
AWS CLI commands run from AWS Chatbot have an execution [timeout](https://docs.aws.amazon.com/whitepapers/latest/serverless-architectures-lambda/timeout.html) of 15 seconds. If a command response is not received within 15 seconds, you receive a timeout error message. If you have longer running jobs, such as AWS Lambda functions, you should invoke them asynchronously from Amazon Q Developer in chat applications. The maximum allowable Lambda function execution timeout is 900 seconds (15 minutes). For more information about asynchronous invocation, see [Asynchronous invocation](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async.html) in the *AWS Lambda Developer Guide*.

For example, enter the following read-only command to view a list of your Lambda functions:

`@Amazon Q lambda list-functions`

Enter the following commands to list and chart CloudWatch alarms:

`@Amazon Q cloudwatch describe-alarms --state ALARM`

You can also use CLI commands to change you AWS resources. For example, enter the following command to change your Kinesis shards:

`@Amazon Q kinesis update-shard-count --stream-name samplestream --scaling-type UNIFORM_SCALING --target-shard-count 6 `

You can enter a complete AWS CLI command with all the parameters, or you can enter the command without parameters and Amazon Q Developer in chat applications prompts you for missing parameters.

For more information on commonly used CLI commands, see [Using CLI commands with Amazon Q Developer in chat applications - Common use cases](common-use-cases.md). For an exhaustive list of CLI commands, see the [AWS CLI Command Reference](https://docs.aws.amazon.com/cli/latest/index.html).

**Note**  
If you find you are unable to run commands, you may need to switch your user role or contact your administrator to find out what actions are permissible.

The following limitations apply to running AWS CLI commands in your chat rooms:
+ You may experience some latency when invoking commands through Amazon Q Developer in chat applications.
+ Regardless of their Amazon Q Developer in chat applications role permissions, users cannot run IAM, AWS Security Token Service, or AWS Key Management Service commands within chat channels.
+ Amazon S3 service commands support Linux-style command aliases such as **ls** and **cp**. Amazon Q Developer in chat applications does not support Amazon S3 command aliases for commands in Slack.
+ Users cannot display or decrypt secret keys or key pairs for any AWS service, or pass IAM credentials.
+ You can't use AWS CLI command memory (that is, recent commands appear when the user presses up arrow or down arrow keys) in the chat channel. You must enter, or copy and paste each AWS CLI command in the chat channel.
+ You can create AWS support cases through your chat channels. You cannot add attachments to these cases from the chat channel.
+ Chat channels do not support standard AWS CLI pagination. 

# Running commands using Amazon Q Developer in chat applications
Running commands

Amazon Q Developer in chat applications tracks your use of command options and prompts you for any missing parameters before it runs the command you want. 

For example, if you enter `@Amazon Q lambda get-function` with no further arguments, you're prompted for the function name. You can run the `@Amazon Q lambda list-functions` command, find the function name you need, and re-run the first command with the corrected option. You can add more parameters for the initial command with `@Amazon Q function-name name`. Amazon Q Developer in chat applications parses your commands and helps you complete the correct syntax so it can run the complete AWS CLI command.

**Topics**
+ [

## Getting help for AWS services in Amazon Q Developer in chat applications
](#getting-help-in-the-chat-window)
+ [

## Formatting data and viewing logs in Amazon Q Developer in chat applications
](#formatting-in-the-chat-window.title)
+ [

## Displaying Amazon CloudWatch Logs information using Amazon Q Developer in chat applications
](#logs-in-the-chat-window.title)
+ [

## Creating an AWS Support case using Amazon Q Developer in chat applications
](#create-a-support-case)

## Getting help for AWS services in Amazon Q Developer in chat applications
Getting help for AWS services

To get help about commands for any AWS service, enter **@Amazon Q** followed by the service name, as shown following: 

`@Amazon Q lambda --help`

`@Amazon Q cloudwatch describe-alarms --help`

## Formatting data and viewing logs in Amazon Q Developer in chat applications
Formatting data and viewing logs

To ensure data from Amazon CloudWatch alarms is correctly formatted, attach the **Lambda-Invoke Command Permissions** and **ReadOnly Commands Permissions** IAM policies to the role in the Amazon Q Developer in chat applications console for users in the chat channel. 

Run the `cloudwatch describe-alarms` command to show CloudWatch alarms in chart form as follows: 

`@Amazon Q cloudwatch describe-alarms `

You can change the command to only include notifications in the alarm state, filtering out other notifications, by adding the following option:

`@Amazon Q cloudwatch describe-alarms --state ALARM`

To see alarms from a different AWS Region, include that Region in the command:

`@Amazon Q cloudwatch describe-alarms --state ALARM --region us-east-1`

You can also filter AWS CLI output by using the optional `query` parameter. A query uses JMESPath syntax to create an expression to filter your output to your specifications. For more information about filtering, see [Filtering AWS CLI output](https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-filter.html) in the *AWS Command Line Interface User Guide*. For more information about JMESPath syntax, see [their website](https://jmespath.org/). The following example shows how to limit AWS CLI output for the `cloudwatch describe-alarms` command to just the alarm name, description, state, and reason attributes.

```
@Amazon Q cloudwatch describe-alarms --query 
 @.{MetricAlarms:MetricAlarms[*].
 {AlarmName:AlarmName, AlarmDescription:AlarmDescription, StateValue:StateValue, 
 StateReason:StateReason, Namespace:Namespace, MetricName:MetricName, 
 Dimensions:Dimensions, ComparisonOperator:ComparisonOperator, Threshold:Threshold, 
 Period:Period, EvaluationPeriods:EvaluationPeriods, Statistic:Statistic}} 
 --region us-east-2
```

## Displaying Amazon CloudWatch Logs information using Amazon Q Developer in chat applications
Displaying Amazon CloudWatch Logs information

CloudWatch alarm notifications show buttons in chat client notifications to view logs related to the alarm. These notifications use the [CloudWatch Log Insights feature](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AnalyzingLogData.html). There may be service charges for using this feature to query and show logs.

You can view CloudWatch logs, including error logs, that are associated with the CloudWatch alarm by choosing **Show logs** at the bottom of the alarm notification. Amazon Q Developer in chat applications displays the first 30 log entries from the start of the alarm evaluation period. Amazon Q Developer in chat applications uses CloudWatch Log Insights to query for logs. The query results contain a link to the CloudWatch Log Insights console, where a user can dive deeper into logs details.

Choose **Show error logs** to filter search results to log entries containing Error, Exception, or Fail terms.

The log shows a command that a user can copy, paste, and edit to re-run the query for viewing logs.

## Creating an AWS Support case using Amazon Q Developer in chat applications
Creating AWS Support cases

The **AWS Support Command Permissions** policy appears in the Amazon Q Developer in chat applications console when you configure resources. It's provided in the Amazon Q Developer in chat applications console so that you can set up new roles for users in your chat client to create AWS support tickets through their chat channels. 

You can quickly create a new AWS support case by entering the following:

`@Amazon Q support create-case`

Follow the prompts from Amazon Q Developer in chat applications to fill out the support case with its needed parameters. When you complete the case information entry, Amazon Q Developer in chat applications asks for confirmation. You will not be able to use file attachments.

**Note**  
Amazon Q Developer in chat applications requires `UpperCamelCase` for the `--query` parameter. In `UpperCamelCase`, the first letter of every word is capitalized.

For any Amazon Q Developer in chat applications role that creates Support cases, you need to attach the **AWS Support command permissions** policy to the role. For existing roles, you will need to attach the policy in the IAM console.

In the IAM console, this policy appears as **AWSSupportAccess**. 

It is an AWS managed policy. Attach this policy in IAM to any role for Amazon Q Developer in chat applications usage. You can define your own policy with greater restrictions, using this policy as a template.

The **Support Command Permissions** policy applies only to the Support service.

The policy's JSON code is shown following:

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "support:*"
            ],
            "Resource": "*"
        }
    ]
}
```

------

# Configuring commands support on an existing chat channel using Amazon Q Developer in chat applications
Configuring commands support on an existing chat channel

If you have existing chat channels using the Amazon Q Developer in chat applications, you can reconfigure them in a few steps to support the AWS CLI.

1. [Open the Amazon Q Developer in chat applications console](https://us-east-2.console.aws.amazon.com/chatbot/home?region=us-east-2#/chat-clients).

1. In the **Configured Clients** page, select the chat client. If you have only one, its contents (the list of chat channels) appear on the page.
**Note**  
In this procedure, we assume use of an existing Amazon Q Developer in chat applications chat channel configuration. The process is very similar if you need to create a new chat client configuration by choosing **Configure new client**.

1. Choose a channel from the **Configured channels** list, and choose **Edit**. The selected channel can be public or private.

1. Define your **Role setting** by choosing a **Channel role** or **User roles**. For more information about role types, see [Role setting](understanding-permissions.md#role-settings):

------
#### [ Channel role ]

   1. For **Role setting**, choose **Channel role**.

   1. For **Channel role**, choose **Create new role**. If you want to use an existing role instead, choose **Use an existing role**. To use an existing IAM role, you will need to modify it for use with Amazon Q Developer in chat applications. For more information, see [Configuring an IAM Role for Amazon Q Developer in chat applications](editing-iam-roles-for-chatbot.md).

   1. For **Role name**, enter a name. Valid characters: a-z, A-Z, 0-9, .\$1w\$1=,.@-\$1.

   1. For **Role policy template**, choose **Read Only command permissions** and **Lambda-Invoke command permissions**.
**Note**  
If you plan to have users of the role submit Support cases, also attach the **AWS Support command permissions** policy.
If you want the role to allow users to manage incidents, add the **Incident Manager Permissions** policy.

------
#### [ User roles ]

   1. For **Role setting**, choose **User roles**.

------

1. Select the policies that will make up your [channel guardrail policies](understanding-permissions.md#channel-guardrails). Your channel guardrail policies control what actions are available to your channel members.
**Note**  
If you initially had permission to run Lambda invoke, it is contained in **All actions permitted**.
**Note**  
To run most CLI commands from your Slack channel, ensure you select **All actions permitted**.
**Note**  
You do not need to edit or change the Amazon SNS topics configuration for the chat channel.

1. Choose **Save**.

   You can use the IAM console to modify an existing IAM role. By simply attaching the three additional Amazon Q Developer in chat applications policies to the IAM role, users of that role can immediately begin using commands in the chat channel. To do so, see [Configuring an IAM Role for Amazon Q Developer in chat applications](editing-iam-roles-for-chatbot.md).

**Important**  
If you have a large number of chat channels and you want to have the same command permissions across multiple channels, you can apply the configured Amazon Q Developer in chat applications role to any of your other chat channels without further modification. The IAM policies will be consistent across chat channels that support commands in your Amazon Q Developer in chat applications service.

# Enabling multiple accounts to use commands using Amazon Q Developer in chat applications
Enabling multiple accounts to use commands

You can configure Amazon Q Developer in chat applications for multiple AWS accounts in the same chat channel. When you work with Amazon Q Developer in chat applications for the first time in that channel, it asks you which account you want to use. Amazon Q Developer in chat applications remembers the account selection for 7 days.

To change the default account in the channel, enter `@Amazon Q set default-account` and select the account from the list.