Making authenticated Amazon Q Business API calls for an application environment supporting anonymous access
Amazon Q Business handles data securely through integrated authentication and authorization. To support this, a subset of the Amazon Q Business APIs (Chat, ChatSync, and PutFeedback) require identity-unaware AWS Sig V4 credentials for the API call being made: the caller signs the request with temporary credentials that are scoped to the application rather than tied to a user identity.
Prerequisites
Before you begin setting up Sig V4 authenticated API calls for anonymous application environments, make sure you've done the following:
- Created an Amazon Q Business anonymous application environment.
- Configured access to the AWS CLI.
One-time setup
The following section outlines the steps to set up Amazon Q Business access for application environments that support anonymous access. You only need to perform these steps once.
- Create a directory named policies.
- Then, in the same directory, create and save a file named permspolicyforAPIanonymous.json with the following JSON. The policy allows only the three conversation APIs, and only on the one application ARN, so credentials obtained through the role can do nothing else.
API permissions policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "QBusinessAnonymousConversationAPIPermissions",
      "Effect": "Allow",
      "Action": [
        "qbusiness:Chat",
        "qbusiness:ChatSync",
        "qbusiness:PutFeedback"
      ],
      "Resource": "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}"
    }
  ]
}
- Finally, create the role and attach the policy to it using the following commands in the AWS CLI. Creating a role requires a trust policy that allows your principal to assume it; the <trust-policy> placeholder below stands for that file, which this page does not show. The permissions policy is then attached to the role as an inline policy with put-role-policy.
Create and attach policy
aws iam create-role \
    --role-name <role-name> \
    --assume-role-policy-document file://policies/<trust-policy>.json

aws iam put-role-policy \
    --role-name <role-name> \
    --policy-name <policy-name> \
    --policy-document file://policies/permspolicyforAPIanonymous.json
Workflow for each API call session
- First, call the AssumeRole API to get temporary AWS credentials. To do so, use the following command:
aws sts assume-role \
    --role-arn <role-arn> \
    --role-session-name <session-name>
- Then, set the following environment variables in your command line environment using the credentials you received in the response from the AssumeRole API call. Export them so that the AWS CLI process inherits them; all three, including the session token, are needed for the Sig V4 signature to be valid.
export AWS_ACCESS_KEY_ID="<sigv4-access-key>"
export AWS_SECRET_ACCESS_KEY="<sigv4-secret-key>"
export AWS_SESSION_TOKEN="<sigv4-session-token>"
- Then, make Amazon Q Business API calls using the following command:
aws qbusiness chat-sync \
    --application-id <application-id> \
    --user-message "<sample-chat-request>"
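The AWS CLI performs the Sig V4 signing for you with the exported temporary credentials. The following added example (not from this page or from AWS) shows what that signing looks like for a ChatSync request, using only the Python standard library; the endpoint host qbusiness.<region>.api.aws, the request path /applications/<id>/conversations?sync, and the credentials and timestamp in demo() are assumptions or constructed values.

```python
import datetime as dt
import hashlib
import hmac
import json

SERVICE = "qbusiness"

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_chat_sync(application_id, user_message, access_key, secret_key,
                   session_token, region, now):
    """Build a SigV4-signed ChatSync request; returns (url, headers, body)."""
    host = f"{SERVICE}.{region}.api.aws"                  # assumed endpoint format
    path = f"/applications/{application_id}/conversations"  # assumed ChatSync path
    query = "sync="                                        # '?sync' canonicalises to key with empty value
    body = json.dumps({"userMessage": user_message}).encode()
    amz_date, date_stamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    payload_hash = hashlib.sha256(body).hexdigest()
    # The STS session token is sent as x-amz-security-token and is covered by the
    # signature, so the request is bound to that temporary credential set.
    headers = {"content-type": "application/json", "host": host,
               "x-amz-date": amz_date, "x-amz-security-token": session_token}
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join(["POST", path, query, canonical_headers,
                                   signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Derive the signing key: kSecret -> kDate -> kRegion -> kService -> kSigning.
    k_signing = ("AWS4" + secret_key).encode()
    for part in (date_stamp, region, SERVICE, "aws4_request"):
        k_signing = _hmac(k_signing, part)
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return f"https://{host}{path}?sync", headers, body

def demo(session_token="FwoGZXIvYXdzEXAMPLETOKEN"):
    """Sign a sample request with constructed, non-functional credentials."""
    return sign_chat_sync(
        application_id="a1b2c3d4-example-app-id", user_message="What is SigV4?",
        access_key="ASIAEXAMPLEKEY", secret_key="wJalrXUtnFEMI/K7MDENG/EXAMPLEKEY",
        session_token=session_token, region="us-east-1",
        now=dt.datetime(2024, 1, 2, 3, 4, 5, tzinfo=dt.timezone.utc))
```

Because the signature covers the date, the session token and the body, a captured request cannot be reused after the credentials expire, with another token, or with a different message.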