Principal role ARNs Action configuration CLI example

Adding a data accessor using the AWS CLI

In order to add an ISV as a data accessor you will need to call 3 APIs. First, the CreateDataAccessor API operation will create a data accessor and associate your application ID. AssociatePolicy operation API to attach the resource based policy for cross account API calls. Finally, you will set your user assignment for the Identity and Access Management (IAM) Identity Data Center (IDC) application environment with PutApplicationAssignment API. For granular user access control, use the Amazon Q Business console.

Prerequisite for both Auth code and TTI configurations.

tenantID

The tenantID is a unique identifier for your application tenant. Each application might have different terms for a tenant such as Workspace ID for Slack or Domain ID for Asana. You can review the Prerequisites page to see how to retrieve the TenantId for your application.

ISV data accessor principal role ARNs for the CreateDataAccessor API

The following are the principal role ARNs for the supported ISVs:

Asana — arn:aws:iam::920372999046:role/autogen_role_customer-facing-integrations_q_biz_data_accessor
Miro — arn:aws:iam::419356813857:role/AwsQBusinessMiroRetrievalRole
Zoom — arn:aws:iam::787345941828:role/zoom-ai-q-business-retrieval-role
PagerDuty — arn:aws:iam::748801462010:role/terraform/pagerduty-isv-qretriever-dataaccessor-role

Action configuration (JSON) example for the CreateDataAccessor API

action — Only qbusiness:SearchRelevantContent is supported now
filterConfiguration: Specifies the data source id of the Amazon Q application environment. The ISV will only have access to the data from the specified data source id. If there is no data source id specified, the ISV will have access to all the data sources.



# CreateDataAccessor actionConfigurations example
[
   {
        "action": "qbusiness:SearchRelevantContent",
        "filterConfiguration": {
        "documentAttributeFilter": {
          "equalsTo": {
            "name": "_data_source_id",
            "value": {
              "stringValue": "your_datasource_id"
            }
          }
        }
      }
   }
]

CLI example

The following CLI example shows how to create a data accessor and associate the necessary permissions with all end users enabled for this data accessor:



aws qbusiness create-data-accessor \
 --application-id ${qbusiness_application_id} \
 --principal ${isv_data_accessor_role_arn} \
 --action-configurations  ${action_configuration} \
 --display-name ${qbusiness_data_accessor_name} \
 --authentication-detail ${authentication_detail} 

aws qbusiness associate-permission \
 --application-id ${qbusiness_application_id} \
 --statement-id ${statement_id} \
 --actions ${actions} \
 --principal ${isv_data_accessor_role_arn} \
 --conditions ${conditions} 
 
aws sso-admin put-application-assignment-configuration \
 --application-arn ${qbusiness_data_accessor_idc_application_arn}\
 --no-assignment-required\
 --region ${idc_region}

The following CLI example shows how to add authentication details in your request:



# For tti based dataaccessor
"authenticationDetail": {
    "authenticationType": "AWS_IAM_IDC_TTI",
    "authenticationConfiguration": {
        "idcTrustedTokenIssuerConfiguration": {
            "idcTrustedTokenIssuerArn": "${IDC trusted token issuer created using ISV issuer URL}"
        }
    },
    "externalIds": [
        "${ISV tenantId}"
    ]
}

# For Authcode based dataaccessor
"authenticationDetail": {
    "authenticationType": "AWS_IAM_IDC_AUTH_CODE",
    "externalIds": [
        "${ISV tenantId}"
    ]
}

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Using the Console

Completing the process