Adding a data accessor using the AWS CLI
To add an ISV as a data accessor, you call three API operations. First, the CreateDataAccessor API operation creates the data accessor and associates it with your application ID. Next, the AssociatePolicy API operation (invoked below as the associate-permission CLI command) attaches the resource-based policy that authorizes the cross-account API calls. Finally, you set the user assignment for the IAM Identity Center (IDC) application environment with the PutApplicationAssignment API operation. For granular user access control, use the Amazon Q Business console.
Prerequisite for both Auth code and TTI configurations
tenantID
The tenantID is a unique identifier for your application tenant. Each application might use a different term for a tenant, such as Workspace ID for Slack or Domain ID for Asana. Review the Prerequisites page to see how to retrieve the TenantId for your application.
ISV data accessor principal role ARNs for the CreateDataAccessor API
The following are the principal role ARNs for the supported ISVs:
- Asana — arn:aws:iam::920372999046:role/autogen_role_customer-facing-integrations_q_biz_data_accessor
- Miro — arn:aws:iam::419356813857:role/AwsQBusinessMiroRetrievalRole
- Zoom — arn:aws:iam::787345941828:role/zoom-ai-q-business-retrieval-role
- PagerDuty — arn:aws:iam::748801462010:role/terraform/pagerduty-isv-qretriever-dataaccessor-role
Action configuration (JSON) example for the CreateDataAccessor API
- action — Only qbusiness:SearchRelevantContent is supported now.
- filterConfiguration — Specifies the data source ID of the Amazon Q application environment. The ISV will only have access to the data from the specified data source ID. If no data source ID is specified, the ISV will have access to all the data sources.
# CreateDataAccessor actionConfigurations example
[
  {
    "action": "qbusiness:SearchRelevantContent",
    "filterConfiguration": {
      "documentAttributeFilter": {
        "equalsTo": {
          "name": "_data_source_id",
          "value": {
            "stringValue": "your_datasource_id"
          }
        }
      }
    }
  }
]
CLI example
The following CLI example shows how to create a data accessor and associate the necessary permissions with all end users enabled for this data accessor:
aws qbusiness create-data-accessor \
  --application-id ${qbusiness_application_id} \
  --principal ${isv_data_accessor_role_arn} \
  --action-configurations ${action_configuration} \
  --display-name ${qbusiness_data_accessor_name} \
  --authentication-detail ${authentication_detail}

aws qbusiness associate-permission \
  --application-id ${qbusiness_application_id} \
  --statement-id ${statement_id} \
  --actions ${actions} \
  --principal ${isv_data_accessor_role_arn} \
  --conditions ${conditions}

aws sso-admin put-application-assignment-configuration \
  --application-arn ${qbusiness_data_accessor_idc_application_arn} \
  --no-assignment-required \
  --region ${idc_region}
The following CLI example shows how to add authentication details in your request:
# For TTI based data accessor
"authenticationDetail": {
  "authenticationType": "AWS_IAM_IDC_TTI",
  "authenticationConfiguration": {
    "idcTrustedTokenIssuerConfiguration": {
      "idcTrustedTokenIssuerArn": "${IDC trusted token issuer created using ISV issuer URL}"
    }
  },
  "externalIds": [ "${ISV tenantId}" ]
}

# For Authcode based data accessor
"authenticationDetail": {
  "authenticationType": "AWS_IAM_IDC_AUTH_CODE",
  "externalIds": [ "${ISV tenantId}" ]
}
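The following shell helpers are an added example, not part of the AWS documentation or the AWS CLI itself. They build the actionConfigurations and authenticationDetail JSON described above so that the data accessor is always scoped to one data source ID (an empty ID is refused rather than silently granting the ISV every data source), then pass the result to the create-data-accessor call. All variable and function names are assumptions.

```shell
#!/bin/sh
# Added example: builders for the JSON arguments used by create-data-accessor.

# Build actionConfigurations restricted to one data source. Refuses an empty data
# source ID, because an unfiltered configuration exposes all data sources to the ISV.
build_action_configuration() {
  ds_id="$1"
  if [ -z "$ds_id" ]; then
    echo "refusing to build an unscoped action configuration" >&2
    return 1
  fi
  printf '[{"action":"qbusiness:SearchRelevantContent","filterConfiguration":{"documentAttributeFilter":{"equalsTo":{"name":"_data_source_id","value":{"stringValue":"%s"}}}}}]' "$ds_id"
}

# Build authenticationDetail for either the TTI or the auth code flow.
# TTI requires the ARN of the IDC trusted token issuer; auth code needs only the tenant ID.
build_authentication_detail() {
  mode="$1"; tenant_id="$2"; tti_arn="$3"
  case "$mode" in
    tti)
      [ -n "$tti_arn" ] || { echo "TTI requires a trusted token issuer ARN" >&2; return 1; }
      printf '{"authenticationType":"AWS_IAM_IDC_TTI","authenticationConfiguration":{"idcTrustedTokenIssuerConfiguration":{"idcTrustedTokenIssuerArn":"%s"}},"externalIds":["%s"]}' "$tti_arn" "$tenant_id" ;;
    authcode)
      printf '{"authenticationType":"AWS_IAM_IDC_AUTH_CODE","externalIds":["%s"]}' "$tenant_id" ;;
    *)
      echo "unknown authentication mode: $mode" >&2; return 1 ;;
  esac
}

# Create the data accessor with the scoped configuration (hypothetical wrapper;
# needs AWS credentials and is not exercised offline).
create_scoped_data_accessor() {
  app_id="$1"; role_arn="$2"; ds_id="$3"; name="$4"; auth_detail="$5"
  action_cfg="$(build_action_configuration "$ds_id")" || return 1
  aws qbusiness create-data-accessor \
    --application-id "$app_id" \
    --principal "$role_arn" \
    --action-configurations "$action_cfg" \
    --display-name "$name" \
    --authentication-detail "$auth_detail"
}
```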