IAM roles and trust policy for your integrations - Amazon Q Business
Allow Integration AccessAllow Amazon Q Business to MonitorTrust Policy

IAM roles and trust policy for your integrations

In order for your integrations to work, you will need to add the following two IAM roles as part of your configuration.

Note

IAM roles and trust policy are not required for using browser extensions.

IAM role for allowing the integration to call Amazon Q Business on your end user's behalf

JSON
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "QBusinessConversationPermissions",
            "Effect": "Allow",
            "Action": [
                "qbusiness:Chat",
                "qbusiness:ChatSync",
                "qbusiness:PutFeedback",
                "qbusiness:DeleteConversation",
                "qbusiness:ListAttachments",
                "qbusiness:DeleteAttachment"
            ],
            "Resource": "arn:aws:qbusiness:us-east-1:111122223333:application/application-id"
        },
        {
            "Sid": "QBusinessKMSDecryptPermissions",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:us-east-1:111122223333:key/[[key_id]]"
            ],
            "Condition": {
                "StringLike": {
                    "kms:ViaService": [
                        "qbusiness.us-east-1.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "QBusinessSetContextPermissions",
            "Effect": "Allow",
            "Action": [
                "sts:SetContext"
            ],
            "Resource": [
                "arn:aws:sts::*:self"
            ],
            "Condition": {
                "StringLike": {
                    "aws:CalledViaLast": [
                        "qbusiness.amazonaws.com"
                    ]
                }
            }
        }
    ]
}

IAM role for allowing Amazon Q Business to monitor the resources that the integration creates in your account

JSON
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "QBusinessIdCInstanceReadOnlyPermissions",
            "Effect": "Allow",
            "Action": [
                "sso:ListApplications"
            ],
            "Resource": "arn:aws:sso:::instance/idc-instance-id"
        },
        {
            "Sid": "QBusinessIdCInstanceApplicationReadOnlyPermissions",
            "Effect": "Allow",
            "Action": [
                "sso:ListApplicationAccessScopes",
                "sso:GetApplicationAssignmentConfiguration",
                "sso:GetApplicationGrant",
                "sso:GetApplicationAuthenticationMethod"
            ],
            "Resource": "arn:aws:sso::111122223333:application/idc-instance-id/*"
        }
    ]
}

IAM trust policy for your integrations

JSON
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "QBusinessTrustPolicy",
            "Effect": "Allow",
            "Principal": {
                "Service": "integrations.qbusiness.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:SetContext"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "111122223333"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:qbusiness:us-east-1:111122223333:application/application-id"
                }
            }
        }
    ]
}