

AWS Chatbot is now Amazon Q Developer. [Learn more](service-rename.md)

# Identity and Access Management for Amazon Q Developer in chat applications


AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use Amazon Q Developer resources. IAM is an AWS service that you can use with no additional charge.

## Audience


How you use AWS Identity and Access Management (IAM) differs based on your role:
+ **Service user** - request permissions from your administrator if you cannot access features (see [Troubleshooting Amazon Q Developer in chat applications identity and access](security_iam_troubleshoot.md))
+ **Service administrator** - determine user access and submit permission requests (see [How Amazon Q Developer in chat applications works with IAM](#security_iam_service-with-iam))
+ **IAM administrator** - write policies to manage access (see [Identity-based policies for Amazon Q Developer in chat applications](security_iam_service-with-iam-id-based-policies.md#security_iam_id-based-policy-examples))

## How Amazon Q Developer in chat applications works with IAM


Before you use IAM to manage access to Amazon Q Developer, you should understand which IAM features are available to use with Amazon Q Developer. The following subsections introduce each IAM capability supported by Amazon Q Developer in chat applications, point you to further information about how to use them, and describe the IAM capabilities that Amazon Q Developer in chat applications doesn't support. To get a high-level view of how Amazon Q Developer and other AWS services work with IAM, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.

For an overview of IAM and its features, see [Understanding How IAM Works](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html) in the *IAM User Guide*.

**Topics**
+ [Identity-based policies and Amazon Q Developer in chat applications](#identity-based-policies-use-in-chatbot)
+ [Resource-level permissions and Amazon Q Developer in chat applications](#resource-based-policies-use-in-chatbot)
+ [Condition keys and Amazon Q Developer in chat applications](#security_iam_service-with-iam-id-based-policies-conditionkeys)
+ [Using temporary credentials with Amazon Q Developer](#security_iam_service-with-iam-roles-tempcreds)
+ [Service-linked roles](#security_iam_service-with-iam-roles-service-linked)
+ [Service roles](#security_iam_service-with-iam-roles-service)
+ [Other policy types](#security-iam-other-policies)

### Identity-based policies and Amazon Q Developer in chat applications


Amazon Q Developer in chat applications supports the use of IAM identity-based policies for service usage and management.

An AWS Identity and Access Management (IAM) *policy* is a document that defines the permissions that apply to an IAM user, group, or role. The permissions determine what users can do in AWS. A policy typically allows access to specific actions, and can optionally limit those actions to specific resources, like Amazon Simple Notification Service (Amazon SNS) notifications. Policies can also explicitly deny access.

*Identity-based policies* are attached to an IAM user, group, or role (identity). These policies let you specify what that AWS identity can do (its permissions). For example, you can attach an identity policy to the IAM user named adesai, to allow that user to perform the Amazon Q Developer in chat applications `DescribeSlackChannels` action. 

For information about, and examples of, using identity-based policies with Amazon Q Developer in chat applications, see [Amazon Q Developer Identity-Based Policies](security_iam_service-with-iam-id-based-policies.md).

For more general information about how IAM identity-based policies work, see [Identity vs. Resource](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html) in the *IAM User Guide*.

### Resource-level permissions and Amazon Q Developer in chat applications


*Resource-level permissions* are JSON policy statements that specify the AWS resources on which associated IAM entities can perform actions. You define a resource-level permission in an IAM policy, then attach the policy to a user's AWS account or to any other IAM entity. The users then have permission to access that resource. Resource-level permissions differ from IAM *resource-based policies* because you attach complete resource-based policies directly to an AWS resource.

When you customize IAM policies for users to work with the Amazon Q Developer in chat applications service, one of your primary options for policy editing is to configure resource-level permissions in your policies.

Amazon Q Developer in chat applications supports resource-level permissions, but not resource-based policies. 

For more information about how IAM resource-level permissions work with Amazon Q Developer in chat applications, see [IAM Resource-Level Permissions for Amazon Q Developer in chat applications](security_iam_service-with-iam-resource-based-policies.md).

### Condition keys and Amazon Q Developer in chat applications


Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Condition` element specifies when statements execute based on defined criteria. You can create conditional expressions that use [condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html), such as equals or less than, to match the condition in the policy with values in the request. To see all AWS global condition keys, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.

Amazon Q Developer doesn't define any service-specific condition keys. It supports global condition keys. To see all actions and resources for which Amazon Q Developer in chat applications can use global condition keys, see [Actions, Resources, and Condition Keys for Amazon Q Developer in chat applications](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awschatbot.html#awschatbot-policy-keys) in the *IAM User Guide*. For more information about AWS global condition keys, see [AWS Global Condition Context Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.

### Using temporary credentials with Amazon Q Developer


You can use temporary credentials to sign in with federation, assume an IAM role, or assume a cross-account role. You obtain temporary security credentials by calling AWS Security Token Service (AWS STS) API operations, such as [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) or [GetFederationToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html). 

Amazon Q Developer supports using temporary credentials. For more information about defining and using temporary IAM credentials, see [Temporary Security Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) in the *IAM User Guide*. 

### Service-linked roles


[Service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role) allow AWS services to access resources in other services to complete an action on your behalf. Service-linked roles appear in your IAM account and are owned by the service. An IAM administrator can view, but can't edit the permissions for service-linked roles.

### Service roles


Amazon Q Developer supports service roles. 

This feature allows a service to assume a [service role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-role) on your behalf. This role allows the service to access resources in other services to complete an action on your behalf. Service roles appear in your IAM account and are owned by the account. This means that an IAM administrator can change the permissions for this role. However, doing so might prevent the service from functioning as expected.

### Other policy types


AWS supports additional, less common policy types. These policy types can set the maximum permissions granted to you by the more common policy types. 
+ **AWS Organizations service control policies (SCPs)** - SCPs are JSON policies that specify the maximum permissions for an organization or organizational unit (OU) in AWS Organizations. AWS Organizations is a service for grouping and centrally managing multiple AWS accounts that your business owns. If you enable all features in an organization, then you can apply service control policies (SCPs) to any or all of your accounts. The SCP limits permissions for entities in member accounts, including each AWS account root user. For more information about Organizations and SCPs, see [How SCPs Work](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_about-scps.html) in the *AWS Organizations User Guide*.
+ **IAM account settings** - With IAM, you can use AWS Security Token Service (AWS STS) to create and provide trusted users with temporary security credentials that can control access to your AWS resources. When you activate STS endpoints for a Region, AWS STS can issue temporary credentials to users and roles in your account that make an AWS STS request. Those credentials can then be used in any Region that is enabled by default or is manually enabled. You must activate the Region in the account where the temporary credentials are generated. It does not matter whether a user is signed into the same account or a different account when they make the request. For more information, see [Activating and deactivating AWS STS in an AWS Region](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#sts-regions-activate-deactivate) in the *IAM User Guide*.

**Note**  
Amazon Q Developer in chat applications is a global service that requires access to all AWS Regions. If there is a policy in place that prevents access to services in certain Regions, you must change the policy to allow global Amazon Q Developer in chat applications access.

# IAM policies for Amazon Q Developer in chat applications


This section describes the IAM permissions and policies that Amazon Q Developer in chat applications uses to secure its operations with other AWS services. Amazon Q Developer in chat applications uses these permissions to safely forward Amazon SNS notifications to chat rooms, support AWS CLI commands sessions in Slack, invoke Lambda functions, and create AWS support tickets directly in the Slack console. You can also define your own custom policies for the same purposes, using these policies as templates.

When you create a new role in the Amazon Q Developer in chat applications console, any of the IAM policies described in this topic might be assigned to that role. You could apply all of them to a single role, or choose only a couple of them based on how the users of that role will use the Amazon Q Developer in chat applications. Some policies contain a superset of permissions of other policies. 

**Topics**
+ [AWS managed IAM policies in Amazon Q Developer in chat applications](#aws-managed-policies-for-chatbot)
+ [Customer managed IAM policies in Amazon Q Developer in chat applications](#user-managed-chatbot-iam-policies)

## AWS managed IAM policies in Amazon Q Developer in chat applications


Amazon Q Developer in chat applications supports the following AWS managed IAM policies:
+ [**ReadOnlyAccess**](#read-only-access-managed-policy) 
+ [**CloudWatchReadOnlyAccess**](#CloudwatchReadOnlyAccess-policy-for-chatbot)
+ [**AWS Support Command Permissions Policy**](#chatbot_support_policy)
+ [**Amazon Q Permissions policy**](#chatbot_qdev_policy)
+ [**Amazon Q Operations Assistant Permissions policy**](#chatbot_ops_policy)
+ [**Resource Explorer Permissions policy**](#resource-explorer_policy)
+ [**Incident Manager Permissions policy**](#incident-manager_policy)

AWS managed policies are available to all Amazon Q Developer in chat applications users, but you can't change or edit them. You can copy them and use them as templates for your own policies, knowing that you are using AWS-approved policy language to build your own policies.

Amazon Q Developer in chat applications adheres to standard IAM practices for using admin IAM accounts to activate and use the Amazon Q Developer in chat applications service.

As a convenience, Amazon Q Developer in chat applications also supports the creation of new IAM roles directly in the Amazon Q Developer in chat applications console. However, to configure existing IAM entities to use Amazon Q Developer in chat applications, you need to use the IAM console.

### The IAM ReadOnlyAccess policy


The **ReadOnlyAccess** policy is an AWS managed policy that is automatically assigned to roles in the Amazon Q Developer in chat applications service. 

This policy does not appear in the Amazon Q Developer in chat applications console. It defines Get, List, and Describe permissions for the entire suite of AWS services, enabling Amazon Q Developer in chat applications to use this role to access any of those services on your behalf. 

You can attach this policy to new roles in IAM, or use it as a template to define your own, more restrictive policy. 

**Note**  
Amazon Q Developer in chat applications must use a role that defines all the read-only permissions necessary for its usage. You can define a policy to be more restrictive or specify fewer services than the policy described here, and use that in place of the **ReadOnlyAccess** policy. However, you must ensure that all CloudWatch and Amazon SNS read-only permissions remain in your policy, or some CloudWatch features may not work with Amazon Q Developer in chat applications. The policy also must provide Get, List, and Describe permissions for services supported by Amazon Q Developer in chat applications. 

The policy's JSON code is shown following:

------
#### [ JSON ]

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "a4b:Get*",
                "a4b:List*",
                "a4b:Search*",
                "acm:Describe*",
                "acm:Get*",
                "acm:List*",
                "acm-pca:Describe*",
                "acm-pca:Get*",
                "acm-pca:List*",
                "amplify:GetApp",
                "amplify:GetBranch",
                "amplify:GetJob",
                "amplify:GetDomainAssociation",
                "amplify:ListApps",
                "amplify:ListBranches",
                "amplify:ListDomainAssociations",
                "amplify:ListJobs",
                "xray:BatchGet*",
                "xray:Get*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

------

### The CloudWatchReadOnlyAccess policy


You can attach the **CloudWatchReadOnlyAccess** policy to Amazon Q Developer in chat applications roles when you edit them in the IAM console. This policy does not appear in the Amazon Q Developer in chat applications console.

It is an AWS managed policy. You can attach this policy to any role for Amazon Q Developer in chat applications usage. You can define your own policy with greater restrictions, using this policy as a template.

Amazon Q Developer in chat applications users can use this policy to support Amazon CloudWatch Events reporting, alarms, CloudWatch Logs, and CloudWatch trend charts for most of the AWS services that Amazon Q Developer in chat applications supports. It allows read-only operations for CloudWatch Logs and Amazon Simple Notification Service (Amazon SNS), and can be used in place of the customer managed [**Notification permissions policy**](#read-only-notifications-policy). However, you must use the IAM console to attach this policy to any IAM role.

The Logs permissions also support the useful **Show Logs** feature for CloudWatch alarms notifications in Slack. Amazon Q Developer in chat applications also supports actions for displaying logs for Lambda and Amazon API Gateway.

The policy's JSON code is shown following:

------
#### [ JSON ]

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "autoscaling:Describe*",
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*",
                "logs:Get*",
                "logs:List*",
                "logs:Describe*",
                "logs:TestMetricFilter",
                "logs:FilterLogEvents",
                "sns:Get*",
                "sns:List*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

------

### The AWS Support Command Permissions policy


The **AWS Support Command Permissions** policy appears in the Amazon Q Developer in chat applications console when you configure resources. It's provided in the Amazon Q Developer in chat applications console to conveniently set up a role, to allow Slack users to create AWS support tickets through their Slack channels. 

In the IAM console, this policy appears as **AWSSupportAccess**. 

It is an AWS managed policy. You can also attach this policy in IAM to any role. You can define your own policy with greater restrictions, using this policy as a template, for roles in Amazon Q Developer in chat applications.

The **Support Command Permissions** policy applies only to the Support service.

The policy's JSON code is shown following:

------
#### [ JSON ]

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "support:*"
            ],
            "Resource": "*"
        }
    ]
}
```

------

### The Amazon Q Permissions policy


The **Amazon Q Permissions** policy appears in the Amazon Q Developer in chat applications console when you configure your **Permissions**. This policy provides full access to enable interactions with Amazon Q, including administrator access. It includes access to log in with IAM Identity Center to access Amazon Q through an Amazon Q Developer Pro subscription. For more information, see [AmazonQFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonQFullAccess.html) in the *AWS Managed Policy Reference Guide*.

In the IAM console, this policy appears as **AmazonQFullAccess**.

It is an AWS managed policy. You can also attach this policy in IAM to any role. You can define your own policy with greater restrictions, using this policy as a template, for roles in Amazon Q Developer in chat applications.

The policy's JSON code is shown following:

------
#### [ JSON ]

```json
{
  "Version": "2012-10-17",
  "Statement" : [
    {
      "Sid" : "AllowAmazonQFullAccess",
      "Effect" : "Allow",
      "Action" : [
        "q:StartConversation",
        "q:SendMessage",
        "q:GetConversation",
        "q:ListConversations",
        "q:PassRequest",
        "q:StartTroubleshootingAnalysis",
        "q:GetTroubleshootingResults",
        "q:StartTroubleshootingResolutionExplanation",
        "q:UpdateTroubleshootingCommandResult",
        "q:GetIdentityMetadata",
        "q:CreateAssignment",
        "q:DeleteAssignment",
        "q:GenerateCodeFromCommands",
        "q:CreatePlugin",
        "q:DeletePlugin",
        "q:GetPlugin",
        "q:UsePlugin",
        "q:ListPlugins",
        "q:ListPluginProviders",
        "q:ListTagsForResource",
        "q:UntagResource",
        "q:TagResource"
      ],
      "Resource" : "*"
    },
    {
      "Sid" : "AllowCloudControlReadAccess",
      "Effect" : "Allow",
      "Action" : [
        "cloudformation:GetResource",
        "cloudformation:ListResources"
      ],
      "Resource" : "*"
    },
    {
      "Sid" : "AllowSetTrustedIdentity",
      "Effect" : "Allow",
      "Action" : [
        "sts:SetContext"
      ],
      "Resource" : "arn:aws:sts::*:self"
    },
    {
      "Sid" : "AllowPassRoleToAmazonQ",
      "Effect" : "Allow",
      "Action" : [
        "iam:PassRole"
      ],
      "Resource" : "arn:aws:iam::*:role/*",
      "Condition" : {
        "StringEquals" : {
          "iam:PassedToService" : [
            "q.amazonaws.com"
          ]
        }
      }
    }
  ]
}
```

------

### The Amazon Q Operations Assistant Permissions policy


The **Amazon Q Operations Assistant Permissions** policy appears in the Amazon Q Developer in chat applications console when you configure your **Permissions**. This policy enables Amazon Q to analyze your AWS resources during investigations of operational events. This policy is scoped to the resources that Amazon Q Developer supports during investigations, and is updated as more resources are supported. For more information, see [AIOpsOperatorAccess](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.html#managed-policies-QInvestigations-AIOpsAssistant) in the *Amazon CloudWatch User Guide*.

In the IAM console, this policy appears as **AIOpsOperatorAccess**.

It is an AWS managed policy. You can also attach this policy in IAM to any role. You can define your own policy with greater restrictions, using this policy as a template, for roles in Amazon Q Developer in chat applications.

The policy's JSON code is shown following:

------
#### [ JSON ]

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AIOpsOperatorAccess",
            "Effect": "Allow",
            "Action": [
                "aiops:CreateInvestigation",
                "aiops:CreateInvestigationEvent",
                "aiops:CreateInvestigationResource",
                "aiops:DeleteInvestigation",
                "aiops:Get*",
                "aiops:List*",
                "aiops:UpdateInvestigation",
                "aiops:UpdateInvestigationEvent"
            ],
            "Resource": "*"
        },
        {
            "Sid": "SSOManagementAccess",
            "Effect": "Allow",
            "Action": [
                "identitystore:DescribeUser",
                "sso:DescribeInstance",
                "sso-directory:DescribeUsers"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowSTSContextSetting",
            "Effect": "Allow",
            "Action": [
                "sts:SetContext"
            ],
            "Resource": "arn:aws:sts::*:self"
        },
        {
            "Sid": "SSMSettingServiceIntegration",
            "Effect": "Allow",
            "Action": [
                "ssm:GetServiceSetting"
            ],
            "Resource": "arn:aws:ssm:*:*:servicesetting/integrations/*"
        },
        {
            "Sid": "SSMIntegrationTagAccess",
            "Effect": "Allow",
            "Action": [
                "ssm:AddTagsToResource",
                "ssm:CreateOpsItem"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/Integration": [
                        "CloudWatch"
                    ]
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": "Integration"
                }
            }
        },
        {
            "Sid": "SSMOpsItemIntegration",
            "Effect": "Allow",
            "Action": [
                "ssm:DeleteOpsItem",
                "ssm:UpdateOpsItem"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Integration": [
                        "CloudWatch"
                    ]
                }
            }
        },
        {
            "Sid": "SSMTagOperation",
            "Effect": "Allow",
            "Action": [
                "ssm:AddTagsToResource"
            ],
            "Resource": "arn:aws:ssm:*:*:opsitem/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Integration": [
                        "CloudWatch"
                    ]
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": "Integration"
                }
            }
        },
        {
            "Sid": "SSMOpsSummaryIntegration",
            "Effect": "Allow",
            "Action": [
                "ssm:GetOpsSummary"
            ],
            "Resource": "*"
        }
    ]
}
```

------

### The Resource Explorer Permissions policy


The **Resource Explorer Permissions** policy appears in the Amazon Q Developer in chat applications console when you configure your **Permissions**. This policy grants Amazon Q read-only permissions to search for and view Resource Explorer resources. For more information, see [AWSResourceExplorerReadOnlyAccess](https://docs.aws.amazon.com/resource-explorer/latest/userguide/security_iam_awsmanpol.html#security_iam_awsmanpol_AWSResourceExplorerReadOnlyAccess) in the *AWS Resource Explorer User Guide*.

In the IAM console, this policy appears as **AWSResourceExplorerReadOnlyAccess**.

It is an AWS managed policy. You can also attach this policy in IAM to any role. You can define your own policy with greater restrictions, using this policy as a template, for roles in Amazon Q Developer in chat applications.

The policy's JSON code is shown following:

------
#### [ JSON ]

```json
{
  "Version": "2012-10-17",
  "Statement" : [
    {
      "Sid" : "ResourceExplorerReadOnlyAccess",
      "Effect" : "Allow",
      "Action" : [
        "resource-explorer-2:Get*",
        "resource-explorer-2:List*",
        "resource-explorer-2:Search",
        "resource-explorer-2:BatchGetView",
        "ec2:DescribeRegions",
        "ram:ListResources",
        "ram:GetResourceShares",
        "organizations:DescribeOrganization"
      ],
      "Resource" : "*"
    }
  ]
}
```

------

### Incident Manager permissions policy


The **Incident Manager permissions** policy appears in the Amazon Q Developer in chat applications console when you configure your **Permissions**. This policy enables Amazon Q to start, view, and update incidents. It also allows Amazon Q Developer to create custom timeline events and related items in the incident dashboard. For more information, see [AWSIncidentManagerResolverAccess](https://docs.aws.amazon.com/incident-manager/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AWSIncidentManagerResolverAccess) in the *Incident Manager User Guide*.

In the IAM console, this policy appears as **AWSIncidentManagerResolverAccess**.

It is an AWS managed policy. You can also attach this policy in IAM to any role. You can define your own policy with greater restrictions, using this policy as a template, for roles in Amazon Q Developer in chat applications.

The policy's JSON code is shown following:

------
#### [ JSON ]

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "StartIncidentPermissions",
            "Effect": "Allow",
            "Action": [
                "ssm-incidents:StartIncident"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ResponsePlanReadOnlyPermissions",
            "Effect": "Allow",
            "Action": [
                "ssm-incidents:ListResponsePlans",
                "ssm-incidents:GetResponsePlan"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IncidentRecordResolverPermissions",
            "Effect": "Allow",
            "Action": [
                "ssm-incidents:ListIncidentRecords",
                "ssm-incidents:GetIncidentRecord",
                "ssm-incidents:UpdateIncidentRecord",
                "ssm-incidents:ListTimelineEvents",
                "ssm-incidents:CreateTimelineEvent",
                "ssm-incidents:GetTimelineEvent",
                "ssm-incidents:UpdateTimelineEvent",
                "ssm-incidents:DeleteTimelineEvent",
                "ssm-incidents:ListRelatedItems",
                "ssm-incidents:UpdateRelatedItems"
            ],
            "Resource": "*"
        }
    ]
}
```

------

## Customer managed IAM policies in Amazon Q Developer in chat applications


Amazon Q Developer in chat applications also supports three service-provided customer managed IAM policies that you can apply to any Amazon Q Developer in chat applications role. They can also be used as templates for defining custom IAM permissions for your users:
+ [**ReadOnly Command Permissions policy**](#read-only-policy-for-cli) 
+ [**Lambda-Invoke Command Permissions policy**](#lambda-invoke-policy-for-chatbot-cli)
+ [**Notification permissions policy**](#read-only-notifications-policy)

### The Amazon Q Developer in chat applications Read-Only Command Permissions IAM policy


The **Read-Only Command Permissions** policy appears in the Amazon Q Developer in chat applications console when you configure resources. You use this policy to support AWS commands and actions in Slack channels.

It is a customer managed policy. It pairs with the [**Lambda-Invoke Command Permissions** policy](#lambda-invoke-policy-for-chatbot-cli) to provide a convenient Amazon Q Developer in chat applications configuration to enable Slack channel support for sending commands to the AWS CLI.

The **Read-Only Command Permissions** policy denies permission for Amazon Q Developer in chat applications users to get sensitive information from AWS services through the Slack channel, such as Amazon EC2 password information, key pairs and login credentials.

This policy appears in the IAM console as the **AWS-Chatbot-ReadOnly-Commands-Policy**.

You can edit and assign this policy to any role in Amazon Q Developer in chat applications or in IAM. For editing of roles and policies for Amazon Q Developer in chat applications usage, we recommend using the IAM console.

**Note**  
If you want to use this policy as a template, we recommend saving a new copy of the policy under a different name and making your changes there.

For your team's command usage in Slack channels, you must use a role that defines the necessary read-only permissions. 

The policy's JSON code is shown following:

------
#### [ JSON ]

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "iam:*",
                "s3:GetBucketPolicy",
                "ssm:*",
                "sts:*",
                "kms:*",
                "cognito-idp:GetSigningCertificate",
                "ec2:GetPasswordData",
                "ecr:GetAuthorizationToken",
                "gamelift:RequestUploadCredentials",
                "gamelift:GetInstanceAccess",
                "lightsail:DownloadDefaultKeyPair",
                "lightsail:GetInstanceAccessDetails",
                "lightsail:GetKeyPair",
                "lightsail:GetKeyPairs",
                "redshift:GetClusterCredentials",
                "storagegateway:DescribeChapCredentials"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```

------
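Two statements above are easy to misread without seeing IAM's evaluation rules in action: the note on the **ReadOnlyAccess** policy says a more restrictive replacement must keep the CloudWatch and Amazon SNS read-only permissions, and the **Read-Only Command Permissions** policy is a pure Deny that only makes sense combined with an Allow policy on the same role. The following script is an added example, not AWS or Amazon Q Developer code. It implements the subset of IAM evaluation needed here (Allow and Deny statements, `*` wildcards, explicit Deny overriding Allow; `Condition` elements are not evaluated) and runs it over constructed excerpts of the two policies on this page. The list of required read-only actions is an assumption for the example, taken from the **CloudWatchReadOnlyAccess** policy above.

```python
"""Offline simulator for the IAM evaluation rules this page relies on.

Added example; this is not AWS or Amazon Q Developer code. It implements only
the subset of IAM logic needed here: Allow and Deny statements, '*' wildcards
in Action and Resource, and the rule that an explicit Deny wins over any
Allow. Condition elements are not evaluated. The policies below are
constructed excerpts of this page's ReadOnlyAccess and Read-Only Command
Permissions policies, trimmed to a handful of actions.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM lets Action and Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def evaluate(policies, action, resource="*"):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request.

    Action names are matched case-insensitively, as IAM does; resources are
    compared with '*' wildcard matching only.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            action_hit = any(fnmatchcase(action.lower(), pat.lower())
                             for pat in _as_list(stmt["Action"]))
            resource_hit = any(fnmatchcase(resource, pat)
                               for pat in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny ends evaluation
            decision = "Allow"
    return decision


# Constructed excerpt of the AWS managed ReadOnlyAccess policy shown above.
READ_ONLY_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:Describe*", "ec2:Get*", "cloudwatch:Describe*",
                   "cloudwatch:Get*", "cloudwatch:List*", "logs:Get*",
                   "logs:Describe*", "logs:FilterLogEvents", "sns:Get*",
                   "sns:List*", "iam:Get*", "iam:List*"],
        "Resource": "*",
    }],
}

# Constructed excerpt of the Read-Only Command Permissions deny policy above.
READ_ONLY_COMMANDS_DENY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["iam:*", "s3:GetBucketPolicy", "ssm:*", "sts:*", "kms:*",
                   "ec2:GetPasswordData", "ecr:GetAuthorizationToken"],
        "Resource": ["*"],
    }],
}

# Read-only actions a replacement for ReadOnlyAccess must keep so that the
# CloudWatch and Amazon SNS features keep working (see the note on that
# policy). This concrete list is an assumption for the example, taken from
# the CloudWatchReadOnlyAccess policy on this page.
REQUIRED_READ_ACTIONS = [
    "cloudwatch:DescribeAlarms", "cloudwatch:GetMetricData",
    "cloudwatch:ListMetrics", "logs:FilterLogEvents",
    "logs:DescribeLogGroups", "sns:ListTopics", "sns:GetTopicAttributes",
]

# Constructed replacement policy that forgot the Amazon SNS permissions.
TOO_NARROW = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudwatch:*", "logs:Get*", "logs:Describe*",
                   "logs:FilterLogEvents"],
        "Resource": "*",
    }],
}


def missing_required_actions(policy):
    """Actions from REQUIRED_READ_ACTIONS that `policy` alone does not allow."""
    return [a for a in REQUIRED_READ_ACTIONS if evaluate([policy], a) != "Allow"]


if __name__ == "__main__":
    role = [READ_ONLY_ACCESS, READ_ONLY_COMMANDS_DENY]
    for action in ("ec2:DescribeInstances", "ec2:GetPasswordData", "iam:ListUsers"):
        print(f"{action:24} -> {evaluate(role, action)}")
    print("missing from TOO_NARROW:", missing_required_actions(TOO_NARROW))
```

With both policies on the role, `ec2:DescribeInstances` is allowed while `ec2:GetPasswordData` and every `iam:*` action are denied, even though **ReadOnlyAccess** on its own would allow them; `TOO_NARROW` is reported as missing the two `sns:` actions, which is exactly the gap the note warns about.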

### The Amazon Q Developer in chat applications Lambda-Invoke Command Permissions policy


The **Lambda-Invoke Command Permissions** policy appears in the Amazon Q Developer in chat applications console when you configure resources. It pairs with the [**Read-Only Command Permissions** policy](#read-only-policy-for-cli) to provide a convenient Amazon Q Developer in chat applications configuration to enable Slack channel access to the AWS CLI, and to features that make sense for CLI use. The policy allows Amazon Q Developer in chat applications users to invoke Lambda functions in their Slack channels. 

It is a customer managed policy. In the IAM console, it appears as **AWS-Chatbot-LambdaInvoke-Policy**.

You can edit and assign this policy to any role in Amazon Q Developer in chat applications or in IAM. 

By default, the **Lambda-Invoke** policy is very permissive, because it allows invoking any Lambda function in the account.

We recommend using this policy as a template for your own, more restrictive policies. For example, allow only the functions developed for your DevOps team, scoped by function ARN or name prefix, so that nobody can invoke Lambda functions for any other purpose from the channel. To edit roles and policies for Amazon Q Developer in chat applications, use the IAM console.

The policy's JSON code is shown following:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeAsync",
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```
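To see how the **Read-Only Command Permissions** Deny statements and the **Lambda-Invoke** policy actually decide requests, here is a small policy evaluator, added as a worked example; it is not part of the original page and not AWS code. It reproduces only the evaluation rules these policies depend on (an explicit Deny beats any Allow, a request that no statement allows is implicitly denied, and `*`/`?` wildcards in `Action` and `Resource`) and ignores conditions, `NotAction`, permissions boundaries and SCPs. The short read-only Allow statement standing in for the **ReadOnlyAccess** managed policy, the account ID `123456789012`, the `devops-` function-name prefix and every request ARN are constructed for the example. The tightened `LAMBDA_INVOKE_SCOPED` policy is the kind of restriction the paragraph above recommends.

```python
"""Minimal IAM policy evaluator (added example, not AWS code).

Models only what the page's policies use: Allow/Deny statements, '*' and '?'
wildcards in Action and Resource, explicit Deny overriding any Allow, and an
implicit deny when nothing allows the request. Conditions, NotAction,
permissions boundaries and SCPs are out of scope.
"""
import re

# Stand-in for the AWS managed ReadOnlyAccess policy: constructed for this
# evaluator only (far smaller than the real policy, not something to deploy).
READ_ONLY_STAND_IN = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["*:Describe*", "*:Get*", "*:List*"], "Resource": "*"}],
}

# The Read-Only Command Permissions guardrail from the page, verbatim.
READ_ONLY_GUARDRAIL = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": [
            "iam:*", "s3:GetBucketPolicy", "ssm:*", "sts:*", "kms:*",
            "cognito-idp:GetSigningCertificate", "ec2:GetPasswordData",
            "ecr:GetAuthorizationToken", "gamelift:RequestUploadCredentials",
            "gamelift:GetInstanceAccess", "lightsail:DownloadDefaultKeyPair",
            "lightsail:GetInstanceAccessDetails", "lightsail:GetKeyPair",
            "lightsail:GetKeyPairs", "redshift:GetClusterCredentials",
            "storagegateway:DescribeChapCredentials",
        ],
        "Resource": ["*"],
    }],
}

# The Lambda-Invoke Command Permissions policy as the console creates it.
LAMBDA_INVOKE_DEFAULT = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["lambda:InvokeAsync", "lambda:InvokeFunction"], "Resource": ["*"]}],
}

# The same policy tightened to one team's functions. The account ID and the
# 'devops-' function-name prefix are assumptions made for this example.
LAMBDA_INVOKE_SCOPED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["lambda:InvokeAsync", "lambda:InvokeFunction"],
        "Resource": ["arn:aws:lambda:us-east-1:123456789012:function:devops-*"],
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, ignore_case):
    """Turn an IAM wildcard pattern into an anchored regex ('*' any run, '?' one char)."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE if ignore_case else 0)

def evaluate(policies, action, resource):
    """Decide one request: 'allow', 'explicit_deny' or 'implicit_deny'."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            # Action names are case-insensitive in IAM; ARNs are matched case-sensitively.
            if not any(_glob(a, True).match(action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_glob(r, False).match(resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"  # a matching Deny ends evaluation
            allowed = True
    return "allow" if allowed else "implicit_deny"

def read_only_role_decisions():
    """Constructed requests against a role holding the read-only stand-in plus the Deny guardrail."""
    policies = [READ_ONLY_STAND_IN, READ_ONLY_GUARDRAIL]
    requests = {  # resource is '*' where the action takes no resource ARN
        "cloudwatch:DescribeAlarms": "*",
        "s3:ListBucket": "arn:aws:s3:::example-bucket",
        "s3:GetBucketPolicy": "arn:aws:s3:::example-bucket",
        "ssm:GetParameter": "arn:aws:ssm:us-east-1:123456789012:parameter/prod/db-password",
        "ec2:GetPasswordData": "*",
    }
    return {action: evaluate(policies, action, res) for action, res in requests.items()}

def lambda_invoke_decisions(policy):
    """lambda:InvokeFunction on a DevOps team function and on an unrelated one."""
    team = "arn:aws:lambda:us-east-1:123456789012:function:devops-restart-service"
    other = "arn:aws:lambda:us-east-1:123456789012:function:payroll-export"
    return {"devops-restart-service": evaluate([policy], "lambda:InvokeFunction", team),
            "payroll-export": evaluate([policy], "lambda:InvokeFunction", other)}

if __name__ == "__main__":
    for action, decision in read_only_role_decisions().items():
        print(f"{action:28} -> {decision}")
    print("default Lambda-Invoke:", lambda_invoke_decisions(LAMBDA_INVOKE_DEFAULT))
    print("scoped  Lambda-Invoke:", lambda_invoke_decisions(LAMBDA_INVOKE_SCOPED))
```

Two things to notice when you run it. The guardrail's Deny on `ssm:*` wins even though the read-only Allow covers `ssm:GetParameter`, which is why the Deny policy is attached alongside **ReadOnlyAccess** instead of trying to enumerate a narrower Allow. And with the scoped Lambda policy the unrelated `payroll-export` function is not explicitly denied; it merely has no matching Allow, so a broad `lambda:InvokeFunction` Allow attached to the same role later would reopen it.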

### The Amazon Q Developer in chat applications Notification Permissions IAM policy


The **Notification Permissions** policy appears in the Amazon Q Developer in chat applications console when you configure resources. It is the minimum usable IAM policy for using Amazon Q Developer in chat applications in Slack channels and Amazon Chime webhooks. It lets the channel role read CloudWatch alarms and metrics, so that forwarded CloudWatch Events and CloudWatch alarm notifications can include formatted charts in chat room messages. Because many of the supported services use CloudWatch as their event and alarm processing layer, Amazon Q Developer in chat applications requires these permissions for core functionality. You can use another policy, such as [**CloudWatchReadOnlyAccess**](#CloudwatchReadOnlyAccess-policy-for-chatbot), in its place, but you must attach that policy to the role in the IAM console.

It is a customer managed policy. You can edit and assign this policy to any role for Amazon Q Developer in chat applications usage.

**Note**  
If you want to use this policy as a template, we recommend saving a new copy of the policy under a different name and making your changes there.

In the IAM console, it appears as **AWS-Chatbot-NotificationsOnly-Policy**.

The policy's JSON code is shown following:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

# Identity-based IAM policies for Amazon Q Developer


A policy is an object in AWS that, when you attach it to an identity, defines their permissions. When you create a policy to restrict or allow access to a resource, you can use an identity-based policy.

You can attach IAM identity-based policies to IAM entities such as a user in your AWS account, an IAM group, or an IAM role. You can define allowed or denied actions and resources, and the conditions under which actions are allowed or denied. Amazon Q Developer supports specific actions, resources, and condition keys.

**Note**  
To learn about all of the elements that you use in a JSON policy, see [IAM JSON Policy Elements Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide*.  
For information about the specific IAM JSON policy elements that Amazon Q Developer in chat applications supports, see [Actions, Resources, and Condition Keys for Amazon Q Developer in chat applications](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awschatbot.html#awschatbot-policy-keys) in the *IAM User Guide*. 

**Topics**
+ [Identity-based policies for Amazon Q Developer in chat applications](#security_iam_id-based-policy-examples)
+ [Identity-based policy best practices](#security_iam_service-with-iam-policy-best-practices)
+ [Applying Amazon Q Developer in chat applications permissions to an IAM identity](#ChatbotCompleteRoleExample)
+ [Allowing users to view their permissions](#security_iam_id-based-policy-examples-view-own-permissions)

## Identity-based policies for Amazon Q Developer in chat applications


By default, IAM users, groups, and roles don't have permission to create or modify Amazon Q Developer resources. They also can't perform tasks using the AWS Management Console or AWS Command Line Interface (AWS CLI). An IAM administrator can create IAM identity-based policies that grant entities permission to perform specific console and CLI operations on the resources that they need. The administrator attaches those policies to the IAM entities that require those permissions.

**Note**  
In an identity-based policy, you don't specify the principal who gets the permission (the `Principal` element) because the policy gets attached to the entity that needs to use it.

To learn about all of the elements that you use in a policy, see [IAM JSON Policy Elements Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide*. For information about the specific IAM JSON policy elements that Amazon Q Developer in chat applications supports, see [Actions, Resources, and Condition Keys for Amazon Q Developer in chat applications](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awschatbot.html#awschatbot-policy-keys) in the *IAM User Guide*. 

### Amazon Q Developer in chat applications actions for identity-based policies


Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Include actions in a policy to grant permissions to perform the associated operation.

Actions in an Amazon Q Developer policy use the following prefix before the action:

```
"Action": [
    "chatbot:"
]
```

For example, to grant a user permission to view the list of all Slack channels using the `DescribeSlackChannels` operation, you include the `chatbot:DescribeSlackChannels` action in the user's policy. Policy statements must include either an `Action` or `NotAction` element. Amazon Q Developer defines its own set of actions that describe tasks that you can perform with this service. To see the list of Amazon Q Developer actions, see [Actions, Resources, and Condition Keys for AWS Chatbot](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awschatbot.html) in the *IAM User Guide.*

To specify multiple actions in a single statement, separate them with commas:

```
"Action": [
    "chatbot:DescribeSlackChannels",
    "chatbot:DescribeSlackWorkspaces"
]
```

**Important**  
Although you can specify multiple actions of like type in a policy using wildcards (`*`), we strongly discourage doing so. Follow the practice of granting least privilege and narrow the permissions to what a user needs to perform their work.

## Identity-based policy best practices


Identity-based policies determine whether someone can create, access, or delete Amazon Q Developer resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations:
+ **Get started with AWS managed policies and move toward least-privilege permissions** – To get started granting permissions to your users and workloads, use the *AWS managed policies* that grant permissions for many common use cases. They are available in your AWS account. We recommend that you reduce permissions further by defining AWS customer managed policies that are specific to your use cases. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) or [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.
+ **Apply least-privilege permissions** – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as *least-privilege permissions*. For more information about using IAM to apply permissions, see [ Policies and permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.
+ **Use conditions in IAM policies to further restrict access** – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific AWS service, such as CloudFormation. For more information, see [ IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.
+ **Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions** – IAM Access Analyzer validates new and existing policies so that the policies adhere to the IAM policy language (JSON) and IAM best practices. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. For more information, see [Validate policies with IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html) in the *IAM User Guide*.
+ **Require multi-factor authentication (MFA)** – If you have a scenario that requires IAM users or a root user in your AWS account, turn on MFA for additional security. To require MFA when API operations are called, add MFA conditions to your policies. For more information, see [ Secure API access with MFA](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html) in the *IAM User Guide*.

For more information about best practices in IAM, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.

## Applying Amazon Q Developer in chat applications permissions to an IAM identity


The following example of an Amazon Q Developer in chat applications identity-based policy controls all aspects of Slack chat room configuration. It grants read-only permissions to Amazon CloudWatch, Amazon CloudWatch Logs, and Amazon Simple Notification Service (Amazon SNS) topics, and it allows Slack chat room configuration through both the Amazon Q Developer in chat applications console and CLI actions.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllChatbotPermissions",
            "Action": [
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*",
                "logs:Get*",
                "logs:List*",
                "logs:Describe*",
                "logs:TestMetricFilter",
                "logs:FilterLogEvents",
                "sns:Get*",
                "sns:List*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "AllSlackPermissions",
            "Effect": "Allow",
            "Action": [
                "chatbot:Describe*",
                "chatbot:UpdateSlackChannelConfiguration",
                "chatbot:CreateSlackChannelConfiguration",
                "chatbot:DeleteSlackChannelConfiguration"
            ],
            "Resource": "*"
        }
    ]
}
```

In this example, `"Resource": "*"` in the `AllSlackPermissions` statement covers every Slack chat configuration in the account, and `"Resource": "*"` in the `AllChatbotPermissions` statement covers every CloudWatch, CloudWatch Logs, and Amazon SNS resource. Attach the policy to an IAM user, group, or role that needs access to all Slack resources. To limit the chatbot actions to specific configurations, use their ARNs instead, as described in IAM resource-level permissions for Amazon Q Developer.

## Allowing users to view their permissions


This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the AWS CLI or AWS API.

```
{
    "Version": "2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "ViewOwnUserInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetUserPolicy",
                "iam:ListGroupsForUser",
                "iam:ListAttachedUserPolicies",
                "iam:ListUserPolicies",
                "iam:GetUser"
            ],
            "Resource": ["arn:aws:iam::*:user/${aws:username}"]
        },
        {
            "Sid": "NavigateInConsole",
            "Effect": "Allow",
            "Action": [
                "iam:GetGroupPolicy",
                "iam:GetPolicyVersion",
                "iam:GetPolicy",
                "iam:ListAttachedGroupPolicies",
                "iam:ListGroupPolicies",
                "iam:ListPolicyVersions",
                "iam:ListPolicies",
                "iam:ListUsers"
            ],
            "Resource": "*"
        }
    ]
}
```

# IAM resource-level permissions for Amazon Q Developer

*Resource-level permissions* define the AWS resources on which you allow assigned entities (users, groups, and roles) to perform actions. You specify the Amazon Resource Name (ARN) of one or more resources as part of an IAM policy, which you can then attach to IAM entities. 

**Note**  
Amazon Q Developer in chat applications doesn't support *resource-based policies*, which are attached directly to AWS resources. Resource-level permissions, described here, are part of identity-based policies and restrict which resources those policies cover.

For more information about the differences between identity-based and resource-based policies, see [Identity-Based Policies and Resource-Based Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html) in the *IAM User Guide*. The following sections describe how resource-level permissions work with Amazon Q Developer in chat applications.

**Topics**
+ [Using the Amazon Q Developer in chat applications resource in a policy](#security_iam_resource-description)
+ [Example: Amazon Q Developer in chat applications resource-level permission](#security_iam_resource-based-policy-examples)

## Using the Amazon Q Developer in chat applications resource in a policy


You can set up an IAM policy that defines *who* (users, groups and roles) can perform actions on Amazon Q Developer in chat applications resources. The policy uses *resource-level permissions* to determine *which* Amazon Q Developer in chat applications resources that users of the IAM policy can work with. The policy also defines *how* they can work with them (through Actions and Conditions).

When you create an IAM policy, you refer to a **chat-configuration** resource by its Amazon Resource Name (ARN). A chat configuration itself consists of three objects:
+ A list of one or more Amazon Simple Notification Service (Amazon SNS) topic ARNs for the topics associated with the configuration.
+ The ARN of the customer's IAM role. Amazon Q Developer in chat applications assumes this role in the customer's account and calls other AWS services to get the information it needs. For example, a CloudWatch alarm notification is displayed with the alarm's metric graph image, and Amazon Q Developer in chat applications calls the CloudWatch API with the role's credentials to get it.
+ An Amazon Chime webhook URL, or a Slack channel ID and Slack workspace ID.

In resource-level permissions, both Slack channels and Amazon Chime webhooks are addressed as a *chat-configuration*. The path segment that follows `chat-configuration/` (`slack-channel` or `chime-webhook`) distinguishes the two types, and the `configuration-name` segment is the name given to the Slack channel or Amazon Chime webhook configuration in the Amazon Q Developer in chat applications console.

The Amazon Q Developer in chat applications resource ARN has the following format:

`arn:${partition}:chatbot::${account-id}:chat-configuration/slack-channel/${configuration-name}`

Or:

`arn:${partition}:chatbot::${account-id}:chat-configuration/chime-webhook/${configuration-name}`

For example:

`arn:aws:chatbot::123456789021:chat-configuration/slack-channel/devops_channel_01`

Or:

`arn:aws:chatbot::123456789021:chat-configuration/chime-webhook/devops_webhook_IT_team_space`

**Note**  
When you create the permissions, ensure that any Actions apply to the correct configuration type. 

## Example: Amazon Q Developer in chat applications resource-level permission


You can use resource-level permissions to allow or deny access to one or more Amazon Q Developer in chat applications resources in an IAM policy, or to all of them.

To add a resource-level permission to a policy, put the configuration's ARN in the statement's `Resource` element instead of `"*"`. The following example is based on the identity-based policy in [Amazon Q Developer Identity-Based Policies](security_iam_service-with-iam-id-based-policies.md). It shows statements for both a `slack-channel` and a `chime-webhook` resource, each scoped to the actions that apply to that configuration type.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*",
                "logs:Get*",
                "logs:List*",
                "logs:Describe*",
                "logs:TestMetricFilter",
                "logs:FilterLogEvents",
                "sns:Get*",
                "sns:List*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "SlackChannelPermissions",
            "Effect": "Allow",
            "Action": [
                "chatbot:Describe*",
                "chatbot:UpdateSlackChannelConfiguration",
                "chatbot:CreateSlackChannelConfiguration",
                "chatbot:DeleteSlackChannelConfiguration"
            ],
            "Resource": "arn:aws:chatbot::123456789021:chat-configuration/slack-channel/devops_channel_01"
        },
        {
            "Sid": "ChimeWebhookPermissions",
            "Effect": "Allow",
            "Action": [
                "chatbot:CreateChimeWebhookConfiguration",
                "chatbot:UpdateChimeWebhookConfiguration"
            ],
            "Resource": "arn:aws:chatbot::123456789021:chat-configuration/chime-webhook/devops_aws_chime_webhook1"
        }
    ]
}
```

Attach the policy to the IAM entity that needs it. The first statement gives read access to the CloudWatch, CloudWatch Logs, and Amazon SNS resources that the configurations use. The associated users can view, create, edit, and delete the `devops_channel_01` Slack channel configuration, and create and edit the `devops_aws_chime_webhook1` Amazon Chime webhook configuration; actions on any other configuration are implicitly denied. Slack actions scoped to a `chime-webhook` ARN, or Chime actions scoped to a `slack-channel` ARN, never match and grant nothing. To cover every configuration of one type in the account, use a wildcard in the name segment, for example `arn:aws:chatbot::123456789021:chat-configuration/slack-channel/*`.
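The ARN layout described under **Using the Amazon Q Developer in chat applications resource in a policy** and the scoping mistake the Note there warns about (Slack actions on a `chime-webhook` ARN, or the reverse) are easy to check mechanically. The following parser and linter are an added example, not part of the original page or of any AWS SDK: they accept only the two configuration types the page documents and the empty Region field shown in its ARN format, and they flag any `chatbot:*Slack*` or `chatbot:*Chime*` action whose `Resource` names a configuration of the other type. The account IDs, configuration names and sample statements are constructed for the example, and the action-name heuristic is ours, not an AWS rule.

```python
"""Parse, build and lint chat-configuration ARNs (added example, not AWS code).

Follows the ARN layout this page documents: a global service, so the Region
field is empty, and two configuration types, slack-channel and chime-webhook.
Account IDs, configuration names and the sample statements are constructed.
"""
from dataclasses import dataclass
import re

CONFIGURATION_TYPES = ("slack-channel", "chime-webhook")

_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):chatbot:(?P<region>[^:]*):"
    r"(?P<account>\d{12}|\*):chat-configuration/(?P<config_type>[^/]+)/(?P<name>[^/]+)$"
)

@dataclass(frozen=True)
class ChatConfigurationArn:
    partition: str
    account_id: str
    config_type: str
    name: str  # may end in '*' when the ARN is used as a policy Resource pattern

    def __str__(self):
        # '::' after 'chatbot' is the empty Region field of a global service.
        return (f"arn:{self.partition}:chatbot::{self.account_id}:"
                f"chat-configuration/{self.config_type}/{self.name}")

def parse_chat_configuration_arn(arn):
    """Split an ARN into its parts, rejecting the layout mistakes seen most often."""
    m = _ARN_RE.match(arn)
    if m is None:
        raise ValueError(f"not a chat-configuration ARN: {arn}")
    if m["region"]:
        raise ValueError(f"chat-configuration ARNs carry no Region; expected 'chatbot::' in {arn}")
    if m["config_type"] not in CONFIGURATION_TYPES:
        raise ValueError(f"unknown configuration type {m['config_type']!r} in {arn}")
    return ChatConfigurationArn(m["partition"], m["account"], m["config_type"], m["name"])

def is_valid_chat_configuration_arn(arn):
    try:
        parse_chat_configuration_arn(arn)
        return True
    except ValueError:
        return False

def build_resource_pattern(account_id, config_type, name="*", partition="aws"):
    """ARN of one configuration, or, with name='*', of every configuration of that type."""
    if config_type not in CONFIGURATION_TYPES:
        raise ValueError(f"unknown configuration type {config_type!r}")
    return str(ChatConfigurationArn(partition, account_id, config_type, name))

def _expected_type(action):
    """Heuristic (ours, not an AWS rule): 'Slack' or 'Chime' in the action name pins the type."""
    if "Slack" in action:
        return "slack-channel"
    if "Chime" in action:
        return "chime-webhook"
    return None  # e.g. chatbot:Describe* applies to either type

def lint_statement(statement):
    """Warn about chatbot actions scoped to a Resource they can never match."""
    actions = statement["Action"] if isinstance(statement["Action"], list) else [statement["Action"]]
    resources = statement["Resource"] if isinstance(statement["Resource"], list) else [statement["Resource"]]
    warnings = []
    for resource in resources:
        if resource == "*":
            continue  # unscoped; nothing to check
        cfg = parse_chat_configuration_arn(resource)
        for action in actions:
            expected = _expected_type(action)
            if expected and expected != cfg.config_type:
                warnings.append(f"{action} can never match {cfg.config_type} resource {resource}")
    return warnings

# Constructed sample: Slack actions scoped to a Chime webhook ARN.
MISSCOPED_STATEMENT = {
    "Effect": "Allow",
    "Action": ["chatbot:Describe*", "chatbot:UpdateSlackChannelConfiguration",
               "chatbot:CreateSlackChannelConfiguration", "chatbot:DeleteSlackChannelConfiguration",
               "chatbot:CreateChimeWebhookConfiguration", "chatbot:UpdateChimeWebhookConfiguration"],
    "Resource": "arn:aws:chatbot::123456789021:chat-configuration/chime-webhook/devops_aws_chime_webhook1",
}

# The same permissions split so that each statement's actions fit its resource type.
CORRECTED_STATEMENTS = [
    {"Effect": "Allow",
     "Action": ["chatbot:Describe*", "chatbot:UpdateSlackChannelConfiguration",
                "chatbot:CreateSlackChannelConfiguration", "chatbot:DeleteSlackChannelConfiguration"],
     "Resource": build_resource_pattern("123456789021", "slack-channel", "devops_channel_01")},
    {"Effect": "Allow",
     "Action": ["chatbot:CreateChimeWebhookConfiguration", "chatbot:UpdateChimeWebhookConfiguration"],
     "Resource": build_resource_pattern("123456789021", "chime-webhook", "devops_aws_chime_webhook1")},
]

if __name__ == "__main__":
    print(build_resource_pattern("123456789021", "slack-channel"))
    for warning in lint_statement(MISSCOPED_STATEMENT):
        print("WARN", warning)
    print("corrected statements:", [lint_statement(s) for s in CORRECTED_STATEMENTS])
```

`build_resource_pattern` with the default `name="*"` returns the ARN that covers every configuration of one type in an account, the middle ground between a single configuration ARN and `"Resource": "*"`. The parser deliberately rejects an ARN with a Region between the two colons, because that is the most common way a hand-written `chatbot` ARN silently fails to match.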

# Using Service-Linked Roles for Amazon Q Developer in chat applications

A [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) is a type of IAM role that links directly to an AWS service. It gives AWS services the permissions to access resources in other services to complete actions on your behalf.

For information about other services that support service-linked roles, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-Linked Role** column. Choose any **Yes** entry with a link to view the service-linked role documentation for that service.

When you create an Amazon Q Developer in chat applications resource in the Amazon Q Developer in chat applications console, you can also choose to provide a list of one or more SNS topics to associate with the new resource. Amazon Q Developer in chat applications automatically uses the **AWSServiceRoleForAWSChatbot** service-linked role to add or remove subscriptions to the Amazon Q Developer in chat applications global Amazon SNS subscription endpoint.

The service-linked role makes setting up Amazon Q Developer in chat applications easier because you don’t have to manually add the necessary permissions. Amazon Q Developer in chat applications defines the permissions for the service-linked role and only Amazon Q Developer in chat applications can assume that role. The permissions include a trust policy and a permissions policy, which apply only to the Amazon Q Developer in chat applications service.

**Topics**
+ [Amazon Q Developer in chat applications Service-linked role for performing operations on Amazon SNS topics and CloudWatch Logs](slr-permissions.md)

# Amazon Q Developer in chat applications Service-linked role for performing operations on Amazon SNS topics and CloudWatch Logs

Amazon Q Developer in chat applications uses the service-linked role named **AWSServiceRoleForAWSChatbot**. The role carries a managed IAM policy with the scoped permissions that Amazon Q Developer in chat applications needs to run in customers' accounts.

## Service-Linked Role Permissions for Amazon Q Developer


The Amazon Q Developer in chat applications service-linked role gives permissions for the following services and resources:
+ Amazon SNS notifications
+ CloudWatch Logs

These permissions allow Amazon Q Developer in chat applications to perform operations on Amazon SNS topics and CloudWatch Logs.

Administrators can view, but can't edit, the permissions for the Amazon Q Developer in chat applications service-linked role.

The **AWSServiceRoleForAWSChatbot** service-linked role provides trust permissions to the following service to assume its role:
+ `management.chatbot.amazonaws.com`

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-Linked Role Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

When you create an Amazon Q Developer in chat applications configuration, it creates the following policy for the service-linked role:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sns:ListSubscriptionsByTopic",
                "sns:ListTopics",
                "sns:Unsubscribe",
                "sns:Subscribe",
                "sns:ListSubscriptions"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents",
                "logs:CreateLogStream",
                "logs:DescribeLogStreams",
                "logs:CreateLogGroup",
                "logs:DescribeLogGroups"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/chatbot/*"
        }
    ]
}
```

You don't need to take any action to support this role beyond using the Amazon Q Developer in chat applications service.

## Enabling the service-linked role for Amazon Q Developer


When you configure Amazon Q Developer in chat applications for the first time, you configure a Microsoft Teams channel, a Slack channel, or Amazon Chime webhook to work with Amazon Simple Notification Service (Amazon SNS) topics for forwarding notifications to chat rooms. When you create the first resource, Amazon Q Developer in chat applications automatically creates the IAM service-linked role, which can be seen in the IAM console. You don't need to manually create or configure this role. 

## Editing a service-linked role for Amazon Q Developer


You can't edit the **AWSServiceRoleForAWSChatbot** service-linked role. You also can't change its name, because other entities might reference it. You can edit the role's description using the IAM console. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Manually deleting the AWSServiceRoleForAWSChatbot service-linked role


Under specific circumstances, you can manually delete the **AWSServiceRoleForAWSChatbot** service-linked role. If you no longer need to use any feature or service that requires a service-linked role, we recommend that you delete that role. Doing so prevents having an unused entity that is not actively maintained in your account.

To delete the Amazon Q Developer in chat applications service-linked role, you must delete all Amazon Q Developer in chat applications resources in your AWS account, including all Slack channels and Amazon Chime webhooks. You can delete all Amazon Q Developer in chat applications resources using the Amazon Q Developer in chat applications console, and then use the IAM console or AWS Command Line Interface (AWS CLI) to delete the service-linked role. 

**Note**  
If Amazon Q Developer is using the **AWSServiceRoleForAWSChatbot** service-linked role when you try to delete its resources, the deletion might fail. If that happens, wait a few minutes and try deleting it again.

**To delete Amazon Q Developer in chat applications resources**

1. [Open the Amazon Q Developer in chat applications console](https://us-east-2.console.aws.amazon.com/chatbot/home?region=us-east-2#/chat-clients).

1. To remove Amazon Chime webhook configurations, do the following:

   1. Choose **Amazon Chime**.

   1. Choose each webhook that you need to delete and choose **Delete webhook**. You can delete one at a time.

   1. Choose **Delete** to confirm the deletion.

   1. Repeat these steps to delete all webhook configurations.

1. To remove Slack channel configurations, do the following:

   1. Choose **Slack**.

   1. Choose the channel that you need to delete and choose **Delete channel**.

   1. Choose **Delete** to confirm the deletion.

   1. Repeat these steps to delete all Slack channel configurations.

1. To delete the **AWSServiceRoleForAWSChatbot** service-linked role, use the IAM console or the AWS Command Line Interface (AWS CLI). For information, see [Deleting a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

**Note**  
If you delete the Amazon Q Developer in chat applications service-linked role and later need it again, open the Amazon Q Developer in chat applications console and create a new Slack channel or Amazon Chime webhook configuration. Creating the first new resource recreates the service-linked role in your account.

## Supported regions for Amazon Q Developer service-linked roles


Amazon Q Developer in chat applications doesn't support the **AWSServiceRoleForAWSChatbot** service-linked role in every AWS Region where the service is available. The following table shows the Regions where you can use it.


| Region Name | Region Identity | Supported in Amazon Q Developer | 
| --- | --- | --- | 
| US East (N. Virginia) | us-east-1 | Yes | 
| US East (Ohio) | us-east-2 | Yes | 
| US West (N. California) | us-west-1 | Yes | 
| US West (Oregon) | us-west-2 | Yes | 
| Asia Pacific (Mumbai) | ap-south-1 | Yes | 
| Asia Pacific (Osaka) | ap-northeast-3 | Yes | 
| Asia Pacific (Seoul) | ap-northeast-2 | Yes | 
| Asia Pacific (Singapore) | ap-southeast-1 | Yes | 
| Asia Pacific (Sydney) | ap-southeast-2 | Yes | 
| Asia Pacific (Tokyo) | ap-northeast-1 | Yes | 
| Canada (Central) | ca-central-1 | Yes | 
| Europe (Frankfurt) | eu-central-1 | Yes | 
| Europe (Ireland) | eu-west-1 | Yes | 
| Europe (London) | eu-west-2 | Yes | 
| Europe (Paris) | eu-west-3 | Yes | 
| South America (São Paulo) | sa-east-1 | Yes | 
| AWS GovCloud (US) | us-gov-west-1 | No | 

# Troubleshooting Amazon Q Developer in chat applications identity and access

Use the following information to help you diagnose and fix common issues that you might encounter when working with Amazon Q Developer and IAM.

**Topics**
+ [I'm not authorized to perform an action using Amazon Q Developer in chat applications](#security_iam_troubleshoot-no-permissions)
+ [I'm not authorized to perform iam:PassRole](#security_iam_troubleshoot-passrole)
+ [I want to allow people outside of my AWS account to access my Amazon Q Developer resources](#security_iam_troubleshoot-cross-account-access)

## I'm not authorized to perform an action using Amazon Q Developer in chat applications


If the AWS Management Console tells you that you're not authorized to perform an action, contact your administrator for assistance. Your administrator is the person who provided you with your sign-in credentials.

The following example error occurs when the `mateojackson` IAM user tries to use the console to view details about a *widget* (a placeholder resource type) but does not have `chatbot:GetWidget` permissions.

```
User: arn:aws:iam::123456789012:user/mateojackson is not authorized to perform: chatbot:GetWidget on resource: my-example-widget
```

In this case, Mateo asks his administrator to update his policies to allow him to access the `my-example-widget` resource using the `chatbot:GetWidget` action.

## I'm not authorized to perform iam:PassRole


If you receive an error that you're not authorized to perform the `iam:PassRole` action, your policies must be updated to allow you to pass a role to Amazon Q Developer.

Some AWS services allow you to pass an existing role to that service instead of creating a new service role or service-linked role. To do this, you must have permissions to pass the role to the service.

The following example error occurs when an IAM user named `marymajor` tries to use the console to perform an action in Amazon Q Developer. However, the action requires the service to have permissions that are granted by a service role. Mary does not have permissions to pass the role to the service.

```
User: arn:aws:iam::123456789012:user/marymajor is not authorized to perform: iam:PassRole
```

In this case, Mary's policies must be updated to allow her to perform the `iam:PassRole` action.

If you need help, contact your AWS administrator. Your administrator is the person who provided you with your sign-in credentials.

## I want to allow people outside of my AWS account to access my Amazon Q Developer resources


You can create a role that users in other accounts or people outside of your organization can use to access your resources. You can specify who is trusted to assume the role. For services that support resource-based policies or access control lists (ACLs), you can use those policies to grant people access to your resources.

To learn more, consult the following:
+ To learn whether Amazon Q Developer supports these features, see [How Amazon Q Developer in chat applications works with IAM](security-iam.md#security_iam_service-with-iam).
+ To learn how to provide access to your resources across AWS accounts that you own, see [Providing access to an IAM user in another AWS account that you own](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html) in the *IAM User Guide*.
+ To learn how to provide access to your resources to third-party AWS accounts, see [Providing access to AWS accounts owned by third parties](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html) in the *IAM User Guide*.
+ To learn how to provide access through identity federation, see [Providing access to externally authenticated users (identity federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html) in the *IAM User Guide*.
+ To learn the difference between using roles and resource-based policies for cross-account access, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.