Configuring AWS Directory Service as an identity source for Amazon Q Developer transformation

Content level: Advanced

This article provides guidance on setting up AWS Managed Microsoft AD, then configuring Amazon Q Developer to use it as an identity source.

Situation

As customers and partners explore Amazon Q Developer's transformation capabilities, they must consider how to authenticate users. Many enterprises using AWS already have federation configured, but many other customers are unfamiliar with the process and need guidance.

Here are a few reasons why you might choose to federate with AWS Managed Microsoft AD:

  • You already use AWS Managed Microsoft AD and want to use it to grant access to Q Developer's transformation capabilities
  • You are standing up multiple Q Developer environments and want to manage user accounts in a single location
  • You performed a small-scale test of Amazon Q Developer with accounts managed by the default Identity Center directory, and now want to switch to a federated model
  • You are running a pilot that is required by security policy to be separate from your corporate infrastructure, but you need Microsoft AD
  • You want a simple way to federate, fully integrated into the Amazon console

Task

  • Deploy AWS Managed Microsoft AD
  • Configure federation in AWS IAM Identity Center

Action

The following services require configuration:

  • AWS Directory Service
  • Amazon IAM Identity Service
  • Amazon Q

AWS Directory Service

  1. Deploy a new managed Active Directory from AWS Directory Service

    Deploy Directory

  2. Select an Edition and give the directory a DNS name

    Edition

  3. Enter an optional NETBIOS name and description, then enter the password for the Admin account

    Admin account password

  4. Select a VPC and subnets

    VPC and subnets

  5. Choose Create directory

    Create directory

  6. Create an EC2 instance to manage the new directory

    A Windows EC2 instance is required to manage the directory. You can launch a new EC2 instance in the usual way, or use the simplified launch workflow as shown.

    Manage directory

  7. Add users to Active Directory

    Here, I created two groups: QT_Admins and QT_Users. Then, I added a few administrative and standard user accounts and added them to the appropriate group.

    AD users
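The console steps above take the directory DNS name, NetBIOS name, edition, VPC/subnets and the Admin password as free-form input, and the Admin password is the one secret that protects the whole directory. The following is an added example, not code from the article or from AWS; it wraps the Directory Service `create_microsoft_ad` API call so that the parameters are validated before the request is sent. It assumes the caller passes in a boto3 client (`boto3.client("ds")`) and that the Admin password arrives via the `AD_ADMIN_PASSWORD` environment variable or a secrets store rather than being written into the script; the password rules encoded here are the ones documented for AWS Managed Microsoft AD (8 to 64 characters, three of four character classes, no "admin" substring).

```python
"""Create an AWS Managed Microsoft AD with validated parameters.

Added example, not from the re:Post article. A boto3 Directory Service client
(boto3.client("ds")) is supplied by the caller; none is created here, so the
module imports and runs offline.
"""
import os
import re

# Documented limits for AWS Managed Microsoft AD (Standard and Enterprise).
NETBIOS_MAX_LEN = 15
PASSWORD_MIN_LEN, PASSWORD_MAX_LEN = 8, 64
# Directory DNS name must be a fully qualified name such as lab.local.
FQDN_RE = re.compile(
    r"^(?=.{1,255}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$", re.I
)


def check_admin_password(password: str) -> list:
    """Return the list of rule violations; an empty list means acceptable.

    Rules follow the AWS Managed Microsoft AD Admin password requirements:
    8-64 characters, characters from at least three of the four classes
    (lower, upper, digit, non-alphanumeric), and no 'admin' substring.
    """
    problems = []
    if not PASSWORD_MIN_LEN <= len(password) <= PASSWORD_MAX_LEN:
        problems.append("length must be 8-64 characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        problems.append("needs characters from at least 3 of 4 classes")
    if "admin" in password.lower():
        problems.append("must not contain the word 'admin'")
    return problems


def build_create_request(name, short_name, vpc_id, subnet_ids,
                         edition="Standard", description="", password=None):
    """Validate inputs and return the kwargs for ds.create_microsoft_ad()."""
    if password is None:
        # Secret comes from the environment (or a secrets manager), never from source.
        password = os.environ.get("AD_ADMIN_PASSWORD", "")
    if not FQDN_RE.match(name):
        raise ValueError(f"directory DNS name is not a valid FQDN: {name!r}")
    if short_name and (len(short_name) > NETBIOS_MAX_LEN
                       or not re.fullmatch(r"[A-Za-z0-9-]+", short_name)):
        raise ValueError("NetBIOS name must be 1-15 alphanumeric characters")
    if edition not in ("Standard", "Enterprise"):
        raise ValueError("edition must be Standard or Enterprise")
    if len(subnet_ids) != 2:
        # The managed AD places one domain controller in each of two subnets.
        raise ValueError("AWS Managed Microsoft AD needs exactly two subnets")
    problems = check_admin_password(password)
    if problems:
        raise ValueError("Admin password rejected: " + "; ".join(problems))
    request = {
        "Name": name,
        "Password": password,
        "Edition": edition,
        "VpcSettings": {"VpcId": vpc_id, "SubnetIds": list(subnet_ids)},
    }
    if short_name:
        request["ShortName"] = short_name
    if description:
        request["Description"] = description
    return request


def create_directory(ds_client, **kwargs) -> str:
    """Send the validated request and return the new DirectoryId."""
    request = build_create_request(**kwargs)
    response = ds_client.create_microsoft_ad(**request)
    return response["DirectoryId"]
```

Running `create_directory(boto3.client("ds"), name="lab.local", short_name="LAB", vpc_id=..., subnet_ids=[...])` reproduces steps 2 to 5 of the console flow; a rejected password fails before any API call, so a weak Admin credential never reaches the directory.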

Amazon IAM Identity Service

This section assumes you have already set up the Amazon IAM Identity Service with the default Identity Center directory. You will convert from Identity Center Directory to Active Directory. The process for setting it up new is essentially the same.

  1. From IAM Identity Center, select Confirm identity source.

    Confirm identity source

  2. In the Actions menu, select Change identity source

    Change identity source

  3. Choose Active Directory

    Active Directory

  4. Select the directory that you created in the prior section

    Select directory

  5. Confirm the change

    Change identity source

    IAM Identity Center will reconfigure itself for federation.

    IAM Identity Center reconfiguration

  6. When the change is complete, select Start guided setup

Guided setup

  1. All of the attributes are already populated for you. Choose Next

    AD attributes

  2. Configure directory sync scope

    We recommend configuring a sync scope to populate the directory with only the specific users you require for Amazon Q. In this example, we added QT_Admins and QT_Users from the lab.local directory service that we created previously.

    Sync scope

  3. Save configuration

    Save configuration

  4. Resume sync

    If the sync shows as paused, choose Resume sync

    Resume sync

  5. Verify synchronized users appear in the Users section

    Synchronized users
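Step 2 of the guided setup (the sync scope) decides which directory groups end up in Identity Center, and step 5 is a visual check of the result. The following is an added example, not code from the article or from AWS, that turns that check into something a pipeline can run: it pages through the Identity Store `list_groups` API and reports any group outside the intended scope, or any expected group that has not arrived (sync still paused, wrong group selected). It assumes a boto3 client (`boto3.client("identitystore")`) and the identity store ID shown on the Identity Center settings page; the sample pages and the `d-PLACEHOLDER` ID are constructed for the offline run.

```python
"""Audit which groups IAM Identity Center has synced from AWS Managed Microsoft AD.

Added example, not part of the re:Post article. In production pass
boto3.client("identitystore") and the real identity store ID; the
ConstructedIdentityStore below stands in for it so the module runs offline.
"""

# The sync scope chosen in the article: only these two AD groups.
EXPECTED_GROUPS = {"QT_Admins", "QT_Users"}


def list_synced_groups(idstore, identity_store_id: str) -> list:
    """Page through identitystore.list_groups and collect every DisplayName."""
    names = []
    kwargs = {"IdentityStoreId": identity_store_id}
    while True:
        page = idstore.list_groups(**kwargs)
        names.extend(g["DisplayName"] for g in page.get("Groups", []))
        token = page.get("NextToken")
        if not token:
            return names
        kwargs["NextToken"] = token


def audit_sync_scope(idstore, identity_store_id: str, expected=EXPECTED_GROUPS) -> dict:
    """Compare the synced groups with the intended scope.

    Returns {'unexpected': [...], 'missing': [...]}: 'unexpected' lists groups
    the sync pulled in beyond the pilot's needs, 'missing' lists expected
    groups that never arrived.
    """
    synced = set(list_synced_groups(idstore, identity_store_id))
    return {
        "unexpected": sorted(synced - set(expected)),
        "missing": sorted(set(expected) - synced),
    }


class ConstructedIdentityStore:
    """Stand-in client returning constructed, paginated list_groups responses."""

    def __init__(self, pages):
        self._pages = pages

    def list_groups(self, IdentityStoreId, NextToken=None, **_):
        idx = int(NextToken) if NextToken else 0
        page = dict(self._pages[idx])
        if idx + 1 < len(self._pages):
            page["NextToken"] = str(idx + 1)  # same shape as the real API
        return page


# Constructed sample: the two intended groups plus one that should not have synced.
SAMPLE_PAGES = [
    {"Groups": [{"GroupId": "g-1", "DisplayName": "QT_Admins"}]},
    {"Groups": [{"GroupId": "g-2", "DisplayName": "QT_Users"},
                {"GroupId": "g-3", "DisplayName": "Domain Admins"}]},
]

if __name__ == "__main__":
    print(audit_sync_scope(ConstructedIdentityStore(SAMPLE_PAGES), "d-PLACEHOLDER"))
```

A non-empty `unexpected` list means the sync scope is wider than the groups you subscribed to Amazon Q and should be tightened before moving on to the subscription step; a non-empty `missing` list usually means the sync is still paused (step 4) or the wrong group was chosen in the scope.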

Amazon Q

  1. In the Amazon Q subscriptions area, choose Subscribe, then Get Started

    Q Subscriptions

  2. Find and select all of the groups you want to subscribe to Amazon Q

    Select groups

  3. Choose Assign

    Assign groups

Results

Users can now sign in to Amazon Q Transform with their Active Directory credentials.

Federated username

Federated password

Successful login

For more information on working with Amazon Q Transformation for VMware, see the Getting started with Amazon Q Developer transformation capabilities for VMware blog post.

AWS, EXPERT
published 3 months ago