Why do I receive a "Permissions needed. 403 Forbidden" error when I access my Amazon Q Business web experience?

I want to troubleshoot the "Permissions needed. Please check your permissions. 403 Forbidden" error that I receive when I try to access my Amazon Q Business web experience.

Resolution

The 403 Forbidden error can occur for the following reasons:

  • The subscription that you assigned to your user or group isn't active.
  • Your AWS Identity and Access Management (IAM) role doesn't have the correct permissions for the web experience.

Check user subscription status

Complete the following steps:

  1. Open the Amazon Q Business console.
  2. In the navigation pane, choose Applications, and then select the name of your application.
  3. On the Application details page, under User access, choose Manage user access.
  4. Choose the Groups and Users tab.
  5. Find your user and check that the subscription status is Active.
    Note: If your user isn't listed, then add your user to your AWS IAM Identity Center instance and grant the user access to Amazon Q Business.
  6. If your user doesn't have an active subscription, then choose Add groups and users.
  7. In the Confirm subscription change window, select the subscription level, and then choose Done.
  8. From the user account, relaunch the web experience.

Add a user to your IAM Identity Center instance and grant access to Amazon Q Business

You must have permissions to access your IAM Identity Center instance. If you're using Amazon Q Business in a member account, then the IAM Identity Center instance might be in a different organization in AWS Organizations. You must have access to the organization to add an Amazon Q Business subscription.

To add a user, complete the following steps:

  1. Open the IAM Identity Center console.
  2. In the navigation pane, choose Groups, and then select your group name.
  3. Choose Add users to group, and then select the user.
    Note: If no users are available to add, then you must add users to your Identity Center directory.

Note: It can take up to 24 hours for your change to take effect.

Check that your web experience IAM role has the correct permissions

Complete the following steps:

  1. Open the Amazon Q Business console.
  2. In the navigation pane, choose Applications, and then select the name of your application.
  3. On the Application details page, under Web experience settings, note the web experience role name.
  4. Open the IAM console.
  5. In the navigation pane, choose Roles.
  6. Enter your role name in the search bar, and then select your role.
  7. If you configured your application with IAM Identity Center, then confirm that your role includes the required permissions and trust policies for the web experience.
    -or-
    If you configured your application with IAM Federation, then confirm that your role includes the required permissions and trust policies for the web experience.
  8. Relaunch the web experience.
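
For step 7, one way to check a role's trust policy offline, shown as an added example that is not part of the original article or AWS tooling. It assumes the IAM Identity Center case, where the role is expected to trust the application.qbusiness.amazonaws.com service principal for sts:AssumeRole and sts:SetContext; the function names and the sample policy are constructed for illustration.

```python
import json

# Assumed expectations for a web experience role on an application that uses
# IAM Identity Center; confirm both against the current Amazon Q Business docs.
EXPECTED_SERVICE = "application.qbusiness.amazonaws.com"
REQUIRED_ACTIONS = ("sts:AssumeRole", "sts:SetContext")


def _as_list(value):
    """IAM accepts a scalar or a list for Statement, Action and Principal.Service."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, service=EXPECTED_SERVICE, required=REQUIRED_ACTIONS):
    """Return findings for a trust policy dict (wildcard actions are not expanded)."""
    trusted, scoped, granted = False, True, set()
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or service not in services:
            continue
        trusted = True
        # Action names and condition keys are case-insensitive in IAM.
        granted.update(a.lower() for a in _as_list(stmt.get("Action")))
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if not keys & {"aws:sourceaccount", "aws:sourcearn"}:
            scoped = False
    if not trusted:
        return [f"no Allow statement trusts {service}"]
    findings = [f"missing action {a}" for a in required if a.lower() not in granted]
    if not scoped:
        findings.append("trust is not scoped by aws:SourceAccount or aws:SourceArn")
    return findings


# Constructed sample: single-statement policy that omits sts:SetContext and any Condition.
BROKEN = json.loads("""
{"Version": "2012-10-17",
 "Statement": {"Effect": "Allow",
               "Principal": {"Service": "application.qbusiness.amazonaws.com"},
               "Action": "sts:AssumeRole"}}
""")

if __name__ == "__main__":
    for finding in check_trust_policy(BROKEN) or ["trust policy looks correct"]:
        print(finding)
```

To run it against a real role, export the trust policy with `aws iam get-role --role-name <role-name> --query Role.AssumeRolePolicyDocument` and pass the parsed JSON to `check_trust_policy`.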