QBusiness Anonymous user - getting 403 forbidden error - asking for aws account for accessing URL of the chatbot

0

Instructions I Followed to Set Up Amazon Q Business with Anonymous Access

I've been trying to set up an Amazon Q Business chatbot with anonymous access. Here are the steps I've followed and the issues I've encountered:

Steps Taken:

  1. Created an Amazon Q Business application with anonymous access:

    aws qbusiness create-application \
      --description "Public chatbot application with anonymous access" \
      --role-arn "arn:aws:iam::<account-number>:role/AmazonQBusinessAnonymousAccessRole" \
      --display-name "PublicChatbot" \
      --identity-type "ANONYMOUS"

  2. Created an IAM role (AmazonQBusinessAnonymousAccessRole) with the necessary permissions:

    aws iam create-role \
      --role-name AmazonQBusinessAnonymousAccessRole \
      --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"qbusiness.amazonaws.com"},"Action":"sts:AssumeRole"}]}'

  3. Created and attached a policy to the role:

    aws iam create-policy \
      --policy-name AmazonQBusinessAnonymousAccess \
      --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["qbusiness:*"],"Resource":"*"}]}'

    aws iam attach-role-policy \
      --role-name AmazonQBusinessAnonymousAccessRole \
      --policy-arn "arn:aws:iam::<account_number>:policy/AmazonQBusinessAnonymousAccess"

  4. Created a web experience for the application:

    aws qbusiness create-web-experience \
      --origins "https://example.com" "http://localhost:3000" \
      --sample-prompts-control-mode "ENABLED" \
      --welcome-message "Welcome to our public chatbot!" \
      --role-arn "arn:aws:iam::<account_number>:role/AmazonQBusinessAnonymousAccessRole" \
      --title "Public Chatbot" \
      --application-id "<application_id>"

  5. Received a URL like https://tevgwwht.chat.qbusiness.us-east-1.on.aws/

Instructions Followed in AWS Management Console

Step 1: Create an Amazon Q Business Application

  1. Logged into the AWS Management Console
  2. Navigated to the Amazon Q Business service
  3. Clicked "Create application"
  4. Filled in the following details:
     • Display name: "PublicChatbot"
     • Description: "Public chatbot application with anonymous access"
     • Identity type: Selected "ANONYMOUS" from the dropdown
     • IAM Role: Selected "AmazonQBusinessAnonymousAccessRole"
  5. Clicked "Create application"

Step 2: Configure IAM Role Permissions

  1. Navigated to IAM in the AWS Management Console
  2. Selected "Roles" from the left navigation
  3. Located or created "AmazonQBusinessAnonymousAccessRole"
  4. Added the following policies to the role:
     • AmazonQBusinessFullAccess
     • Created a custom policy named "AmazonQBusinessAnonymousAccess" with full qbusiness:* permissions

Step 3: Create a Web Experience

  1. Returned to the Amazon Q Business console
  2. Selected the newly created application
  3. Clicked on "Web experiences" tab
  4. Clicked "Create web experience"
  5. Configured the following settings:
     • Title: "Public Chatbot"
     • Welcome message: "Welcome to our public chatbot!"
     • Sample prompts: Enabled
     • Origins: Added multiple origins including example.com and localhost:3000
     • Role ARN: Selected the AmazonQBusinessAnonymousAccessRole
  6. Clicked "Create"

Step 4: Attempted to Access the Generated URL

  1. Copied the generated URL (https://tevgwwht.chat.qbusiness.us-east-1.on.aws/)
  2. Tried accessing it in a browser
  3. Encountered 403 Forbidden error
  4. The URL redirects to a path containing "code=invalid_code" in the URL
  5. Final URL looks like: https://tevgwwht.chat.qbusiness.us-east-1.on.aws/error?code=invalid-code#/

Step 5: Troubleshooting Attempts

  1. Tried accessing in incognito/private browsing mode
  2. Updated web experience settings with different origins
  3. Deleted and recreated the web experience
  4. Verified IAM permissions were correct
  5. Created HTML files to embed the chatbot via iframe

Despite following all these steps correctly according to AWS documentation, the URL continues to return a 403 Forbidden error, preventing client access for testing.

Issues Encountered:

  1. The URL consistently returns a 403 Forbidden error with an "invalid-code" message
  2. Tried accessing in incognito/private browsing windows - same error
  3. Tried updating the web experience with different origin settings - no change
  4. Created HTML files to embed the chatbot via iframe - still getting 403 errors
  5. Deleted and recreated the web experience multiple times - same issue
  6. Verified IAM permissions are correct - still not working
  7. AWS documentation states anonymous access should make it publicly accessible, but this isn't working in practice

What I Need:

I need a solution to make my Amazon Q Business chatbot truly accessible for client testing. The preview URL works within AWS Console but not for external users. I've tried multiple approaches as documented above but continue to encounter 403 errors.

Has anyone successfully deployed an Amazon Q Business chatbot with anonymous access that's truly accessible to the public? What specific configuration am I missing? Is there any other way that they can access the application without logging in as a user?

2 Answers
0

Based on the information provided and the steps you've taken, it appears you've encountered a common issue with setting up anonymous access for Amazon Q Business. Here's what might be happening and some potential solutions:

  1. IAM Role Permissions: While you've created an IAM role with the necessary permissions, there might be a slight mismatch in the required permissions. The role should have specific permissions for Amazon Q Business actions, not just a blanket "qbusiness:*" permission. You may need to refine the policy to include specific actions like "qbusiness:ChatSync" and "qbusiness:GetApplication".

  2. Web Experience Configuration: The web experience configuration is crucial for anonymous access. Make sure that the origins you've specified in the create-web-experience command match exactly with the domains from which you're trying to access the chatbot. If you're testing locally, ensure "http://localhost:3000" is included.

  3. CORS (Cross-Origin Resource Sharing) Settings: The 403 error could be related to CORS issues. Ensure that your web experience configuration includes the correct CORS settings for your domains.

  4. Application Settings: Double-check that your application is indeed set up for anonymous access. You can verify this in the Amazon Q Business console under the application details.

  5. Region Consistency: Ensure that you're accessing the chatbot URL from the same region where you created the application and web experience.

  6. Caching Issues: Sometimes, changes to IAM roles and policies can take some time to propagate. Try waiting for a short period (15-30 minutes) and then attempt to access the chatbot again.

  7. Trust Relationship: Verify that the trust relationship for your IAM role includes the qbusiness.amazonaws.com service.

To troubleshoot further:

  1. Review the CloudWatch logs for your Amazon Q Business application to see if there are any specific error messages that might provide more insight.

  2. Try creating a minimal test HTML page that only includes the chatbot iframe and nothing else, to isolate any potential issues with your web page.

  3. Use the AWS CLI to describe your application and web experience, ensuring all settings are as expected.

  4. If possible, try setting up the anonymous access in a different AWS account to see if the issue persists, which could help isolate whether it's an account-specific problem.

If after trying these steps you're still encountering issues, it may be worth reaching out to AWS Support for further assistance, as there could be a service-specific issue or limitation that's not immediately apparent.
Sources
Resolve Amazon Q Business 403 permissions error | AWS re:Post
Amazon Q Web Experience - Permission Needed | AWS re:Post
Troubleshooting Amazon Q Business identity and access - Amazon Q Business

answered 9 months ago
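Points 1, 2 and 7 of the answer above (specific actions instead of a blanket `qbusiness:*`, origins that match exactly, a trust relationship with qbusiness.amazonaws.com) can be checked mechanically against the JSON that `aws iam get-role` and `aws qbusiness get-web-experience` return. The following is an added example, not code from the answer or from AWS; it runs on constructed copies of the question's own policy documents and origins list, and the refined action names used in its test are illustrative only.

```python
import json
from urllib.parse import urlsplit

# Constructed copies of the question's IAM documents (not live AWS output).
TRUST_POLICY = json.loads(
    '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
    '"Principal":{"Service":"qbusiness.amazonaws.com"},"Action":"sts:AssumeRole"}]}')
PERMISSIONS_POLICY = json.loads(
    '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
    '"Action":["qbusiness:*"],"Resource":"*"}]}')
ALLOWED_ORIGINS = ["https://example.com", "http://localhost:3000"]  # from the question


def _as_list(v):
    """IAM accepts either a string or a list in Action, Resource and Principal.Service."""
    return v if isinstance(v, list) else [v]


def trusts_qbusiness(trust_policy):
    """Answer point 7: some Allow statement must let qbusiness.amazonaws.com assume the role."""
    for st in trust_policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if "qbusiness.amazonaws.com" in services and "sts:AssumeRole" in _as_list(st.get("Action", [])):
            return True
    return False


def wildcard_findings(policy):
    """Answer point 1: list Allow statements that grant wildcard actions or resources."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        findings += [f"statement {i}: wildcard action {a}" for a in _as_list(st.get("Action", [])) if a.endswith("*")]
        findings += [f"statement {i}: wildcard resource" for r in _as_list(st.get("Resource", [])) if r == "*"]
    return findings


def origin_of(url):
    """Answer point 2: an origin is scheme://host[:port] only; path and query do not count."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def origin_allowed(url, allowed=ALLOWED_ORIGINS):
    """Exact match against the web experience's origins; http vs https or a different port both fail."""
    return origin_of(url) in {origin_of(o) for o in allowed}
```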
0

Hello.

I tried enabling anonymous access for Amazon Q Business on my AWS account using the instructions in the following document, and was able to access it successfully.
There should be no difference from the settings you made.
Does the problem occur if you change your browser, PC or network?
https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/create-anonymous-application.html

There may be some restrictions in place on your AWS account, so I recommend that you open a case with AWS Support under "Account and billing".
"Account and billing" inquiries are free of charge.
https://docs.aws.amazon.com/awssupport/latest/user/case-management.html

EXPERT
answered 9 months ago
