By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Access denied when calling Amazon Q business BatchPutDocument API. Please check your data source IAM role.

0

Hi, I am trying out Amazon Q and using the Q retriever. I have successfully added a S3 bucket as the data source. As I try to sync the files in the S3, I received error: "Access denied when calling Amazon Q business BatchPutDocument API. Please check your data source IAM role."

The IAM role for data source it is using has the following permissions policies. What else can be missing? Please advise.

  • AmazonKendraFullAccess
  • AmazonS3FullAccess

Trusted Entities:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "lambda.amazonaws.com", "kendra.amazonaws.com", "qbusiness.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] }

Topics
Security, Identity, & ComplianceMachine Learning & AI
Tags
AWS Identity and Access ManagementAmazon KendraAmazon Q
Language
English
rePost-User-2111766
asked 2 months ago418 views
2 Answers
1
Accepted Answer

Hi there!

Since you are using the native Q retriever you will need to allow BatchPutDocument on your Q index, like below:

    {
      "Sid": "AllowsAmazonQToIngestDocuments",
      "Effect": "Allow",
      "Action": [
        "qbusiness:BatchPutDocument",
        "qbusiness:BatchDeleteDocument"
      ],
      "Resource": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}/index/{{index_id}}"
    },

You can check out the full IAM permission needed in the docs at https://docs.aws.amazon.com/amazonq/latest/business-use-dg/create-s3-datasource-iam-role.html as you will also have to add permissions for the Principal Store APIs in addition to the above and access to your S3 bucket. There are also examples for other configurations.

AWS
Gillian
answered 2 months ago
0

Since the error is pointing to BatchPutDocument API, I followed this https://docs.aws.amazon.com/kendra/latest/dg/iam-roles.html

Here is the policy I added to the role. However, I am still getting the same error. Thanks for your pointers. { "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::xxxx/" ], "Effect": "Allow" }, { "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::xxxx" ], "Effect": "Allow" }, { "Effect": "Allow", "Action": [ "kendra:BatchPutDocument", "kendra:BatchDeleteDocument" ], "Resource": [ "arn:aws:kendra:us-east-2:12345678:index/" ] } ] }

rePost-User-2111766
answered 2 months ago
  • Gillian
    a month ago

    If you are using the native Q retriever you need to provide permissions for qbusiness:BatchPutDocument rather than kendra:BatchPutDocument. The link in the answer gives the full details of the permissions needed.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content