Amazon Q Business ChatSync API - IAM User Not Authorized Despite Full Access Policy


Hi everyone,

I'm currently working with the Amazon Q Business APIs using IAM user credentials. Most APIs like chatControls, plugins, etc., are working as expected. However, I'm encountering an issue with the ChatSync API — it returns the following error:

"User is not authorized for this service call"

My IAM user has the following policy attached, which provides full access to Amazon Q Business:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "qbusiness:*",
      "Resource": "*"
    }
  ]
}

Despite this, I'm still receiving the authorization error only for the ChatSync API.

Here is the curl request I'm using for the ChatSync API:

curl --location 'https://qbusiness.us-east-1.api.aws/applications/4-my-application-id/conversations?sync' \
--header 'Content-Type: application/json' \
--header 'X-Amz-Content-Sha256: beaeadyyyyyba3' \
--header 'X-Amz-Date: 20250423T052305Z' \
--header 'Authorization: AWS4-HMAC-SHA256 Credential=AKyyI/20250423/us-east-1/qbusiness/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-content-sha256;x-amz-date, Signature=f6yyy0' \
--data '{
  "userMessage": "Tell me about Amazon Q Business API"
}'

Given that other APIs work and this specific one doesn't, I’m wondering:

Is there a different permission required specifically for the ChatSync API?

Could there be a service control policy (SCP), organization policy, or something else that might be blocking it?

Am I missing anything in the request structure itself?

Any insights or guidance would be greatly appreciated.

Thanks in advance!

1 Answer

Hello,

ChatSync has different permissions compared to GetChatControlsConfiguration, GetPlugins, etc.; you need to make use of an identity-aware session when calling the API. You can find guidance in a previous re:Post that was answered here: https://repost.aws/questions/QUqqemQYRpRUqxqxEBzR-jVQ/amazon-q-business-chat-sync-cli-command-always-failing

TL;DR (extracted from the re:Post above):

  • You would need an idToken provided by your SSO Identity Provider (IdP).
  • Using that token, you exchange for an identity-aware token from IAM Identity Center (IdC), which you need to configure to treat your IdP as a trusted token issuer (TTI).
  • And using this IdC token, you assume an IAM role, hence obtaining temporary identity-aware session credentials.
  • Finally, with these temporary credentials, you call the chat-sync API (without specifying UserId because it is implicit in the session credentials).
AWS
answered 19 days ago
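The four steps above as one identity-aware ChatSync flow in Python, added here as an example and not code from the post or from AWS. It assumes boto3 clients for `sso-oidc` and `sts` (passed in so the flow can be exercised without network access), and the client id, role ARN, application id and sample idToken are placeholders or constructed values.

```python
import base64
import json

# STS context provider for IAM Identity Center and the OAuth JWT-bearer grant
# used by CreateTokenWithIAM; all other identifiers below are placeholders.
IDC_CONTEXT_PROVIDER = "arn:aws:iam::aws:contextProvider/IdentityCenter"
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload. No signature check here: the IdC token is
    returned directly by IdC over TLS, not supplied by an untrusted party."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def identity_context(idc_id_token: str) -> str:
    """The claim STS binds to the role session so Q Business knows the user."""
    return jwt_claims(idc_id_token)["sts:identity_context"]


def assume_role_params(role_arn: str, context: str, name="qbusiness-chat") -> dict:
    """AssumeRole request carrying the IdC identity context (step 3)."""
    return {"RoleArn": role_arn, "RoleSessionName": name,
            "ProvidedContexts": [{"ProviderArn": IDC_CONTEXT_PROVIDER,
                                  "ContextAssertion": context}]}


def identity_aware_chat_sync(idp_id_token, oidc, sts, qb_factory,
                             client_id, role_arn, app_id, message):
    """oidc = boto3 'sso-oidc' client, sts = boto3 'sts' client,
    qb_factory(creds) -> 'qbusiness' client built from the temporary creds."""
    # Step 2: exchange the IdP idToken (IdP registered as trusted token issuer).
    tok = oidc.create_token_with_iam(clientId=client_id, grantType=JWT_BEARER_GRANT,
                                     assertion=idp_id_token)
    # Step 3: assume the role with the identity context -> identity-aware session.
    creds = sts.assume_role(**assume_role_params(
        role_arn, identity_context(tok["idToken"])))["Credentials"]
    # Step 4: ChatSync with those credentials; no userId, the session implies it.
    return qb_factory(creds).chat_sync(applicationId=app_id, userMessage=message)


# Constructed sample IdC idToken (unsigned, for demonstration only).
SAMPLE_IDC_ID_TOKEN = ".".join([
    _b64url(b'{"alg":"none"}'),
    _b64url(json.dumps({"sub": "user-1", "sts:identity_context": "CTX-EXAMPLE"}).encode()),
    ""])
```

With real clients, `qb_factory` is a function that passes `creds["AccessKeyId"]`, `creds["SecretAccessKey"]` and `creds["SessionToken"]` to `boto3.client("qbusiness", ...)`, while `oidc` and `sts` come from `boto3.client("sso-oidc")` and `boto3.client("sts")`.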
