User is not authorized to call ChatSync API of Q Business app

0

I created a Q Business application. The Q application uses IAM Identity Center for authentication, and I don't have any external IdP linked. When I use the access key and secret key associated with my IAM user (the IAM user has all permissions for qbusiness actions) to call boto3 chat_sync(), it throws a "User is not authorized for this service call." error. Does anyone know how to resolve the issue? I tried the following:

import boto3

session = boto3.session.Session(
    aws_access_key_id=<access key id>,
    aws_secret_access_key=<secret key>,
    region_name=<region>
)

# Create a client for the specified service
client = session.client("qbusiness")
response = client.chat_sync(applicationId=<application id>, userMessage='Who are you?')

It seems like I can't use the access key and secret key associated with the IAM user to make the API call. Instead I need to create a new "User" in IAM Identity Center and give the user access to the Q Business app. The new user in IAM Identity Center can't be linked to an IAM user, so how can I get the access key of the new user created in IAM Identity Center? My account is not an organization account.

Thank you in advance.

1 Answer
0

The issue you're experiencing is related to how Amazon Q Business handles authentication for API calls, particularly for the ChatSync operation. When using IAM Identity Center for authentication with Amazon Q Business, you cannot use standard IAM user credentials (access key and secret key) to make API calls like ChatSync.

Instead, Amazon Q Business requires identity-aware AWS SigV4 credentials for the authenticated user. This means you need to obtain temporary credentials that are associated with the specific user's identity in IAM Identity Center.

To resolve this issue:

  1. You're correct that you need to create a user in IAM Identity Center and give them access to the Q Business application.

  2. However, you cannot directly get an access key for users created in IAM Identity Center. Instead, you need to use a process to obtain temporary, identity-aware credentials.

  3. The process typically involves:

    • Authenticating the user through IAM Identity Center
    • Obtaining a token that represents the user's identity
    • Using this token to assume an IAM role that has the necessary permissions for Amazon Q Business
    • Using the temporary credentials from the assumed role to make the API call

  4. If you're not using an external IdP, you might need to use the AWS SSO OIDC endpoints to obtain the necessary tokens and credentials.

  5. Once you have the temporary credentials, you would use them to create your boto3 session instead of using static IAM user credentials.

  6. It's also worth noting that you may need to run the ChatSync operation twice the first time for a particular user. The first call might fail with an AccessDeniedException, but it should automatically subscribe the user to the Amazon Q Business application. The second call should then succeed.

Given that your account is not an organization account, you might face some limitations in setting this up. You may need to consider upgrading to an organization account or exploring alternative authentication methods that Amazon Q Business supports for your specific setup.

If you continue to face issues, it would be advisable to contact AWS Support for guidance tailored to your specific account configuration and requirements.
Sources
Implement secure API access to your Amazon Q Business applications with IAM federation user access management | AWS Machine Learning Blog
Making authenticated Amazon Q Business API calls using IAM federation - Amazon Q Business
Amazon Q Business chat-sync CLI command always failing | AWS re:Post

answered 9 months ago
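The token-exchange flow the answer outlines in steps 3 to 6, as an added example that is not part of the question, the answer, or AWS's own sample code. It assumes the IAM federation flow from the cited "Making authenticated Amazon Q Business API calls using IAM federation" doc: a JWT from a trusted token issuer configured in Identity Center is exchanged with sso-oidc CreateTokenWithIAM, the sts:identity_context claim of the returned ID token is passed to STS AssumeRole as a provided context, and the resulting credentials sign ChatSync; the OIDC client ID, role ARN and the role's trust-policy requirements are assumptions, and SAMPLE_ID_TOKEN is a constructed, unsigned token used only to exercise the claim parser offline.

```python
import base64
import json

# Context provider STS accepts for Identity Center trusted identity propagation.
IDENTITY_CENTER_PROVIDER_ARN = "arn:aws:iam::aws:contextProvider/IdentityCenter"


def identity_context_from_id_token(id_token: str) -> str:
    """Return the sts:identity_context claim from an Identity Center ID token.
    Only the payload is decoded; STS validates the signature when the context is used."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))["sts:identity_context"]


def identity_aware_credentials(idp_jwt, oidc_client_id, role_arn, region):
    """Exchange a trusted-token-issuer JWT for identity-aware SigV4 credentials.
    oidc_client_id is the Identity Center application's OIDC client ID and role_arn
    a role whose trust policy allows sts:AssumeRole and sts:SetContext (assumptions)."""
    import boto3  # imported here so the claim parser above stays usable offline
    tokens = boto3.client("sso-oidc", region_name=region).create_token_with_iam(
        clientId=oidc_client_id,
        grantType="urn:ietf:params:oauth:grant-type:jwt-bearer",
        assertion=idp_jwt,
    )
    context = identity_context_from_id_token(tokens["idToken"])
    resp = boto3.client("sts", region_name=region).assume_role(
        RoleArn=role_arn,
        RoleSessionName="qbusiness-chat",
        ProvidedContexts=[{"ProviderArn": IDENTITY_CENTER_PROVIDER_ARN,
                           "ContextAssertion": context}],
    )
    return resp["Credentials"]  # AccessKeyId, SecretAccessKey, SessionToken


def chat_sync_with_subscribe_retry(client, application_id, message):
    """Call ChatSync, retrying once: a user's first call may fail with
    AccessDeniedException while the application auto-subscribes that user."""
    from botocore.exceptions import ClientError
    for attempt in range(2):
        try:
            return client.chat_sync(applicationId=application_id, userMessage=message)
        except ClientError as err:
            if attempt == 1 or err.response["Error"]["Code"] != "AccessDeniedException":
                raise


# Constructed sample token (unsigned; only for an offline check of the claim parser).
_payload = base64.urlsafe_b64encode(b'{"sts:identity_context":"demo-context"}').rstrip(b"=")
SAMPLE_ID_TOKEN = "eyJhbGciOiJub25lIn0." + _payload.decode() + "."
```

When building the boto3 session from the returned credentials, pass SessionToken as aws_session_token alongside the key pair; the temporary credentials are rejected without it.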
