Amazon Q Web Experience - Permission Needed


I have recently created an Amazon Q Business Application and have run into some interesting issues.

The first issue was I had to use the CLI to create the web experience. Once I did it through the CLI, I was able to update the web experience via the console. The next issue was that we have set up IAM Identity Center at our root account vs in the account we have the Amazon Q application deployed. During the initial setup, it did find the proper IAM Identity Center ID and seemed to tie successfully to the root IAM Identity Provider. I did allow permissions from the root account so that I could add myself as a user. After I was done editing and setting up permissions via the Console, I attempted to go to the web experience URI. When doing so, I am presented with a 403 error stating, "Permission needed." I attempted to follow https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/idp-troubleshooting.html, but since the initial setup created the Application in IAM Identity Center, I do not see how to modify the majority of what is suggested. Has anyone else run into something similar?

1 Answer
Accepted Answer

So what has helped with this is following: https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/idp-sso.html. Mainly, re-creating the role. The issue is now with KMS being denied by the assumed-role. Once that is figured out, I will post it here (unless others beat me to it). Even with IAM Policy permissions allowing decrypt, there seems to be a missing step.

Jason
answered 21 days ago
  • Well, that was a caching thing, apparently. I stepped away and that error is gone, now basically back to 403: User is not subscribed to the application. There are also a ton of CORS errors between oidc.<region>.amazonaws.com/authorize and the Q2 Web interface's URI.

  • There seems to be something odd with session policies and it prevents KMS decrypt. So... basically going in circles with this one.

  • I had to end up re-creating a new app and re-indexing all the documents. For whatever reason, some serious issues came up with both changing subscriptions and using your own KMS key vs the provided KMS key. With that being said, I do think there are still issues (and likely why Q Business is still in preview).
