- Newest
- Most votes
- Most comments
Hi There
The --user-id
that you pass in the chat-sync
CLI command is not the same as the user ID that is making the CLI call.
Please run aws sts get-caller-identity
which will show you the current IAM identity/role, and verify the user has the expected permissions. [1]
If you are logged into the AWS Console using SSO, youll probably see something like
"Arn": "arn:aws:sts::1234567890:assumed-role/roleName"
in the output
This is the IAM role that you are assuming when you run the CLI command. Verify that Role has the appropriate permissions
[1] https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/get-caller-identity.html
I ran
aws sts get-caller-identity
to confirm and yes as expected it is an assumed role. That role has the AdministratorAccess AWS managed - job function policy assigned which allows full access to absolutely everything and still it doesn't work (like I say ALL other CLI commands do work from same CLI session). The AWS managed AdministratorAccess policy looks like this:{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ] }
so I don't see what more permissions I can give it.
Have also tried via direct accessKeyId/secretAccessKey user creds (rather than an assumed role) with exactly the same outcome. Perhaps it's more to do with the
--user-id
parameter than who I'm calling as. The docs aren't clear what this user-id is although I've tried everything I can think of and the user is always one with access to the Q Business App and can log in and chat fine via the web experience (I've tried a user with both a Q Buisness Lite and a Q Business Pro subscription). I wonder if anyone has actually got this ChatSync API to work. Would be great to hear some specifics from someone on the--user-id
parameter and their user setup.
I am running into the same problem, with the same setup (Ec2, role, etc). I strongly suspect this is a bug on AWS's end.
I am experiencing the same problem. I created a lambda which has all AmazonQ business permissions then I ran chat-sync against a datasource free Confluence instance setting the userId as the account Confluence ID or the Confluence email. Also, I set the confluence email visible for anyone as the doc says. I checked the indexing process of the docs was executed sucessfully too. Also, I tested it with my user AWS account ID ,who is admin, without any success.
Could you shed any light here? Thank you ;)
Here is a solution to this issue : https://github.com/aws-samples/custom-web-experience-with-amazon-q-business
Relevant content
- asked 4 years ago
- Accepted Answerasked 2 months ago
- asked a year ago
- AWS OFFICIALUpdated 3 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 9 months ago
- AWS OFFICIALUpdated 2 months ago
It is possible the window in which you are running the code might not be getting AWS credentials
--debug
flag.aws s3 ls
I can perform ALL other AWS CLI operations in the very same CLI session/window. This is the only one that fails so perhaps just an Amazon Q Business bug?
I just tested the aws-cli chat-sync api. Please share output of the command adding
--debug
flag at the end of the cli command.`aws qbusiness chat-sync --application-id 818ab2cd-xxxx-xxxx-xxxx-123456ebf8a3 --user-id abcd --user-message "test" --debug
Here is the output of running the CLI command with the --debug flag. I have only replaced security tokens & signatures in the output. These comment windows only allow 1500 characters so I'll have to split into multiple comments. Part 1:
Part 2: