Get Document Content API call returns AccessDeniedException

0

Hi,

I am trying to get access to the Q Business index documents and am wondering if it is available or I am just doing something wrong.

  • My Q Business application is configured to use IAM Identity Center.
  • I have added the user to the Q Business application under a Q Business Lite subscription
  • A permission set was created and assigned to the user that gives the user qbusiness:* permissions on the index and application resources
  • I log into the CLI to the permission set via aws configure sso
  • I can then freely run aws qbusiness list-documents --application-id "app_id" --index-id "idx_id" --profile QBusiness which returns a list of document_ids for the application and index. Those ids are website links since that output is from a website crawler.
  • I then try to run aws qbusiness get-document-content --application-id "app_id" --index-id "idx_id" --document-id "https://sample.com/articles/fall-sample?hsLang=en" --profile Admin

I keep getting the following error: An error occurred (AccessDeniedException) when calling the GetDocumentContent operation: User is not authorized for this service call.

I have tried it with a random article name as well and it also returns AccessDeniedException, which makes me wonder if I am not sending the document id in the correct way.

1 Answer
0

The AccessDeniedException you're encountering with the GetDocumentContent API call could be due to several factors:

  1. Authentication Method: Since your Q Business application is configured with IAM Identity Center, you need to use an identity-aware session. The error suggests that the authentication method you're using might not be properly passing your identity context to the API.

  2. Profile Mismatch: I notice you're using the "QBusiness" profile for list-documents but switching to the "Admin" profile for get-document-content. This inconsistency could be causing the authorization failure. Try using the same profile for both operations.

  3. Document Access Control: The GetDocumentContent API validates user authorization against document Access Control Lists (ACLs) before returning content. Even if you have general permissions to the Q Business application, you might not have specific access to the particular document you're trying to retrieve.

  4. Document ID Format: The document ID you're using (a full URL) might not be in the correct format expected by the API. The GetDocumentContent API expects the document ID as it's stored in the index, which might not be the full URL.

To troubleshoot:

  1. Use the same profile for both operations (stick with the QBusiness profile that worked for list-documents)
  2. Try using the CheckDocumentAccess API to verify if you have access to the specific document
  3. Ensure the document ID format is correct - you might need to encode the URL or use a different identifier
  4. Verify that your permission set includes not just broad qbusiness:* permissions but specifically the permissions needed for document content retrieval

If these steps don't resolve the issue, it's possible that the GetDocumentContent functionality might have specific requirements or limitations that aren't fully addressed in your current setup.
Sources
GetDocumentContent - Amazon Q Business
AccessDeniedException - ChatSync operation (IAM Identity Center) | AWS re:Post
CheckDocumentAccess - Amazon Q Business

answered 8 months ago
  • Can you confirm that access to the GetDocumentContent is implemented if the document id is a webpage?
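
Added example (not part of the original thread and not AWS-provided code): the troubleshooting sequence from the answer above as a shell sketch that sends every call through one profile and quotes the URL-style document ID. All IDs, the profile name and the `--user-id` value are placeholders and assumptions; `DRY_RUN=1` prints the commands instead of calling AWS.

```shell
#!/bin/sh
# Added troubleshooting sketch; the function names are hypothetical helpers.
# Usage: script PROFILE APP_ID INDEX_ID DOC_ID USER_ID
# DRY_RUN=1 prints each command instead of executing it.

run_aws() {
    # Single choke point, so a stray second profile cannot slip in.
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'aws'
        for arg in "$@"; do printf " '%s'" "$arg"; done
        printf '\n'
    else
        aws "$@"
    fi
}

qb_diagnose() {
    profile=$1; app_id=$2; index_id=$3; doc_id=$4; user_id=$5

    # 1. Which principal does this profile actually resolve to?
    run_aws sts get-caller-identity --profile "$profile" || return 1

    # 2. The call that already succeeds in the question.
    run_aws qbusiness list-documents \
        --application-id "$app_id" --index-id "$index_id" \
        --profile "$profile" || return 2

    # 3. Document ACL check suggested in the answer.
    #    Assumption: user_id is the user's identifier as known to Q Business.
    run_aws qbusiness check-document-access \
        --application-id "$app_id" --index-id "$index_id" \
        --user-id "$user_id" --document-id "$doc_id" \
        --profile "$profile" || return 3

    # 4. The failing call, now with the same profile as step 2.
    #    The document ID stays quoted: '?' and '&' in a URL are shell syntax.
    run_aws qbusiness get-document-content \
        --application-id "$app_id" --index-id "$index_id" \
        --document-id "$doc_id" --profile "$profile" || return 4
}

# Run only when all five arguments are supplied on the command line.
if [ "$#" -eq 5 ]; then qb_diagnose "$@"; fi
```

The return code identifies the first step that failed, which separates a credential or profile problem (1, 2) from a document-level denial (3, 4).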
