

# Connecting Aurora (PostgreSQL) to Amazon Q Business
<a name="aurora-postgresql-connector"></a>

**Note**  
Aurora (PostgreSQL) connector remains fully supported for existing customers through May 31, 2026. While this connector is no longer available for new users, current users can continue to use it without interruption. We are continuously evolving our connector portfolio to offer more scalable and customizable solutions. For future integrations, we recommend exploring the [Amazon Q Business Custom Connector Framework](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/custom-connector.html), designed to support a broader range of enterprise use cases with enhanced flexibility.

Aurora (PostgreSQL) is a relational database management system (RDBMS) built for the cloud. You can connect your Aurora (PostgreSQL) instance to Amazon Q Business using the AWS Management Console, the AWS CLI, or the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) API, and then create an Amazon Q web experience.

The Amazon Q Aurora (PostgreSQL) data source connector supports Aurora PostgreSQL 1.

**Important**  
As a best practice, provide Amazon Q with read-only database credentials, granted SELECT only on the tables or views that the connector query reads. Also, avoid adding tables with sensitive data or personally identifiable information (PII).

**Topics**
+ [Known limitations for the Aurora (PostgreSQL) connector](aurora-postgresql-limitations.md)
+ [Aurora (PostgreSQL) connector overview](aurora-postgresql-overview.md)
+ [Prerequisites for connecting Amazon Q Business to Aurora (PostgreSQL)](aurora-postgresql-prereqs.md)
+ [Connecting Amazon Q Business to Aurora (PostgreSQL) using the console](aurora-postgresql-console.md)
+ [Connecting Amazon Q Business to Aurora (PostgreSQL) using APIs](aurora-postgresql-api.md)
+ [How Amazon Q Business connector crawls Aurora (PostgreSQL) ACLs](aurora-postgresql-user-management.md)
+ [Aurora (PostgreSQL) data source connector field mappings](aurora-postgresql-field-mappings.md)
+ [IAM role for Aurora (PostgreSQL) connector](aurora-postgresql-iam-role.md)

**Learn more**
+ For an overview of the Amazon Q web experience creation process using IAM Identity Center, see [Configuring an application using IAM Identity Center](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/create-application.html).
+ For an overview of the Amazon Q web experience creation process using AWS Identity and Access Management, see [Configuring an application using IAM](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/create-application-iam.html).
+ For an overview of connector features, see [Data source connector concepts](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html).
+ For information about connector configuration best practices, see [Connector configuration best practices](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-best-practices.html).

# Known limitations for the Aurora (PostgreSQL) connector
<a name="aurora-postgresql-limitations"></a>

The Aurora (PostgreSQL) connector has the following known limitations:
+ Deleted database rows are not tracked when Amazon Q checks for updated content, so deleting a row at the source does not by itself remove the corresponding document from the index.
+ The size of field names and values in a row of your database can't exceed 400KB.
+ Column names should only contain alphanumeric characters and not spaces.
+ If you have a large amount of data in your database data source, and do not want Amazon Q to index all your database content after the first sync, you can choose to sync only new, modified, or deleted documents.

# Aurora (PostgreSQL) connector overview
<a name="aurora-postgresql-overview"></a>

The following table gives an overview of the Amazon Q Business Aurora (PostgreSQL) connector and its supported features.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/aurora-postgresql-overview.html)

# Prerequisites for connecting Amazon Q Business to Aurora (PostgreSQL)
<a name="aurora-postgresql-prereqs"></a>

Before you begin, make sure that you have completed the following prerequisites.

**In Aurora (PostgreSQL), make sure you have:**
+ Noted your database username and password.
**Important**  
As a best practice, provide Amazon Q with read-only database credentials.
+ Copied your database host URL, port, and instance. You can find this information on the Amazon RDS console.

**In your AWS account, make sure you have:**
+ Created an Amazon Q Business application.
+ Created an [Amazon Q Business retriever and added an index](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/select-retriever.html).
+ Created an [IAM role](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/iam-roles.html#iam-roles-ds) for your data source and, if using the Amazon Q API, noted the ARN of the IAM role.
+ Stored your Aurora (PostgreSQL) authentication credentials in an AWS Secrets Manager secret and, if using the Amazon Q API, noted the ARN of the secret.
**Note**  
If you’re a console user, you can create the IAM role and Secrets Manager secret as part of configuring your Amazon Q application on the console.

For a list of things to consider while configuring your data source, see [ Data source connector configuration best practices](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-best-practices.html).

# Connecting Amazon Q Business to Aurora (PostgreSQL) using the console
<a name="aurora-postgresql-console"></a>

The following procedure outlines how to connect Amazon Q Business to Aurora (PostgreSQL) using the AWS Management Console.

**Connecting Amazon Q to Aurora (PostgreSQL)**

1. Sign in to the AWS Management Console and open the Amazon Q Business console.

1. From the left navigation menu, choose **Data sources**.

1. From the **Data sources** page, choose **Add data source**.

1. Then, on the **Add data sources** page, from **Data sources**, add the **Aurora (PostgreSQL)** data source to your Amazon Q application.

1. Then, on the **Aurora (PostgreSQL)** data source page, enter the following information:

1. **Name and description**, do the following:
   + For **Data source name** – Name your data source for easy tracking.
**Note**  
You can include hyphens (-) but not spaces. Maximum of 1,000 alphanumeric characters.
   + **Description – *optional*** – Add an optional description for your data source. This text is viewed only by Amazon Q Business administrators and can be edited later.

1. In **Source**, enter the following information:

   1.  **Host** – Enter the database host name, for example `instance-name.region.rds.amazonaws.com` (the endpoint shown in the Amazon RDS console). Enter the host name only, without an `http://` or `jdbc:` prefix.

   1.  **Port** – Enter the database port, for example, `5432`.

   1.  **Instance** – Enter the database instance (the `dbInstance` value the connector connects to).

   1. **Enable SSL certificate location** – Choose to enter the Amazon S3 path to your SSL certificate file.

1. **Authorization** – Amazon Q Business crawls ACL information by default to ensure responses are generated only from documents your end users have access to. If supported for your connector, you can manage ACLs by selecting **Enable ACLs** to enable ACLs or **Disable ACLs** to disable them. To manage ACLs, you need specific IAM permissions. See [Grant permission to create data sources with ACLs disabled](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/setting-up.html#DisableAclOnDataSource) for more details. See [Authorization](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-authorization) for more details.

1. In **Authentication** – Enter the following information for your **AWS Secrets Manager secret**.

   1. **Secret name** – A name for your secret.

   1. For **Database username**, and **Password** – Enter the authentication credential values you copied from your database. 

   1. Choose **Save**.

1. **Configure VPC and security group – *optional*** – Choose whether you want to use a VPC. If you do, enter the following information:

   1. **Subnets** – Select up to 6 subnets in the selected VPC. Amazon Q creates its network interfaces in these subnets, so they determine the IP ranges the connector connects from.

   1. **VPC security groups** – Choose up to 10 security groups that allow access to your data source. The security groups must allow inbound traffic on the database port (for example, `5432`) from the network interfaces that Amazon Q creates in the selected subnets. For database data sources, at least one security group is required.

   For more information, see [VPC](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-vpc).

1. **IAM role** – Choose an existing IAM role or create an IAM role to access your repository credentials and index content.
**Note**  
Creating a new service IAM role is recommended.

   For more information, see [IAM role](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/aurora-postgresql-connector.html#aurora-postgresql-iam).

1. In **Sync scope**, enter the following information:
   + **SQL query** – Enter SQL query statements like SELECT and JOIN operations. SQL queries must be less than 1000 characters and not contain any semi-colons (;). Amazon Q will crawl all database content that matches your query.
   + **Primary key column** – Provide the primary key for the database table. This identifies the row in the table for which your SQL query is written. The connector uses the primary key column value to identify rows, detect changes, and crawl data.
   + **Title column** – Provide the name of the column in your database table that you want to designate as the column with document titles.
   + **Body column** – Provide the name of the column in your database table that you want to designate as the column with document body text.

     Your SQL query can include multiple columns in your table concatenated into a single body column with an assigned alias.

1. **Advanced settings**

   **Document deletion safeguard – *optional*** – To safeguard your documents from deletion during a sync job, select **On** and enter an integer between 0 and 100. If the percentage of documents to be deleted in your sync job exceeds the percentage you selected, the delete phase is skipped and no documents from this data source are deleted from your index. For more information, see [Document deletion safeguard](connector-concepts.md#document-deletion-safeguard).

1. In **Additional configuration – *optional*** – Configure the following settings:
   + **Change-detecting columns** – Enter the names of the columns that Amazon Q will use to detect content changes. Amazon Q will re-index content when there is a change in any of these columns.
   + **Users' IDs column** – Enter the name of the column which contains User IDs to be allowed access to content.
   + **Groups column** – Enter the name of the column that contains groups to be allowed access to content.
   + **Source URLs column** – Enter the name of the column which contains Source URLs to be indexed.
   + **Time stamps column** – Enter the name of the column which contains time stamps. Amazon Q uses time stamp information to detect changes in your content and sync only changed content. 
   + **Time zones column** – Enter the name of the column which contains time zones for the content to be crawled.
   + **Time stamps format** – Enter the name of the column which contains time stamp formats to use to detect content changes and re-sync your content.

1. In **Sync mode**, choose how you want to update your index when your data source content changes. When you sync your data source with Amazon Q for the first time, all content is synced by default.
   + **Full sync** – Sync all content regardless of the previous sync status.
   + **New or modified content sync** – Sync only new and modified documents.
   + **New, modified, or deleted content sync** – Sync only new, modified, and deleted documents.

   For more details, see [Sync mode](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-sync-mode).

1. In **Sync run schedule**, for **Frequency** – Choose how often Amazon Q will sync with your data source. For more details, see [Sync run schedule](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-sync-run). To learn how to start a data sync job, see [Starting data source connector sync jobs](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/supported-datasource-actions.html#start-datasource-sync-jobs).

1. **Tags - *optional*** – Add tags to search and filter your resources or track your AWS costs. See [Tags](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/tagging.html) for more details.

1. **Field mappings** – A list of data source document attributes to map to your index fields.
**Note**  
Add or update the fields from the **Data source details** page after you finish adding your data source. You can choose from two types of fields: 

   1. **Default** – Automatically created by Amazon Q on your behalf based on common fields in your data source. You can't edit these.

   1. **Custom** – Automatically created by Amazon Q on your behalf based on common fields in your data source. You can edit these. You can also create and add new custom fields.
**Note**  
Support for adding custom fields varies by connector. You won't see the **Add field** option if your connector doesn't support adding custom fields.

   For more information, see [Field mappings](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-field-mappings).

1. In **Data source details**, choose **Sync now** to allow Amazon Q to begin syncing (crawling and ingesting) data from your data source. When the sync job finishes, your data source is ready to use.
**Note**  
View CloudWatch logs for your data source sync job by selecting **View CloudWatch logs**. If you encounter a `Resource not found exception` error, wait and try again as logs may not be available immediately.  
You can also view a detailed document-level report by selecting **View Report**. This report shows the status of each document during the crawl, sync, and index stages, including any errors. If the report is empty for an in-progress job, check back later as data is emitted to the report as events occur during the sync process.  
For more information, see [Troubleshooting data source connectors](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/troubleshooting-data-sources.html#troubleshooting-data-sources-not-indexed).

# Connecting Amazon Q Business to Aurora (PostgreSQL) using APIs
<a name="aurora-postgresql-api"></a>

You use the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) action to connect a data source to your Amazon Q application.

Then, you use the `configuration` parameter to provide a JSON schema with all other configuration information specific to your data source connector.

## Aurora (PostgreSQL) JSON schema
<a name="aurora-postgresql-json"></a>

The following is the Aurora (PostgreSQL) JSON schema:

```
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "connectionConfiguration": {
      "type": "object",
      "properties": {
        "repositoryEndpointMetadata": {
          "type": "object",
          "properties": {
            "dbType": {
              "type": "string",
              "enum": [
                "mysql",
                "db2",
                "postgresql",
                "oracle",
                "sqlserver"
              ]
            },
            "dbHost": {
              "type": "string"
            },
            "dbPort": {
              "type": "string"
            },
            "dbInstance": {
              "type": "string"
            }
          },
          "required": [
            "dbType",
            "dbHost",
            "dbPort",
            "dbInstance"
          ]
        }
      },
      "required": [
        "repositoryEndpointMetadata"
      ]
    },
    "repositoryConfigurations": {
      "type": "object",
      "properties": {
        "document": {
          "type": "object",
          "properties": {
            "fieldMappings": {
              "type": "array",
              "items": [
                {
                  "type": "object",
                  "properties": {
                    "indexFieldName": {
                      "type": "string"
                    },
                    "indexFieldType": {
                      "type": "string"
                    },
                    "dataSourceFieldName": {
                      "type": "string"
                    }
                  },
                  "required": [
                    "indexFieldName",
                    "indexFieldType",
                    "dataSourceFieldName"
                  ]
                }
              ]
            }
          },
          "required": [
            "fieldMappings"
          ]
        }
      },
      "required": [
      ]
    },
    "additionalProperties": {
      "type": "object",
      "properties": {
        "primaryKey": {
          "type": "string"
        },
        "titleColumn": {
          "type": "string"
        },
        "bodyColumn": {
          "type": "string"
        },
        "sqlQuery": {
          "type": "string",
          "not": {
            "pattern": ";+"
          }
        },
        "timestampColumn": {
          "type": "string"
        },
        "timestampFormat": {
          "type": "string"
        },
        "timezone": {
          "type": "string"
        },
        "changeDetectingColumns": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "allowedUsersColumn": {
          "type": "string"
        },
        "allowedGroupsColumn": {
          "type": "string"
        },
        "sourceURIColumn": {
          "type": "string"
        },
        "serverlessAurora": {
          "type": "string",
          "enum": ["true", "false"]
        }
      },
      "required": ["primaryKey", "titleColumn", "bodyColumn", "sqlQuery"]
    },
    "type" : {
      "type" : "string",
      "pattern": "JDBC"
    },
    "syncMode": {
      "type": "string",
      "enum": [
        "FORCED_FULL_CRAWL",
        "FULL_CRAWL",
        "CHANGE_LOG"
      ]
    },
    "secretArn": {
      "type": "string",
      "minLength": 20,
      "maxLength": 2048
    }
  },
  "version": {
    "type": "string",
    "anyOf": [
      {
        "pattern": "1.0.0"
      }
    ]
  },
  "required": [
      "connectionConfiguration",
      "repositoryConfigurations",
      "syncMode",
      "additionalProperties",
      "secretArn",
      "type"
  ]
}
```

The following table provides information about important JSON keys to configure.


| Configuration | Description | 
| --- | --- | 
| connectionConfiguration | Configuration information for the endpoint for the data source. | 
| repositoryEndpointMetadata | Required configuration information for connecting your data source: `dbType` (set to `postgresql`), `dbHost`, `dbPort` (as a string), and `dbInstance`. | 
| repositoryConfigurations | Configuration information for the content of the data source. For example, configuring specific types of content and field mappings. Specify the type of data source and the secret ARN. | 
| document | A list of objects that map the attributes or field names of your database content to Amazon Q index field names. For more information, see [Field mappings](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-field-mappings). | 
| additionalProperties | Additional configuration options for your content in your data source. Use to include or exclude specific content in your database data source. | 
| primaryKey  | Provide the primary key for the database table. This identifies the row in the table for which your SQL query is written. The connector uses the primary key column value to identify rows, detect changes, and crawl data. | 
| titleColumn | Provide the name of the column in your database table that you want to designate as the column with document titles. | 
| bodyColumn | Provide the name of the column in your database table that you want to designate as the column with document body text. Your SQL query can include multiple columns in your table concatenated into a single body column with an assigned alias. | 
| sqlQuery | Enter SQL query statements like SELECT and JOIN operations. SQL queries must be less than 1000 characters and not contain any semi-colons (;). Amazon Q will crawl all database content that matches your query. | 
| timestampColumn | Enter the name of the column which contains time stamps. Amazon Q uses time stamp information to detect changes in your content and sync only changed content. | 
| timestampFormat | Enter the name of the column which contains time stamp formats to use to detect content changes and re-sync your content. | 
| timezone | Enter the name of the column which contains time zones for the content to be crawled. | 
| changeDetectingColumns | Enter the names of the columns that Amazon Q will use to detect content changes. Amazon Q will re-index content when there is a change in any of these columns | 
| allowedUsersColumn | Enter the name of the column which contains the user IDs allowed to access the content of each row. | 
| allowedGroupsColumn | Enter the name of the column which contains the groups allowed to access the content of each row. | 
| sourceURIColumn | Enter the name of the column which contains Source URLs to be indexed. | 
| isSslEnabled | true to add a path to an SSL certificate file stored in an Amazon S3 bucket. | 
| type | The type of data source. Specify JDBC as your data source type. | 
| syncMode | Specify whether Amazon Q should update your index by syncing all documents or only new, modified, and deleted documents. Allowed values are `FORCED_FULL_CRAWL` (full sync), `FULL_CRAWL` (new or modified content), and `CHANGE_LOG` (new, modified, or deleted content). | 
| secretArn | The Amazon Resource Name (ARN) of a Secrets Manager secret that contains username and password required to connect to your database. The secret must contain a JSON structure with the following keys: <pre>{<br />    "username": "database username",<br />    "password": "password"<br />}</pre> | 
| version | The version of the template that is currently supported. | 
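The following is an added example, not AWS sample code, showing how the console's **Sync scope** and **Additional configuration** values map onto the JSON above. It builds the `configuration` document for `CreateDataSource`, enforces the constraints this page states for `sqlQuery` (no semicolons, under 1,000 characters), `syncMode`, `secretArn` and column names, and maps `jd_source_uri` to `_source_uri` as listed under field mappings (the `STRING` type name is an assumption). The host, database, the read-only view `kb_for_qbusiness`, and its column names are assumptions; building the semicolon-delimited ACL lists inside that view keeps `;` out of the connector query, which the schema rejects.

```python
"""Added example (not AWS sample code): build and sanity-check the
`configuration` document passed to CreateDataSource for an Aurora
(PostgreSQL) data source. The host, database, view and column names are
assumptions; the constraints enforced are the ones stated on this page."""
import json
import re

MAX_QUERY_LEN = 1000                          # sqlQuery must be < 1000 chars
SYNC_MODES = ("FORCED_FULL_CRAWL", "FULL_CRAWL", "CHANGE_LOG")
COLUMN_NAME = re.compile(r"[A-Za-z0-9_]+")    # alphanumeric, no spaces (underscore assumed OK)

# Assumed read-only view `kb_for_qbusiness`. It exposes only non-PII columns
# and already holds the semicolon-delimited ACL lists, so the connector query
# itself never needs a ';'. Two text columns are concatenated into one aliased
# body column, as the page allows.
SQL_QUERY = (
    "SELECT article_id, title, summary || ' ' || resolution AS body, "
    "updated_at, allowed_users, allowed_groups, source_url "
    "FROM kb_for_qbusiness WHERE published = true"
)


def validate_sql_query(query: str) -> str:
    """Reject queries the connector schema (or a read-only role) would refuse."""
    if ";" in query:
        raise ValueError("sqlQuery must not contain semicolons")
    if len(query) >= MAX_QUERY_LEN:
        raise ValueError(f"sqlQuery must be shorter than {MAX_QUERY_LEN} characters")
    if not re.match(r"\s*select\b", query, re.IGNORECASE):
        raise ValueError("sqlQuery should be a single SELECT statement")
    return query.strip()


def validate_column(name: str) -> str:
    """Column names referenced by the connector must be alphanumeric, no spaces."""
    if not COLUMN_NAME.fullmatch(name):
        raise ValueError(f"invalid column name {name!r}")
    return name


def build_configuration(*, db_host: str, db_port: int, db_instance: str,
                        secret_arn: str, sql_query: str = SQL_QUERY,
                        sync_mode: str = "CHANGE_LOG",
                        serverless: bool = False) -> dict:
    """Return the JSON-serialisable `configuration` value for CreateDataSource."""
    if sync_mode not in SYNC_MODES:
        raise ValueError(f"syncMode must be one of {SYNC_MODES}")
    if not secret_arn.startswith("arn:aws:secretsmanager:") or not 20 <= len(secret_arn) <= 2048:
        raise ValueError("secretArn must be a Secrets Manager ARN of 20-2048 characters")
    return {
        "type": "JDBC",
        "version": "1.0.0",
        "syncMode": sync_mode,
        "secretArn": secret_arn,
        "connectionConfiguration": {
            "repositoryEndpointMetadata": {
                "dbType": "postgresql",
                "dbHost": db_host,            # host name only, no scheme
                "dbPort": str(db_port),       # schema types dbPort as a string
                "dbInstance": db_instance,
            }
        },
        "repositoryConfigurations": {
            "document": {
                "fieldMappings": [
                    {"indexFieldName": "_source_uri",
                     "indexFieldType": "STRING",
                     "dataSourceFieldName": "jd_source_uri"}
                ]
            }
        },
        "additionalProperties": {
            "primaryKey": validate_column("article_id"),
            "titleColumn": validate_column("title"),
            "bodyColumn": validate_column("body"),        # alias from the query
            "sqlQuery": validate_sql_query(sql_query),
            "timestampColumn": validate_column("updated_at"),
            "changeDetectingColumns": [validate_column("updated_at")],
            "allowedUsersColumn": validate_column("allowed_users"),
            "allowedGroupsColumn": validate_column("allowed_groups"),
            "sourceURIColumn": validate_column("source_url"),
            "serverlessAurora": "true" if serverless else "false",  # string enum
        },
    }


def to_api_json(config: dict) -> str:
    """CreateDataSource takes the configuration as a JSON document."""
    return json.dumps(config, separators=(",", ":"))


def create_data_source(application_id: str, index_id: str, role_arn: str,
                       config: dict, display_name: str = "aurora-kb"):
    """Submit the configuration with boto3 (needs AWS credentials; not run here)."""
    import boto3
    client = boto3.client("qbusiness")
    return client.create_data_source(applicationId=application_id, indexId=index_id,
                                     displayName=display_name, roleArn=role_arn,
                                     configuration=config)
```

Run `build_configuration(...)` first and inspect the result; only then hand it to `create_data_source`, which calls the real API. Keeping the ACL list construction in a view rather than in `sqlQuery` also means the database role used in the secret needs SELECT on that one view only.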

# How Amazon Q Business connector crawls Aurora (PostgreSQL) ACLs
<a name="aurora-postgresql-user-management"></a>

When you connect a database data source to Amazon Q Business, Amazon Q Business crawls user and group information from a column in the source table. You specify this column in the console or using the `configuration` parameter as part of the `CreateDataSource` operation.

Activating ACL crawling allows the system to filter chat responses based on your end users' document access levels.

Prerequisites:
+ The group ACL column in the database should be a string containing a semicolon delimited list of groups.
+  The user ACL column in the database should be a string containing a semicolon delimited list of users.

A database data source has the following limitation:
+ You can only specify an allow list for a database data source. You can't specify a deny list.

 For more information, see:
+ [Authorization](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-authorization)
+ [Identity crawler](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-identity-crawler)
+ [Understanding User Store](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-principal-store.html)

# Aurora (PostgreSQL) data source connector field mappings
<a name="aurora-postgresql-field-mappings"></a>

To improve retrieved results and customize the end user chat experience, Amazon Q enables you to map document attributes from your data sources to fields in your Amazon Q index.

Amazon Q offers two kinds of attributes to map to index fields:
+ **Reserved or default** – Reserved attributes are based on document attributes that commonly occur in most data. You can use reserved attributes to map commonly occurring document attributes in your data source to Amazon Q index fields.
+ **Custom** – You can create custom attributes to map document attributes that are unique to your data to Amazon Q index fields.

When you connect Amazon Q to a data source, Amazon Q automatically maps specific data source document attributes to fields within an Amazon Q index. If a document attribute in your data source doesn't have an attribute mapping already available, or if you want to map additional document attributes to index fields, use the custom field mappings to specify how a data source attribute maps to an Amazon Q index field. You create field mappings by editing your data source after your application and retriever are created.

To learn more about document attributes and how they work in Amazon Q, see [Document attributes and types in Amazon Q](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/doc-attributes.html).

**Important**  
Filtering using document attributes in chat is only supported through the API.

The Amazon Q PostgreSQL connector supports the following field mappings:

**Topics**
+ [Document](#aurora-postgresql-field-mappings-document)

## Document
<a name="aurora-postgresql-field-mappings-document"></a>


| JDBC field name | Index field name | Field type | Data type | 
| --- | --- | --- | --- | 
| `jd_document_id` | `jd_document_id` | Custom | String | 
| `jd_document_title` | `jd_document_title` | Custom | String | 
| `jd_source_uri` | `_source_uri` | Default | String | 

# IAM role for Aurora (PostgreSQL) connector
<a name="aurora-postgresql-iam-role"></a>

If you use the AWS CLI or an AWS SDK, you must create an AWS Identity and Access Management (IAM) policy before you create an Amazon Q resource. When you call the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) operation, you provide the Amazon Resource Name (ARN) of the role that has the policy attached.

If you use the AWS Management Console, you can create a new IAM role in the Amazon Q console or use an existing IAM role.

To learn more about IAM roles, see [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) in the *AWS Identity and Access Management User Guide*.

To connect your data source connector to Amazon Q, you must give Amazon Q an IAM role that has the following permissions:
+ Permission to access the `BatchPutDocument` and `BatchDeleteDocument` operations to ingest documents.
+ Permission to access the [User Store](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-principal-store.html) API operations to ingest user and group access control information from documents.
+ Permission to access your AWS Secrets Manager secret to authenticate your data source connector instance.
+ Permission to access the SSL certificate stored in your Amazon S3 bucket.
+ **(Optional)** If you're using Amazon VPC, permission to access your Amazon VPC.

```
{
    "Version": "2012-10-17",
    "Statement": [{
            "Sid": "AllowsAmazonQToGetS3Objects",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::{{input_bucket_name}}/*"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "{{account_id}}"
                }
            }
        },
        {
            "Sid": "AllowsAmazonQToGetSecret",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
            ]
        },
        {
            "Sid": "AllowsAmazonQToDecryptSecret",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
            ],
            "Condition": {
                "StringLike": {
                    "kms:ViaService": [
                        "secretsmanager.*.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "AllowsAmazonQToIngestDocuments",
            "Effect": "Allow",
            "Action": [
                "qbusiness:BatchPutDocument",
                "qbusiness:BatchDeleteDocument"
            ],
            "Resource": [
                "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}",
                "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}"
            ]
        },
        {
            "Sid": "AllowsAmazonQToIngestPrincipalMapping",
            "Effect": "Allow",
            "Action": [
                "qbusiness:PutGroup",
                "qbusiness:CreateUser",
                "qbusiness:DeleteGroup",
                "qbusiness:UpdateUser",
                "qbusiness:ListGroups"
            ],
            "Resource": [
                "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}",
                "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}",
                "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}/data-source/*"
            ]
        },
        {
            "Sid": "AllowsAmazonQToCreateAndDeleteNI",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface"
            ],
            "Resource": [
                "arn:aws:ec2:{{region}}:{{account_id}}:subnet/[[subnet_ids]]",
                "arn:aws:ec2:{{region}}:{{account_id}}:security-group/[[security_group]]"
            ]
        },
        {
            "Sid": "AllowsAmazonQToCreateAndDeleteNIForSpecificTag",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface"
            ],
            "Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/AMAZON_Q": "qbusiness_{{account_id}}_{{application_id}}_*"
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                        "AMAZON_Q"
                    ]
                }
            }
        },
        {
            "Sid": "AllowsAmazonQToCreateTags",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "CreateNetworkInterface"
                }
            }
        },
        {
            "Sid": "AllowsAmazonQToCreateNetworkInterfacePermission",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterfacePermission"
            ],
            "Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/AMAZON_Q": "qbusiness_{{account_id}}_{{application_id}}_*"
                }
            }
        },
        {
            "Sid": "AllowsAmazonQToDescribeResourcesForVPC",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeNetworkInterfaceAttribute",
                "ec2:DescribeVpcs",
                "ec2:DescribeRegions",
                "ec2:DescribeNetworkInterfacePermissions",
                "ec2:DescribeSubnets"
            ],
            "Resource": "*"
        }
    ]
}
```

**To allow Amazon Q to assume a role, you must also use the following trust policy:**

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsAmazonQToAssumeRoleForServicePrincipal",
      "Effect": "Allow",
      "Principal": {
        "Service": "qbusiness.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "{{source_account}}"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"
        }
      }
    }
  ]
}
```

For more information on Amazon Q data source connector IAM roles, see [IAM roles for Amazon Q data source connectors](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/iam-roles.html#iam-roles-ds).
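The following is an added example, not AWS code, for checking the role before you attach it. It renders the `{{placeholder}}` / `[[placeholder]]` templates on this page into concrete JSON and then lints two things a practitioner cares about: that the trust policy pins `sts:AssumeRole` to one application with both `aws:SourceAccount` and `aws:SourceArn` (the confused-deputy guard), and that no Allow statement in the permissions policy grants non-read actions on `Resource: "*"` or an unscoped `kms:Decrypt`. The account ID, Region and application ID used are made-up values; the trust policy template is the one shown above.

```python
"""Added example (not AWS code): render the placeholder-based IAM templates
from this page and lint the result before creating the connector role.
Account, Region and application ID values are constructed for the example."""
import json
import re

PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}|\[\[(\w+)\]\]")

# Trust policy as shown on the page, placeholders left in place.
TRUST_POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowsAmazonQToAssumeRoleForServicePrincipal",
    "Effect": "Allow",
    "Principal": {"Service": "qbusiness.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {"aws:SourceAccount": "{{source_account}}"},
      "ArnLike": {"aws:SourceArn": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"}
    }
  }]
}"""

# Constructed values for the example (not a real account or application).
EXAMPLE_VALUES = {
    "source_account": "123456789012",
    "region": "us-east-1",
    "application_id": "a1b2c3d4-0000-4000-8000-000000000000",
}
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def render(template: str, values: dict) -> dict:
    """Substitute every placeholder and parse the JSON; fail on any left over."""
    def sub(match):
        key = match.group(1) or match.group(2)
        if key not in values:
            raise KeyError(f"no value supplied for placeholder {key}")
        return values[key]
    return json.loads(PLACEHOLDER.sub(sub, template))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy: dict, account: str, application_arn: str) -> list:
    """Findings for each AssumeRole statement not pinned to one application."""
    findings = []
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        sid = st.get("Sid", "<no Sid>")
        if _as_list(st.get("Principal", {}).get("Service")) != ["qbusiness.amazonaws.com"]:
            findings.append(f"{sid}: principal is not qbusiness.amazonaws.com")
        cond = st.get("Condition", {})
        if cond.get("StringEquals", {}).get("aws:SourceAccount") != account:
            findings.append(f"{sid}: aws:SourceAccount missing or wrong")
        if cond.get("ArnLike", {}).get("aws:SourceArn") != application_arn:
            findings.append(f"{sid}: aws:SourceArn does not pin the application")
    return findings


def check_permissions_policy(policy: dict) -> list:
    """Flag wildcard resources on non-read actions and unscoped kms:Decrypt."""
    findings = []
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        read_only = all(a.split(":", 1)[1].startswith(READ_ONLY_PREFIXES) for a in actions)
        if "*" in resources and not read_only:
            findings.append(f"{sid}: non-read actions on Resource '*'")
        cond = st.get("Condition", {})
        via = cond.get("StringLike", {}).get("kms:ViaService") or cond.get("StringEquals", {}).get("kms:ViaService")
        if "kms:Decrypt" in actions and not via:
            findings.append(f"{sid}: kms:Decrypt not restricted with kms:ViaService")
    return findings


if __name__ == "__main__":
    trust = render(TRUST_POLICY_TEMPLATE, EXAMPLE_VALUES)
    app_arn = "arn:aws:qbusiness:{region}:{source_account}:application/{application_id}".format(**EXAMPLE_VALUES)
    print(check_trust_policy(trust, EXAMPLE_VALUES["source_account"], app_arn) or "trust policy OK")
```

Feed the permissions policy from this page through `render` with the same values (plus `input_bucket_name`, `secret_id`, `key_id`, `index_id`, `subnet_ids` and `security_group`) and pass the result to `check_permissions_policy`; the only statement that legitimately uses `Resource: "*"` is the `ec2:Describe*` one.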