

# Connecting Google Drive to Amazon Q Business
<a name="google-connector"></a>

Google Drive is a cloud-based file storage service. Amazon Q Business can connect to your Google Drive instances. You can connect a Google Drive instance to Amazon Q, using either the AWS Management Console or the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) API, and create an Amazon Q web experience.

After you integrate Amazon Q with Google Drive, users can ask questions about content stored in their Google Drive. For example, users can inquire about key findings from Google Docs, presentation highlights from Google Slides, or search for specific information across multiple document types. The integration enables users to quickly access and understand information from their Google Drive content, regardless of file location or type, while providing contextual details such as publication dates, modification history, and document ownership—all contributing to more efficient information discovery and better-informed decision making.

**Topics**
+ [Connecting Google Drive to Amazon Q Business (New)](googledrive-v2-connector-primary.md)
+ [Connecting Google Drive to Amazon Q Business (Original)](googledrive-v1-connector-primary1.md)

**Learn more**
+ For an overview of the Amazon Q web experience creation process using IAM Identity Center, see [Configuring an application using IAM Identity Center](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/create-application.html).
+ For an overview of the Amazon Q web experience creation process using AWS Identity and Access Management, see [Configuring an application using IAM](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/create-application-iam.html).
+ For an overview of connector features, see [Data source connector concepts](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html).
+ For information about connector configuration best practices, see [Connector configuration best practices](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-best-practices.html).

# Connecting Google Drive to Amazon Q Business (New)
<a name="googledrive-v2-connector-primary"></a>

With the new connector, you can build and refresh your index significantly faster than before, control the sync scope using a date filter, and enable your end-users to get insights from link sharing-enabled documents that they have accessed before. The new Google Drive connector also performs targeted identity crawls, eliminating the need to crawl all groups within an enterprise.

# Known limitations for the Amazon Q Business Google Drive connector
<a name="googledrive-v2-limitations-primary"></a>

The new Amazon Q Google Drive connector has the following known limitations:
+ Comments synchronization is not supported in the new version.
+ VPC connectivity is not supported.
+ Custom field mappings are not supported.
+ File type pattern filtering is not supported (use MIME type filtering instead).
+ Document enrichment is not supported.

# Google Drive connector overview
<a name="googledrive-v2-overview-primary"></a>

The following table gives an overview of the new Amazon Q Business Google Drive connector and its supported features.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/googledrive-v2-overview-primary.html)

# Prerequisites for connecting Amazon Q Business to Google Drive
<a name="google-prereqs-gd2"></a>

Before you begin, make sure that you have completed the following prerequisites.

**In Google Drive, make sure you have:**
+ **Either** been granted access by a super admin role **or** are a user with administrative privileges. You do not need a super admin role for yourself if you have been granted access by a super admin role.
+ Configured Google Drive Service Account connection credentials containing your admin account email, client email (service account email), and private key. See [Google Cloud documentation on creating and deleting service account keys](https://cloud.google.com/iam/docs/keys-create-delete).
+ Created a Google Cloud Service Account (an account with delegated authority to assume a user identity) with **Enable G Suite Domain-wide Delegation** activated for server-to-server authentication, and then generated a JSON private key using the account.
**Note**  
The private key should be generated after the creation of the service account.
+ Added Admin SDK API and Google Drive API in your user account.
+ Added (or asked a user with a super admin role to add) the following OAuth scopes to your service account using a super admin role. These API scopes are needed to crawl all documents, and access control (ACL) information for all users in a Google Workspace domain:
  + https://www.googleapis.com/auth/drive.readonly—View and download all your Google Drive files
  + https://www.googleapis.com/auth/drive.metadata.readonly—View metadata for files in your Google Drive
  + https://www.googleapis.com/auth/admin.directory.group.readonly—Scope for only retrieving group, group alias, and member information. This is needed for the Amazon Q Identity Crawler.
  + https://www.googleapis.com/auth/admin.directory.user.readonly—Scope for only retrieving users or user aliases. This is needed for listing users in the Amazon Q Identity Crawler and for setting ACLs.
  + https://www.googleapis.com/auth/cloud-platform—Scope for generating access token for fetching content of large Google Drive files.
  + https://www.googleapis.com/auth/forms.body.readonly—Scope for fetching data from Google Forms.

  **To support the Forms API, add the following additional scope:**
  + https://www.googleapis.com/auth/forms.body.readonly

**In your AWS account, make sure you have:**
+ Created an Amazon Q Business application.
+ Created an [Amazon Q Business retriever and added an index](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/select-retriever.html).
+ Created an [IAM role](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/iam-roles.html#iam-roles-ds) for your data source and, if using the Amazon Q API, noted the ARN of the IAM role.
+ Stored your Google Drive authentication credentials in an AWS Secrets Manager secret and, if using the Amazon Q API, noted the ARN of the secret.
**Note**  
If you’re a console user, you can create the IAM role and Secrets Manager secret as part of configuring your Amazon Q application on the console.

For a list of things to consider while configuring your data source, see [Data source connector configuration best practices](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-best-practices.html).

# Connecting Amazon Q Business to Google Drive using the console
<a name="googledrive-v2-console-v2"></a>

The following procedure outlines how to connect Amazon Q Business to Google Drive with the new connector using the AWS Management Console.

**Connecting Amazon Q to Google Drive (New)**

1. Sign in to the AWS Management Console and open the Amazon Q Business console.

1. From the left navigation menu, choose **Data sources**.

1. From the **Data sources** page, choose **Add data source**.

1. Then, on the **Add data sources** page, from **Data sources**, add the **Google Drive** data source to your Amazon Q application.

1. Then, on the **Google Drive** data source page, enter the following information:

1. In **Name and description**, do the following:
   + For **Data source name** – Name your data source for easy tracking.
**Note**  
You can include hyphens (-) but not spaces. Maximum of 1,000 alphanumeric characters.
   + **Description – *optional*** – Add an optional description for your data source. This text is viewed only by Amazon Q Business administrators and can be edited later.

1. In **Authorization**, configure access control settings: Amazon Q Business crawls ACL information by default to ensure responses are generated only from documents your end users have access to. If supported for your connector, you can manage ACLs by selecting *Enable ACLs* to enable ACLs or *Disable ACLs* to disable them. To manage ACLs, you need specific IAM permissions. See [Grant permission to create data sources with ACLs disabled](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/setting-up.html#DisableAclOnDataSource) and [Authorization](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-authorization) for more details.

1. **AWS Secrets Manager secret** – Choose an existing secret or create a secret to store your Google Drive authentication credentials. If you choose to create a secret, an AWS Secrets Manager secret window opens.

   1. If you choose **Existing**, select an existing secret for **Select secret**.

     If you choose **New**, enter the following information in the **New AWS Secrets Manager secret** section:

     1. **Secret name** – A name for your secret.

     1. Enter the following information:
        + **Secret Name** – A name for your secret.
        + **Admin account email** – The email ID of the admin user (the email used by the Service Account User) in your Google service account configuration.
        + **Client email** – The email ID of the service account.
        +  **Private Key** – The private key created in your service account.

        Then, choose **Save and add secret**.

1. In **Identity crawler**, configure identity crawling settings:

   1. **Identity crawling has been turned on for your connector as the ACLs are enabled** – This notification appears when ACLs are enabled.

   1. **Manage identity crawling logs** – When enabled, CloudWatch logs will show identities associated with local groups, as crawled during each sync job. If you disable this option post sync job completion (or partial run), you'll need to manually delete any associated identity crawling logs already generated.
      + **Enable identity crawling logs** – Identities crawled during data source sync will be logged.
      + **Disable identity crawling logs** – Identities crawled during data source sync will not be logged.

1. **IAM role** – Amazon Q Business requires an IAM role to access repository credentials and application content:

   1. **Choose an option** – Select an existing IAM role or create a new one.

1. In **Sync scope**, configure which content to sync:

   1. **Sync contents** – Choose the following options to select contents to sync. To further limit the contents that you want to sync for specific folders or files use the 'Entity regex patterns':
      + **My Drive** – Selected by default. Use this option if you want the files in all of your users’ My Drives to be included.
      + **Shared with me** – Selected by default. Use this option if you want the files from 'Shared with me' to be included.
      + **Shared Drives** – Selected by default. Use this option if you want to include shared drives. You can use the shared drive filter (see below) to sync files from specific shared drives.

   1. For **Maximum file size** – You can specify the file size limit in GB for Amazon Q crawling. Amazon Q crawls only files within the defined size limit. The default file size is 50 MB. The maximum file size limit is 10 GB. Files must be larger than 0 MB and no larger than 10 GB. You can go up to 10 GB (10240 MB) if you enable **Video files** in **Multi-media content configuration**, and up to 2 GB (2048 MB) if you enable **Audio files** in **Multi-media content configuration**.

1. In **Additional configuration - *optional***, configure additional filtering options. All content will be indexed by default. However, you can also limit the scope with these additional options:

   1. **Date filter** – Add a date range to filter content based on the last modified date:
      + **Start date** – Enter the start date in YYYY/MM/DD format.
      + **End date - *optional*** – Enter the end date in YYYY/MM/DD format.

   1. **Shared drives** – Add IDs of shared drives you want to include or exclude in your application:
      + **Include shared drives** – Add shared drive IDs to include.
      + **Exclude shared drives** – Add shared drive IDs to exclude.

   1. **MIME types** – Add MIME types to include or exclude in your Google Drive account:
      + **Include mime types** – Add MIME types to include (e.g., `application/vnd.google-apps.document` for Google Docs, `application/pdf` for PDF files).
      + **Exclude mime types** – Add MIME types to exclude.

   1. **Multi-media content configuration – optional** – To enable content extraction from embedded images and visuals in documents, choose **Visual content in documents**. For more information, see [Extracting semantic meaning from embedded images and visuals](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/extracting-meaning-from-images.html).

      To extract audio transcriptions and video content, enable **Audio Files**. To extract video content, enable **Video files**. For more information, see [Extracting semantic meaning from audio and video Content](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/Audio-video-extraction.html). 

   1. **Advanced settings**

      **Document deletion safeguard** - *optional* – To safeguard your documents from deletion during a sync job, select **On** and enter an integer between 0 and 100. If the percentage of documents to be deleted in your sync job exceeds the percentage you selected, the delete phase will be skipped and no documents from this data source will be deleted from your index. For more information, see [Document deletion safeguard](connector-concepts.md#document-deletion-safeguard).

1. In **Sync run schedule**, for **Frequency** – Choose how often Amazon Q will sync with your data source. For more details, see [Sync run schedule](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-sync-run). To learn how to start a data sync job, see [Starting data source connector sync jobs](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/supported-datasource-actions.html#start-datasource-sync-jobs).

1. **Tags - *optional*** – Add tags to search and filter your resources or track your AWS costs. See [Tags](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/tagging.html) for more details.

1. In **Data source details**, choose **Sync now** to allow Amazon Q to begin syncing (crawling and ingesting) data from your data source. When the sync job finishes, your data source is ready to use.
**Note**  
View CloudWatch logs for your data source sync job by selecting **View CloudWatch logs**. If you encounter a `Resource not found exception` error, wait and try again as logs may not be available immediately.  
You can also view a detailed document-level report by selecting **View Report**. This report shows the status of each document during the crawl, sync, and index stages, including any errors. If the report is empty for an in-progress job, check back later as data is emitted to the report as events occur during the sync process.  
For more information, see [Troubleshooting data source connectors](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/troubleshooting-data-sources.html#troubleshooting-data-sources-not-indexed).

# IAM role for Amazon Q Business Google Drive connector
<a name="googledrive-v2-iam-role"></a>

If you use the AWS CLI or an AWS SDK, you must create an AWS Identity and Access Management (IAM) policy before you create an Amazon Q resource. When you call the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) operation, you provide the Amazon Resource Name (ARN) of the role with the policy attached.

If you use the AWS Management Console, you can create a new IAM role in the Amazon Q console or use an existing IAM role.

To learn more about IAM roles, see [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) in the *AWS Identity and Access Management User Guide*.

To connect your data source connector to Amazon Q, you must give Amazon Q an IAM role that has the following permissions:
+ Permission to access the `BatchPutDocument` and `BatchDeleteDocument` operations to ingest documents.
+ Permission to access the [User Store](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-principal-store.html) API operations to ingest user and group access control information from documents.
+ Permission to access your AWS Secrets Manager secret to authenticate your data source connector instance.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsAmazonQToGetSecret",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:{{secret_id}}"
      ]
    },
    {
      "Sid": "AllowsAmazonQToDecryptSecret",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:{{region}}:{{account_id}}:key/{{key_id}}"
      ],
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "secretsmanager.*.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "AllowsAmazonQToIngestDocuments",
      "Effect": "Allow",
      "Action": [
        "qbusiness:BatchPutDocument",
        "qbusiness:BatchDeleteDocument"
      ],
      "Resource": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}/index/{{index_id}}"
    },
    {
      "Sid": "AllowsAmazonQToCallPrincipalMappingAPIs",
      "Effect": "Allow",
      "Action": [
        "qbusiness:PutGroup",
        "qbusiness:CreateUser",
        "qbusiness:DeleteGroup",
        "qbusiness:UpdateUser",
        "qbusiness:ListGroups"
      ],
      "Resource": [
        "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}",
        "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}",
        "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}/data-source/*"
      ]
    }
  ]
}
```

**To allow Amazon Q to assume a role, you must also use the following trust policy:**

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsAmazonQServicePrincipal",
      "Effect": "Allow",
      "Principal": {
        "Service": "qbusiness.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "{{source_account}}"
        },
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"
        }
      }
    }
  ]
}
```

For more information on Amazon Q data source connector IAM roles, see [IAM roles for Amazon Q data source connectors](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/iam-roles.html#iam-roles-ds).
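The following added example (not AWS code and not part of the original page) audits a role's trust policy for the two conditions shown above, `aws:SourceAccount` and `aws:SourceArn`, and audits a permissions policy for grants broader than the ones on this page. The account ID, application ID, key ID, and finding names are constructed for illustration.

```python
QBUSINESS = "qbusiness.amazonaws.com"


def listify(value):
    """IAM accepts a single string or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def condition_values(statement, operators, key):
    """Collect values of a condition key; operator and key names are case-insensitive."""
    found = []
    for op, block in statement.get("Condition", {}).items():
        if op.lower() in operators:
            found += [v for k, vals in block.items() if k.lower() == key.lower()
                      for v in listify(vals)]
    return found


def audit_trust_policy(policy, account_id):
    """Check that the Amazon Q service grant is pinned to one account and application."""
    findings, matched = [], False
    for st in listify(policy.get("Statement")):
        principal = st.get("Principal")
        services = listify(principal.get("Service")) if isinstance(principal, dict) else []
        if st.get("Effect") != "Allow" or QBUSINESS not in services:
            continue
        matched = True
        if condition_values(st, {"stringequals"}, "aws:SourceAccount") != [account_id]:
            findings.append("source-account-not-pinned")
        arns = condition_values(st, {"arnequals", "arnlike"}, "aws:SourceArn")
        if not arns:
            findings.append("source-arn-missing")
        for arn in arns:
            parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
            pinned = (len(parts) == 6 and parts[2] == "qbusiness"
                      and parts[4] == account_id
                      and parts[5].startswith("application/")
                      and "*" not in parts[5])
            if not pinned:
                findings.append("source-arn-not-pinned-to-application")
    if not matched:
        findings.append("no-statement-for-qbusiness")
    return findings


def audit_permissions_policy(policy):
    """Flag Allow statements that are broader than the ones shown on this page."""
    findings = []
    for st in listify(policy.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "?")
        actions = [a.lower() for a in listify(st.get("Action"))]
        if any("*" in a for a in actions):
            findings.append(f"{sid}:wildcard-action")
        if "*" in listify(st.get("Resource")):
            findings.append(f"{sid}:resource-star")
        if "kms:decrypt" in actions and not condition_values(
                st, {"stringlike", "stringequals"}, "kms:ViaService"):
            findings.append(f"{sid}:kms-decrypt-without-viaservice")
    return findings


# Constructed values standing in for the page's {{placeholders}}.
ACCOUNT = "111122223333"
APP_ARN = f"arn:aws:qbusiness:us-west-2:{ACCOUNT}:application/EXAMPLE-APP-ID"
TRUST_FROM_PAGE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowsAmazonQServicePrincipal",
        "Effect": "Allow",
        "Principal": {"Service": QBUSINESS},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT},
                      "ArnEquals": {"aws:SourceArn": APP_ARN}},
    }],
}
TRUST_UNCONDITIONED = {  # constructed: same grant with the Condition block removed
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": QBUSINESS},
                   "Action": "sts:AssumeRole"}],
}
PERMISSIONS_BROAD = {  # constructed: wider than the policy on this page
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "GetSecret", "Effect": "Allow",
         "Action": "secretsmanager:*", "Resource": "*"},
        {"Sid": "Decrypt", "Effect": "Allow", "Action": ["kms:Decrypt"],
         "Resource": f"arn:aws:kms:us-west-2:{ACCOUNT}:key/EXAMPLE-KEY-ID"},
    ],
}

if __name__ == "__main__":
    print("trust (page):", audit_trust_policy(TRUST_FROM_PAGE, ACCOUNT))
    print("trust (bare):", audit_trust_policy(TRUST_UNCONDITIONED, ACCOUNT))
    print("permissions: ", audit_permissions_policy(PERMISSIONS_BROAD))
```

Run it against the policy documents you intend to attach before calling `CreateDataSource`; an empty list means the policy matches the scoping shown on this page.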

# How Amazon Q Business connector crawls Google Drive ACLs
<a name="googledrive-v2-acl-crawling"></a>

Connectors support crawling ACL and identity information where applicable based on the data source. If you index documents without ACLs, all documents are considered public. Indexing documents with ACLs ensures data security.

Amazon Q Business supports crawling ACLs for document security by default.

The Google Drive connector for Amazon Q Business crawls files with enhanced performance. It supports various file formats, including spreadsheets, presentations, images, audio/video files, and Google Docs™.

**Roles/permissions**: The Google Drive connector translates Google Drive permissions into ACLs that are compatible with Amazon Q Business. There are four primary roles with permissions:
+ Owner - Has full control.
+ Editor - Can modify content, update metadata, and add or remove comments.
+ Commenter - Can view content and add comments.
+ Viewer - Has read-only access.

**Permission Inheritance**: The Google Drive connector is designed to detect and handle hierarchical content organization across My Drive and Shared Drives with improved efficiency. By default, files and subfolders inherit permissions from parent folders. Permissions can be explicitly modified at either the file or folder level to override inherited settings. In this case, the ACLs are a union of the parent ACLs and child ACLs. 

**Identity Crawling**: Domain-wide access is supported using service account authentication. Google Drive supports nested groups, meaning that one group can be a member of another. The connector handles complex group structures by flattening group memberships and ensuring that permissions are applied correctly across all levels.

**Change Management**: ACL changes are automatically detected and processed during incremental synchronization.

**Failure handling**: The connector implements a fail-close approach, meaning that if there are permissions-related issues or API failures, a document is skipped from ingestion rather than being made publicly accessible.
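The following added example (an illustrative model, not the connector's code and not part of the original page) works through the rules above: grants are unioned down the folder chain, nested groups are flattened, and a file whose permissions cannot be resolved is skipped. The item and group data are constructed, and the `user:`/`group:` prefixes are an assumption of this model.

```python
READ_ROLES = {"owner", "editor", "commenter", "viewer"}  # all four roles can read


class AclUnavailable(Exception):
    """Permissions or group membership could not be read."""


def flatten_group(group, groups, seen=None):
    """Expand a group to its users, following nested groups and tolerating cycles."""
    seen = set() if seen is None else seen
    if group in seen:               # already being expanded: stop the cycle here
        return set()
    seen.add(group)
    if group not in groups:
        raise AclUnavailable(f"no membership data for {group}")
    users = set()
    for member in groups[group]:
        if member.startswith("group:"):
            users |= flatten_group(member, groups, seen)
        else:
            users.add(member)
    return users


def effective_readers(item_id, items, groups):
    """Union the grants on an item and every ancestor folder, then flatten groups."""
    principals, current, visited = set(), item_id, set()
    while current is not None:
        if current in visited or current not in items:
            raise AclUnavailable(f"broken parent chain at {current}")
        visited.add(current)
        grants = items[current]["grants"]
        if grants is None:          # the permission lookup for this item failed
            raise AclUnavailable(f"no permissions for {current}")
        principals |= {who for who, role in grants if role in READ_ROLES}
        current = items[current]["parent"]
    readers = set()
    for who in principals:
        readers |= flatten_group(who, groups) if who.startswith("group:") else {who}
    if not readers:                 # this model also treats an empty ACL as unresolved
        raise AclUnavailable(f"empty ACL for {item_id}")
    return readers


def plan_ingestion(items, groups):
    """Return (acl_by_file, skipped); a file whose ACL cannot be resolved is skipped."""
    acls, skipped = {}, []
    for item_id, item in items.items():
        if item["kind"] != "file":
            continue
        try:
            acls[item_id] = effective_readers(item_id, items, groups)
        except AclUnavailable:
            skipped.append(item_id)  # fail closed: never index the file as public
    return acls, skipped


# Constructed sample: one shared folder, three files, two groups that contain each other.
ITEMS = {
    "finance": {"kind": "folder", "parent": None,
                "grants": [("group:finance", "viewer")]},
    "budget": {"kind": "file", "parent": "finance",
               "grants": [("user:carol", "editor")]},
    "draft": {"kind": "file", "parent": "finance", "grants": None},
    "notes": {"kind": "file", "parent": None,
              "grants": [("group:contractors", "commenter")]},
}
GROUPS = {
    "group:finance": ["user:alice", "group:auditors"],
    "group:auditors": ["user:bob", "group:finance"],
}

if __name__ == "__main__":
    acls, skipped = plan_ingestion(ITEMS, GROUPS)
    print("indexed:", {name: sorted(users) for name, users in acls.items()})
    print("skipped:", skipped)
```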

# Connecting Amazon Q Business to Google Drive using the API
<a name="googledrive-v2-api"></a>

You use the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) action to connect a data source to your Amazon Q application. You can also use the [UpdateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_UpdateDataSource.html) action to modify an existing data source configuration.

Then, you use the `configuration` parameter to provide a JSON blob that conforms to the AWS-defined JSON schema.

For an example of the API request, see [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) and [UpdateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_UpdateDataSource.html) in the Amazon Q API Reference.

**Topics**
+ [Google Drive configuration properties](#google-configuration-keys)
+ [Google Drive JSON schema](#googledrive-v2-json)
+ [GoogleDrive JSON schema example](#googledrive-v2-json-example)
+ [GoogleDrive minimal configuration example](#googledrive-v2-json-minimal-example)

## Google Drive configuration properties
<a name="google-configuration-keys"></a>

The following provides information about important configuration properties required in the schema.


| Configuration | Description | Type | Required | 
| --- | --- | --- | --- | 
| type | The connector type. Must be GOOGLEDRIVEV3. | string | Yes | 
| connectionConfiguration | Configuration information for the data source connection. | `object` This property has the following sub-properties: `secretArn`, `authType`. | Yes | 
| secretArn | The Amazon Resource Name (ARN) of the AWS Secrets Manager secret that contains the Google Drive credentials. | string | Yes | 
| authType | The authentication type. The valid value is: SERVICE_ACCOUNT. | string | Yes | 
| dataEntityConfiguration | Configuration for which Google Drive entities to crawl. | `object` This property has the following sub-properties: `crawlMyDrive`, `crawlSharedWithMe`, `crawlSharedDrives`. | Yes | 
| crawlMyDrive | Whether to crawl the user's personal drive. Default is true. | boolean | No | 
| crawlSharedWithMe | Whether to crawl files shared with the user. Default is true. | boolean | No | 
| crawlSharedDrives | Whether to crawl shared drives. Default is true. | boolean | No | 
| accessControlConfiguration | Configuration for access control list (ACL) crawling. | `object` This property has the following sub-property: `crawlAcl`. | Yes | 
| crawlAcl | Whether to crawl access control lists for documents. | boolean | No | 
| filterConfiguration | Configuration for filtering which content to crawl. | `object` Contains various filtering options including shared drives, MIME types, and date ranges. | No | 
| maxFileSizeInMegaBytes | Maximum file size to crawl in megabytes. | string | No | 
| exclusionSharedDriveIds | Array of shared drive IDs to exclude from crawling. Maximum 1024 entries. | array | No | 
| inclusionSharedDriveIds | Array of shared drive IDs to include in crawling. Maximum 1024 entries. | array | No | 
| exclusionMimeTypes | Array of MIME types to exclude from crawling. Maximum 1024 entries. | array | No | 
| inclusionMimeTypes | Array of MIME types to include in crawling. Maximum 1024 entries. | array | No | 
| modifiedDateBefore | Only crawl files modified before this date. ISO 8601 format (e.g., 2024-12-31T23:59:59Z). | string | No | 
| modifiedDateAfter | Only crawl files modified after this date. ISO 8601 format (e.g., 2024-01-01T00:00:00Z). | string | No | 
| crawlIdentities | Whether to crawl user and group identities. Not supported in the new connector. | boolean | No | 
| deletionProtectionConfiguration | Configuration for deletion protection settings. | `object` This property has the following sub-properties: `enableDeletionProtection`, `deletionProtectionThreshold`. | No | 
| enableDeletionProtection | Whether to enable deletion protection. | boolean | No | 
| deletionProtectionThreshold | Threshold percentage for deletion protection. | string | No | 
| version | Version of the connector configuration. | string | No | 
| identityLoggingStatus | Status of identity logging. Valid values are ENABLED and DISABLED. | string | No | 

## Google Drive JSON schema
<a name="googledrive-v2-json"></a>

The following is the Google Drive New JSON schema:

```
{
  "type": "object",
  "properties": {
    "type": {
      "type": "string",
      "enum": ["GOOGLEDRIVEV3"]
    },
    "connectionConfiguration": {
      "type": "object",
      "properties": {
        "secretArn": {
          "type": "string",
          "minLength": 20,
          "maxLength": 2048
        },
        "authType": {
          "type": "string",
          "enum": ["SERVICE_ACCOUNT"]
        }
      },
      "required": ["secretArn", "authType"]
    },
    "dataEntityConfiguration": {
      "type": "object",
      "properties": {
        "crawlMyDrive": {
          "anyOf": [
            {
              "type": "boolean"
            },
            {
              "type": "string",
              "enum": ["true", "false"]
            }
          ]
        },
        "crawlSharedWithMe": {
          "anyOf": [
            {
              "type": "boolean"
            },
            {
              "type": "string",
              "enum": ["true", "false"]
            }
          ]
        },
        "crawlSharedDrives": {
          "anyOf": [
            {
              "type": "boolean"
            },
            {
              "type": "string",
              "enum": ["true", "false"]
            }
          ]
        }
      }
    },
    "filterConfiguration": {
      "type": "object",
      "properties": {
        "maxFileSizeInMegaBytes": {
          "type": "string"
        },
        "exclusionSharedDriveIds": {
          "type": "array",
          "maxItems": 1024,
          "items": {
            "type": "string"
          }
        },
        "inclusionSharedDriveIds": {
          "type": "array",
          "maxItems": 1024,
          "items": {
            "type": "string"
          }
        },
        "exclusionMimeTypes": {
          "type": "array",
          "maxItems": 1024,
          "items": {
            "type": "string"
          }
        },
        "inclusionMimeTypes": {
          "type": "array",
          "maxItems": 1024,
          "items": {
            "type": "string"
          }
        },
        "modifiedDateBefore": {
          "type": "string",
          "format": "date-time",
          "description": "ISO 8601 date-time format (e.g., 2024-12-31T23:59:59Z)"
        },
        "modifiedDateAfter": {
          "type": "string",
          "format": "date-time",
          "description": "ISO 8601 date-time format (e.g., 2024-01-01T00:00:00Z)"
        }
      }
    },
    "accessControlConfiguration": {
      "type": "object",
      "properties": {
        "crawlAcl": {
          "anyOf": [
            {
              "type": "boolean"
            },
            {
              "type": "string",
              "enum": ["true", "false"]
            }
          ]
        }
      }
    },
    "crawlIdentities": {
      "anyOf": [
        {
          "type": "boolean"
        },
        {
          "type": "string",
          "enum": ["true", "false"]
        }
      ]
    },
    "deletionProtectionConfiguration": {
      "type": "object",
      "properties": {
        "enableDeletionProtection": {
          "anyOf": [
            {
              "type": "boolean"
            },
            {
              "type": "string",
              "enum": ["true", "false"]
            }
          ]
        },
        "deletionProtectionThreshold": {
          "type": "string"
        }
      }
    },
    "version": {
      "type": "string"
    },
    "identityLoggingStatus": {
      "type": "string",
      "enum": ["ENABLED", "DISABLED"]
    }
  },
  "required": ["type", "connectionConfiguration", "dataEntityConfiguration", "accessControlConfiguration"]
}
```

## GoogleDrive JSON schema example
<a name="googledrive-v2-json-example"></a>

The following is the GoogleDrive New JSON schema example:

```
{
  "type": "GOOGLEDRIVEV3",
  "connectionConfiguration": {
    "secretArn": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-google-drive-secret",
    "authType": "SERVICE_ACCOUNT"
  },
  "dataEntityConfiguration": {
    "crawlMyDrive": true,
    "crawlSharedWithMe": true,
    "crawlSharedDrives": true
  },
  "filterConfiguration": {
    "maxFileSizeInMegaBytes": "50",
    "exclusionSharedDriveIds": ["SharedDrive1"],
    "inclusionSharedDriveIds": ["SharedDrive2"],
    "exclusionMimeTypes": ["application/vnd.google-apps.folder"],
    "inclusionMimeTypes": ["application/pdf", "application/vnd.google-apps.document"],
    "modifiedDateBefore": "2024-12-31T23:59:59Z",
    "modifiedDateAfter": "2024-01-01T00:00:00Z"
  },
  "accessControlConfiguration": {
    "crawlAcl": true
  },
  "crawlIdentities": true,
  "deletionProtectionConfiguration": {
    "enableDeletionProtection": false,
    "deletionProtectionThreshold": "10"
  },
  "version": "3.0.0",
  "identityLoggingStatus": "DISABLED"
}
```

## GoogleDrive minimal configuration example
<a name="googledrive-v2-json-minimal-example"></a>

The following is the minimum required configuration for GoogleDrive New:

```
{
  "type": "GOOGLEDRIVEV3",
  "connectionConfiguration": {
    "secretArn": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-google-drive-secret",
    "authType": "SERVICE_ACCOUNT"
  },
  "dataEntityConfiguration": {
    "crawlMyDrive": true,
    "crawlSharedWithMe": false,
    "crawlSharedDrives": false
  },
  "accessControlConfiguration": {
    "crawlAcl": false
  }
}
```
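The following added example (not AWS code and not part of the original page) lints a `configuration` document against the constraints stated on this page before it is sent to `CreateDataSource`, and flags `crawlAcl: false`, which the minimal example above uses and which causes all indexed documents to be treated as public. The finding names and the `BROKEN` sample are constructed for illustration.

```python
from datetime import datetime

REQUIRED = ("type", "connectionConfiguration", "dataEntityConfiguration",
            "accessControlConfiguration")
CRAWL_FLAGS = ("crawlMyDrive", "crawlSharedWithMe", "crawlSharedDrives")
LIST_FILTERS = ("exclusionSharedDriveIds", "inclusionSharedDriveIds",
                "exclusionMimeTypes", "inclusionMimeTypes")

def as_flag(value):
    """The schema accepts a boolean or the strings 'true'/'false'."""
    if isinstance(value, bool):
        return value
    return {"true": True, "false": False}.get(value) if isinstance(value, str) else None

def as_number(text):
    """Numeric settings are strings in this schema; return a float or None."""
    try:
        return float(text)
    except (TypeError, ValueError):
        return None

def as_datetime(text):
    """Parse a date-time that carries an offset, e.g. 2024-12-31T23:59:59Z."""
    try:
        parsed = datetime.fromisoformat(str(text).replace("Z", "+00:00"))
    except ValueError:
        return None
    return parsed if parsed.tzinfo else None

def lint_config(cfg):
    """Return finding codes for one connector configuration (a dict)."""
    out = [f"missing:{key}" for key in REQUIRED if key not in cfg]
    if cfg.get("type") != "GOOGLEDRIVEV3":
        out.append("bad-type")
    conn = cfg.get("connectionConfiguration", {})
    arn = conn.get("secretArn")
    if not (isinstance(arn, str) and 20 <= len(arn) <= 2048):
        out.append("bad-secret-arn")
    if conn.get("authType") != "SERVICE_ACCOUNT":
        out.append("bad-auth-type")
    entities = cfg.get("dataEntityConfiguration", {})
    out += [f"not-boolean:{k}" for k in CRAWL_FLAGS
            if k in entities and as_flag(entities[k]) is None]
    # With ACL crawling off, every indexed document is treated as public.
    acl = cfg.get("accessControlConfiguration", {}).get("crawlAcl")
    if acl is not None and as_flag(acl) is None:
        out.append("not-boolean:crawlAcl")
    elif as_flag(acl) is False:
        out.append("acl-disabled")
    flt = cfg.get("filterConfiguration", {})
    out += [f"too-many:{k}" for k in LIST_FILTERS if len(flt.get(k, [])) > 1024]
    size = flt.get("maxFileSizeInMegaBytes")
    if size is not None:
        mb = as_number(size)
        if mb is None or not 0 < mb <= 10240:   # console limit: >0 MB, <=10 GB
            out.append("bad-max-file-size")
    window = {}
    for key in ("modifiedDateAfter", "modifiedDateBefore"):
        if key in flt:
            window[key] = as_datetime(flt[key])
            if window[key] is None:
                out.append(f"bad-date:{key}")
    start, end = window.get("modifiedDateAfter"), window.get("modifiedDateBefore")
    if start and end and start >= end:          # nothing can match this range
        out.append("empty-date-window")
    threshold = cfg.get("deletionProtectionConfiguration", {}).get(
        "deletionProtectionThreshold")
    if threshold is not None:
        pct = as_number(threshold)
        if pct is None or not pct.is_integer() or not 0 <= pct <= 100:
            out.append("bad-deletion-threshold")
    if cfg.get("identityLoggingStatus") == "ENABLED":
        out.append("identity-logging-enabled")  # identities go to CloudWatch logs
    return out

# The page's minimal example (crawlAcl is false) and a constructed broken one.
SECRET = "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-google-drive-secret"
MINIMAL = {
    "type": "GOOGLEDRIVEV3",
    "connectionConfiguration": {"secretArn": SECRET, "authType": "SERVICE_ACCOUNT"},
    "dataEntityConfiguration": {"crawlMyDrive": True, "crawlSharedWithMe": False,
                                "crawlSharedDrives": False},
    "accessControlConfiguration": {"crawlAcl": False},
}
BROKEN = {
    "type": "GOOGLEDRIVE",
    "connectionConfiguration": {"secretArn": SECRET, "authType": "SERVICE_ACCOUNT"},
    "dataEntityConfiguration": {"crawlMyDrive": "yes"},
    "filterConfiguration": {"maxFileSizeInMegaBytes": "20480",
                            "modifiedDateAfter": "2025-01-01T00:00:00Z",
                            "modifiedDateBefore": "2024-01-01T00:00:00Z"},
}

if __name__ == "__main__":
    for name, cfg in (("minimal", MINIMAL), ("broken", BROKEN)):
        print(name, lint_config(cfg))
```

`identity-logging-enabled` is informational rather than an error: it marks configurations in which crawled identities are written to CloudWatch logs.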

# Connecting Amazon Q Business to Google Drive using AWS CloudFormation
<a name="googledrive-v2-cfn"></a>

You use the [AWS::QBusiness::DataSource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-qbusiness-datasource.html) resource to connect a data source to your Amazon Q application.

Use the [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-qbusiness-datasource.html#cfn-qbusiness-datasource-applicationid](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-qbusiness-datasource.html#cfn-qbusiness-datasource-applicationid) property to provide a JSON or YAML schema with the necessary configuration details specific to your data source connector.

To learn more about AWS CloudFormation, see [What is AWS CloudFormation?](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html) in the *CloudFormation User Guide*.

**Topics**
+ [Google Drive New CloudFormation template](#googledrive-v2-cfn-template)

## Google Drive New CloudFormation template
<a name="googledrive-v2-cfn-template"></a>

The following is the Google Drive New CloudFormation template. Copy and save this template to a file on your local drive.

For more information about CloudFormation templates, see [Working with CloudFormation templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-guide.html) in the *CloudFormation User Guide*.

```
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Template to connect Google Drive New to Amazon Q Business",
  "Parameters": {
    "ApplicationId": {
      "Type": "String",
      "Description": "Amazon Q Business Application ID"
    },
    "IndexId": {
      "Type": "String", 
      "Description": "Amazon Q Business Index ID"
    },
    "DataSourceName": {
      "Type": "String",
      "Description": "Name for the Google Drive data source"
    },
    "RoleArn": {
      "Type": "String",
      "Description": "IAM Role ARN for the data source"
    },
    "SecretArn": {
      "Type": "String",
      "Description": "AWS Secrets Manager ARN containing Google Drive credentials"
    }
  },
  "Resources": {
    "GoogleDriveV3DataSource": {
      "Type": "AWS::QBusiness::DataSource",
      "Properties": {
        "ApplicationId": {"Ref": "ApplicationId"},
        "IndexId": {"Ref": "IndexId"},
        "DisplayName": {"Ref": "DataSourceName"},
        "RoleArn": {"Ref": "RoleArn"},
        "Configuration": {
          "type": "GOOGLEDRIVEV3",
          "connectionConfiguration": {
            "secretArn": {"Ref": "SecretArn"},
            "authType": "SERVICE_ACCOUNT"
          },
          "dataEntityConfiguration": {
            "crawlMyDrive": true,
            "crawlSharedWithMe": true,
            "crawlSharedDrives": false
          },
          "accessControlConfiguration": {
            "crawlAcl": true
          },
          "filterConfiguration": {
            "maxFileSizeInMegaBytes": "50"
          },
          "crawlIdentities": false,
          "deletionProtectionConfiguration": {
            "enableDeletionProtection": true,
            "deletionProtectionThreshold": "15"
          }
        }
      }
    }
  }
}
```

# Connecting Google Drive to Amazon Q Business (Original)
<a name="googledrive-v1-connector-primary1"></a>

**Note**  
This documentation covers the original version of the Google Drive connector. For new implementations, we recommend using the New Google Drive connector, which offers significantly improved performance. The original connector remains available for customers who require specific features not yet supported in the new connector.

## Known limitations for the Amazon Q Business Google Drive connector
<a name="googledrive-v1-limitations-primary"></a>

The Amazon Q Google Drive connector has the following known limitations:
+ To make a document available to multiple users in Amazon Q Business, you need to explicitly add each user by their email address. Only documents with specific ACLs, including folder-level ACLs, will be available to your users for query responses within Amazon Q. The **Anyone with the link** feature is not supported.
+ Custom field mapping is not available for Google Drive connector as the Google Drive UI does not support creating custom fields.
+ Google Drive API does not support retrieving comments from a permanently deleted file. Comments are retrievable, however, for trashed files. When a file is trashed, the Amazon Q connector will delete comments from the Amazon Q index.
+ Google Drive API does not return comments present in a .docx file.

# Google Drive connector overview
<a name="googledrive-v1-overview-primary"></a>

The following table gives an overview of the Amazon Q Business Google Drive connector and its supported features.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/googledrive-v1-overview-primary.html)

# Prerequisites for connecting Amazon Q Business to Google Drive
<a name="google-prereqs"></a>

Before you begin, make sure that you have completed the following prerequisites.

**In Google Drive, make sure you have:**
+ **Either** been granted access by a super admin role **or** are a user with administrative privileges. You do not need a super admin role for yourself if you have been granted access by a super admin role.
+ Configured Google Drive Service Account connection credentials containing your admin account email, client email (service account email), and private key. See [Google Cloud documentation on creating and deleting service account keys](https://cloud.google.com/iam/docs/keys-create-delete).
+ Created a Google Cloud Service Account (an account with delegated authority to assume a user identity) with **Enable G Suite Domain-wide Delegation** activated for server-to-server authentication, and then generated a JSON private key using the account.
**Note**  
The private key should be generated after the creation of the service account.
+ Added Admin SDK API and Google Drive API in your user account.
+ **Optional:** Configured Google Drive OAuth 2.0 connection credentials containing client ID, client secret, and refresh token as connection credentials for a specific user. You need this to crawl individual account data. See [Google documentation on using OAuth 2.0 to access APIs](https://developers.google.com/identity/protocols/oauth2).
+ Added (or asked a user with a super admin role to add) the following OAuth scopes to your service account using a super admin role. These API scopes are needed to crawl all documents, and access control (ACL) information for all users in a Google Workspace domain:
  + https://www.googleapis.com/auth/drive.readonly—View and download all your Google Drive files
  + https://www.googleapis.com/auth/drive.metadata.readonly—View metadata for files in your Google Drive
  + https://www.googleapis.com/auth/admin.directory.group.readonly—Scope for only retrieving group, group alias, and member information. This is needed for the Amazon Q Identity Crawler.
  + https://www.googleapis.com/auth/admin.directory.user.readonly—Scope for only retrieving users or user aliases. This is needed for listing users in the Amazon Q Identity Crawler and for setting ACLs.
  + https://www.googleapis.com/auth/cloud-platform—Scope for generating access token for fetching content of large Google Drive files.
  + https://www.googleapis.com/auth/forms.body.readonly—Scope for fetching data from Google Forms.

  **To support the Forms API, add the following additional scope:**
  + https://www.googleapis.com/auth/forms.body.readonly

**In your AWS account, make sure you have:**
+ Created an Amazon Q Business application.
+ Created an [Amazon Q Business retriever and added an index](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/select-retriever.html).
+ Created an [IAM role](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/iam-roles.html#iam-roles-ds) for your data source and, if using the Amazon Q API, noted the ARN of the IAM role.
+ Stored your Google Drive authentication credentials in an AWS Secrets Manager secret and, if using the Amazon Q API, noted the ARN of the secret.
**Note**  
If you’re a console user, you can create the IAM role and Secrets Manager secret as part of configuring your Amazon Q application on the console.

For a list of things to consider while configuring your data source, see [Data source connector configuration best practices](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-best-practices.html).

# Connecting Amazon Q Business to Google Drive using the console
<a name="google-console"></a>

The following procedure outlines how to connect Amazon Q Business to Google Drive using the AWS Management Console.

**Connecting Amazon Q to Google Drive**

1. Sign in to the AWS Management Console and open the Amazon Q Business console.

1. From the left navigation menu, choose **Data sources**.

1. From the **Data sources** page, choose **Add data source**.

1. Then, on the **Add data sources** page, from **Data sources**, add the **Google Drive** data source to your Amazon Q application.

1. Then, on the **Google Drive** data source page, enter the following information:

1. In **Name and description**, do the following:
   + For **Data source name** – Name your data source for easy tracking.
**Note**  
You can include hyphens (-) but not spaces. Maximum of 1,000 alphanumeric characters.
   + **Description – *optional*** – Add an optional description for your data source. This text is viewed only by Amazon Q Business administrators and can be edited later.

1. **Authorization** – Amazon Q Business crawls ACL information by default to ensure responses are generated only from documents your end users have access to. If supported for your connector, you can manage ACLs by selecting **Enable ACLs** to enable ACLs or **Disable ACLs** to disable them. To manage ACLs, you need specific IAM permissions. See [Grant permission to create data sources with ACLs disabled](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/setting-up.html#DisableAclOnDataSource) for more details. See [Authorization](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-authorization) for more details.

1. For **Authentication** – Choose between **Google service account** and **OAuth 2.0 authentication**, based on your use case.

1. **AWS Secrets Manager secret** – Choose an existing secret or create a Secrets Manager secret to store your GoogleDrive authentication credentials. If you choose to create a secret, an AWS Secrets Manager secret window opens.

   1. If you choose **Existing**, select an existing secret for **Select secret**.

     If you choose **New**, enter the following information in the **New AWS Secrets Manager secret** section:

     1. **Secret name** – A name for your secret.

     1. If you chose **Google service account**, enter the following information:
        + **Secret Name** – A name for your secret.
        + **Admin account email** – The email ID of the admin user (the email used by the Service Account User) in your Google service account configuration.
        + **Client email** – The email ID of the service account.
        +  **Private Key** – The private key created in your service account.

        Then, choose **Save and add secret**.

     1. If you chose **OAuth 2.0 authentication**, enter the details of **Secret Name**, **Client ID**, **Client secret** and **Refresh token** that you created in your service account. Then, choose **Save and add secret**.

1. **Configure VPC and security group – *optional*** – Choose whether you want to use a VPC. If you do, enter the following information:

   1. **Subnets** – Select up to 6 repository subnets that define the subnets and IP ranges the repository instance uses in the selected VPC.

   1. **VPC security groups** – Choose up to 10 security groups that allow access to your data source. Ensure that the security group allows incoming traffic from Amazon EC2 instances and devices outside your VPC. For databases, security group instances are required. 

   For more information, see [VPC](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-vpc).

1. **IAM role** – Choose an existing IAM role or create an IAM role to access your repository credentials and index content.
**Note**  
Creating a new service IAM role is recommended.

   For more information, see [IAM role](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/google-connector.html#google-iam).

1. In **Sync scope**, for **Sync contents** – Choose from the following options to select content to index:
**Note**  
To further limit content to index, use **Entity regex patterns** in the **Additional configuration** section.
   + **My Drive & Shared with me** – **My Drive** contains a user's personal folders and documents. **Shared with me** contains all the folders and documents that have been shared with the user. Select this option to index both.
   + **Shared drives** – **Shared drives** are folders used to store, access, and share files with a team. Select this option to index these.
   + **Comments** – Select this option to index file comments.
**Note**  
If you add an inclusion pattern to include certain folder paths or files, you don't need to specify an exclude pattern to include the same folder paths or files. 

1. For **Maximum file size** – You can specify the file size limit in GB for Amazon Q crawling. Amazon Q crawls only files within the defined size limit. The default file size is 50 MB. The maximum file size limit is 10 GB. Files must be larger than 0 MB and no larger than 10 GB. You can go up to 10 GB (10240 MB) if you enable **Video files** in **Multi-media content** configuration, and up to 2 GB (2048 MB) if you enable **Audio files** in **Multi-media content configuration**.

1. In **Additional configuration - optional**, enter the following optional information:

   1. **User email** – Add the user email IDs whose drive files you want to include or exclude.

   1. **Shared drives** – The folders and files shared with a team. Add the shared drives that you want to include or exclude.

   1. **Mime types** – Add the MIME (Multipurpose Internet Mail Extensions) types that you want to include or exclude from your data sync.

   1. **Entity patterns** – Add regular expression patterns to include or exclude certain folders, files, and file types from **My drive**, **Shared with me**, and **Shared drives**. You can add up to 100 patterns.

       You can configure the Include/Exclude Regex patterns for File name, File type and File path. 
      + **File name** - The name of the file to include/exclude. For example, to index a file with name ’Team roaster.txt’, provide Team roaster.
      + **File type** - The type of the file to include/exclude. For example, .pdf .txt .docx
      + **File path** - The path of the file to include/exclude. For example, to index files only inside the folder ‘Products list’ of a drive, provide /Products list.

   1. **Multi-media content configuration – optional** – To enable content extraction from embedded images and visuals in documents, choose **Visual content in documents**. For more information, see [Extracting semantic meaning from embedded images and visuals](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/extracting-meaning-from-images.html).

      To extract audio transcriptions and video content, enable **Audio Files**. To extract video content, enable **Video files**. For more information, see [Extracting semantic meaning from audio and video Content](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/Audio-video-extraction.html). 

   1. **Advanced settings**

      **Document deletion safeguard – *optional*** – To safeguard your documents from deletion during a sync job, select **On** and enter an integer between 0 - 100. If the percentage of documents to be deleted in your sync job exceeds the percentage you selected, the delete phase will be skipped and no documents from this data source will be deleted from your index. For more information, see [Document deletion safeguard](connector-concepts.md#document-deletion-safeguard).

1. In **Sync mode**, choose how you want to update your index when your data source content changes. When you sync your data source with Amazon Q for the first time, all content is synced by default.
   + **Full sync** – Sync all content regardless of the previous sync status.
   + **New or modified content sync** – Sync only new and modified documents.
   + **New, modified, or deleted content sync** – Sync only new, modified, and deleted documents.

   For more details, see [Sync mode](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-sync-mode).

1. In **Sync run schedule**, for **Frequency** – Choose how often Amazon Q will sync with your data source. For more details, see [Sync run schedule](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-sync-run). To learn how to start a data sync job, see [Starting data source connector sync jobs](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/supported-datasource-actions.html#start-datasource-sync-jobs).

1. **Tags - *optional*** – Add tags to search and filter your resources or track your AWS costs. See [Tags](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/tagging.html) for more details.

1. **Field mappings** – A list of data source document attributes to map to your index fields.
**Note**  
Add or update the fields from the **Data source details** page after you finish adding your data source. You can choose from two types of fields: 

   1. **Default** – Automatically created by Amazon Q on your behalf based on common fields in your data source. You can't edit these.

   1. **Custom** – Automatically created by Amazon Q on your behalf based on common fields in your data source. You can edit these. You can also create and add new custom fields.
**Note**  
Support for adding custom fields varies by connector. You won't see the **Add field** option if your connector doesn't support adding custom fields.

   For more information, see [Field mappings](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-field-mappings).

1. In **Data source details**, choose **Sync now** to allow Amazon Q to begin syncing (crawling and ingesting) data from your data source. When the sync job finishes, your data source is ready to use.
**Note**  
View CloudWatch logs for your data source sync job by selecting **View CloudWatch logs**. If you encounter a `Resource not found exception` error, wait and try again as logs may not be available immediately.  
You can also view a detailed document-level report by selecting **View Report**. This report shows the status of each document during the crawl, sync, and index stages, including any errors. If the report is empty for an in-progress job, check back later as data is emitted to the report as events occur during the sync process.  
For more information, see [Troubleshooting data source connectors](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/troubleshooting-data-sources.html#troubleshooting-data-sources-not-indexed).

**Note**  
Documents shared to a specific company domain or with a permission set to **General access: Anyone with the link** must be accessed by at least one user before the documents become visible to users in search. 

# IAM role for Amazon Q Business Google Drive connector
<a name="googledrive-v1-iam-role"></a>

If you use the AWS CLI or an AWS SDK, you must create an AWS Identity and Access Management (IAM) policy before you create an Amazon Q resource. When you call the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) operation, you provide the Amazon Resource Name (ARN) of the role with the policy attached.

If you use the AWS Management Console, you can create a new IAM role in the Amazon Q console or use an existing IAM role.

To learn more about IAM roles, see [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) in the *AWS Identity and Access Management User Guide*.

To connect your data source connector to Amazon Q, you must give Amazon Q an IAM role that has the following permissions:
+ Permission to access the `BatchPutDocument` and `BatchDeleteDocument` operations to ingest documents.
+ Permission to access the [User Store](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-principal-store.html) API operations to ingest user and group access control information from documents.
+ Permission to access your AWS Secrets Manager secret to authenticate your data source connector instance.
+ **(Optional)** If you're using Amazon VPC, permission to access your Amazon VPC.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsAmazonQToGetSecret",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
      ]
    },
    {
      "Sid": "AllowsAmazonQToDecryptSecret",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
      ],
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "secretsmanager.*.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "AllowsAmazonQToIngestDocuments",
      "Effect": "Allow",
      "Action": [
        "qbusiness:BatchPutDocument",
        "qbusiness:BatchDeleteDocument"
      ],
      "Resource": [
        "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}",
        "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}/index/{{index_id}}"
      ]
    },
    {
      "Sid": "AllowsAmazonQToIngestPrincipalMapping",
      "Effect": "Allow",
      "Action": [
        "qbusiness:PutGroup",
        "qbusiness:CreateUser",
        "qbusiness:DeleteGroup",
        "qbusiness:UpdateUser",
        "qbusiness:ListGroups"
      ],
      "Resource": [
        "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}",
        "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}",
        "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}/data-source/*"
      ]
    },
    {
      "Sid": "AllowsAmazonQToCreateAndDeleteNI",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": [
        "arn:aws:ec2:{{region}}:{{account_id}}:subnet/[[subnet_ids]]",
        "arn:aws:ec2:{{region}}:{{account_id}}:security-group/[[security_group]]"
      ]
    },
    {
      "Sid": "AllowsAmazonQToCreateAndDeleteNIForSpecificTag",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/AMAZON_Q": "qbusiness_{{account_id}}_{{application_id}}_*"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "AMAZON_Q"
          ]
        }
      }
    },
    {
      "Sid": "AllowsAmazonQToCreateTags",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "CreateNetworkInterface"
        }
      }
    },
    {
      "Sid": "AllowsAmazonQToCreateNetworkInterfacePermission",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterfacePermission"
      ],
      "Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/AMAZON_Q": "qbusiness_{{account_id}}_{{application_id}}_*"
        }
      }
    },
    {
      "Sid": "AllowsAmazonQToDescribeResourcesForVPC",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeNetworkInterfaceAttribute",
        "ec2:DescribeVpcs",
        "ec2:DescribeRegions",
        "ec2:DescribeNetworkInterfacePermissions",
        "ec2:DescribeSubnets"
      ],
      "Resource": "*"
    }
  ]
}
```

**To allow Amazon Q to assume a role, you must also use the following trust policy:**

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsAmazonQServicePrincipal",
      "Effect": "Allow",
      "Principal": {
        "Service": "qbusiness.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "{{source_account}}"
        },
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"
        }
      }
    }
  ]
}
```

For more information on Amazon Q data source connector IAM roles, see [IAM roles for Amazon Q data source connectors](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/iam-roles.html#iam-roles-ds).
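
The `aws:SourceAccount` and `aws:SourceArn` conditions in the trust policy, together with the scoped resources and conditions in the permissions policy, are what keep this role usable only by your Amazon Q application, so they are worth checking before you pass the role ARN to `CreateDataSource`. The following Python sketch is an added example, not AWS code: it audits policy documents shaped like the two above, with constructed account, application, secret, and key identifiers standing in for the placeholders.

```python
import copy

QBUSINESS = "qbusiness.amazonaws.com"
# Constructed values standing in for {{region}}, {{account_id}}, {{application_id}}.
ACCOUNT = "111122223333"
SCOPE = f"us-west-2:{ACCOUNT}"
APP_ARN = f"arn:aws:qbusiness:{SCOPE}:application/app-example"
ENI = f"arn:aws:ec2:{SCOPE}:network-interface/*"

# Constructed sample: the trust policy above with its placeholders filled in.
TRUST = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowsAmazonQServicePrincipal", "Effect": "Allow",
    "Principal": {"Service": QBUSINESS}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT},
                  "ArnEquals": {"aws:SourceArn": APP_ARN}}}]}

# Constructed sample: four statements taken from the permissions policy above.
PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowsAmazonQToGetSecret", "Effect": "Allow",
     "Action": ["secretsmanager:GetSecretValue"],
     "Resource": [f"arn:aws:secretsmanager:{SCOPE}:secret:gdrive-example"]},
    {"Sid": "AllowsAmazonQToDecryptSecret", "Effect": "Allow",
     "Action": ["kms:Decrypt"],
     "Resource": [f"arn:aws:kms:{SCOPE}:key/key-example"],
     "Condition": {"StringLike": {
         "kms:ViaService": ["secretsmanager.*.amazonaws.com"]}}},
    {"Sid": "AllowsAmazonQToCreateTags", "Effect": "Allow",
     "Action": ["ec2:CreateTags"], "Resource": ENI,
     "Condition": {"StringEquals": {
         "ec2:CreateAction": "CreateNetworkInterface"}}},
    {"Sid": "AllowsAmazonQToDescribeResourcesForVPC", "Effect": "Allow",
     "Action": ["ec2:DescribeNetworkInterfaces", "ec2:DescribeSubnets"],
     "Resource": "*"}]}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement"))
            if s.get("Effect") == "Allow"]


def audit_trust_policy(policy, account_id, application_arn):
    """Check that only Amazon Q, acting for one application, can assume the role."""
    findings = []
    for stmt in _allow_statements(policy):
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if not (isinstance(principal, dict) and set(principal) == {"Service"}
                and _as_list(principal["Service"]) == [QBUSINESS]):
            findings.append(f"{sid}: principal is not limited to {QBUSINESS}")
        cond = stmt.get("Condition", {})
        pinned_account = cond.get("StringEquals", {}).get("aws:SourceAccount")
        if _as_list(pinned_account) != [account_id]:
            findings.append(f"{sid}: aws:SourceAccount is not pinned to the account")
        pinned_arn = cond.get("ArnEquals", {}).get("aws:SourceArn")
        if _as_list(pinned_arn) != [application_arn]:
            findings.append(f"{sid}: aws:SourceArn is not pinned to the application")
    return findings


def audit_permissions_policy(policy):
    """Flag grants broader than the policy above (exact-case string matching)."""
    findings = []
    for stmt in _allow_statements(policy):
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        cond = stmt.get("Condition", {})
        if "*" in resources and not all(a.startswith("ec2:Describe") for a in actions):
            findings.append(f"{sid}: actions other than ec2:Describe* on Resource '*'")
        if "secretsmanager:GetSecretValue" in actions and any(
                r.endswith(":secret:*") for r in resources):
            findings.append(f"{sid}: GetSecretValue is not scoped to one secret")
        if "kms:Decrypt" in actions and not any(
                "kms:ViaService" in keys for keys in cond.values()):
            findings.append(f"{sid}: kms:Decrypt lacks a kms:ViaService condition")
        if any(r.endswith(":network-interface/*") for r in resources) and not cond:
            findings.append(f"{sid}: network-interface/* granted without a condition")
    return findings


def drifted_copies():
    """Return (trust, permissions) copies with the protections stripped out."""
    trust, perms = copy.deepcopy(TRUST), copy.deepcopy(PERMISSIONS)
    del trust["Statement"][0]["Condition"]
    perms["Statement"][0]["Resource"] = [f"arn:aws:secretsmanager:{SCOPE}:secret:*"]
    del perms["Statement"][1]["Condition"]
    del perms["Statement"][2]["Condition"]
    return trust, perms


if __name__ == "__main__":
    weak_trust, weak_perms = drifted_copies()
    for line in (audit_trust_policy(weak_trust, ACCOUNT, APP_ARN)
                 + audit_permissions_policy(weak_perms)):
        print("FINDING", line)
```
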

# Understand error codes in the Amazon Q Business Google Drive connector
<a name="googledrive-v1-error-codes"></a>

The following table provides information about error codes you may see for the Google Drive connector and suggested resolutions.


| Error code | Error message | Suggested resolution | 
| --- | --- | --- | 
| GDL-5101 | The authentication credentials in your data source configuration are invalid. | Verify your Google service account credentials or OAuth 2.0 tokens and try again. | 
| GDL-5102 | The authentication type in your data source configuration is missing or invalid. | Enter valid authentication type (Google Service Account or OAuth 2.0) and try again. | 
| GDL-5103 | Access denied to Google Drive API. | Ensure your service account has proper domain-wide delegation and API access enabled. | 
| GDL-5104 | Rate limit exceeded for Google Drive API. | Wait and retry. Consider reducing sync frequency if the issue persists. | 
| GDL-5105 | Invalid folder or file ID specified in filters. | Verify the folder or file IDs in your inclusion/exclusion filters are correct. | 

# How Amazon Q Business connector crawls Google Drive ACLs
<a name="v1-c1-user-management"></a>

Connectors support crawling ACL and identity information where applicable based on the data source. If you index documents without ACLs, all documents are considered public. Indexing documents with ACLs ensures data security.

Amazon Q Business supports crawling ACLs for document security by default.

The Google Drive connector for Amazon Q Business crawls 2 primary content types: files and comments. It supports various file formats, including spreadsheets, presentations, images, audio/video files, and Google Docs™. Users can configure the connector to include or exclude comments.

**Roles/permissions**: The Google Drive connector translates Google Drive permissions into ACLs that are compatible with Amazon Q Business. There are four primary roles with permissions:
+ Owner - Has full control.
+ Editor - Can modify content, update metadata, and add or remove comments.
+ Commenter - Can view content and add comments.
+ Viewer - Has read-only access.

**Permission Inheritance**: The Google Drive connector is designed to detect and handle hierarchical content organization across My Drive and Shared Drives. By default, files and subfolders inherit permissions from parent folders. Comments inherit their permissions from the corresponding file. Permissions can be explicitly modified at either the file or folder level to override inherited settings. In this case, the ACLs are a union of the parent ACLs and child ACLs. 

**Identity Crawling**: Individual user synchronization is supported using email addresses, and domain-wide access is supported using service account authentication. Google Drive supports nested groups, meaning that one group can be a member of another. The connector handles complex group structures by flattening group memberships and ensuring that permissions are applied correctly across all levels.

**Change Management**: ACL changes are supported in both Full Crawl and Incremental/Change Log modes.

**Failure handling**: The connector implements a fail-close approach, meaning that if there are permissions-related issues or API failures, a document is skipped from ingestion rather than being made publicly accessible.

**Note**  
The Google **Anyone with the link** feature is not supported by Amazon Q Business. To make a document available, you need to explicitly add users by their email address. Only documents with specific ACLs will be available to your users for query responses within Amazon Q.

For more information, see:
+ [Authorization](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-authorization)
+ [Identity crawler](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-identity-crawler)
+ [Understanding User Store](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-principal-store.html)
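
The following Python model is an added illustration of the permission inheritance, nested-group flattening, and fail-close behavior described above; it is not the connector's implementation. The item tree, the group memberships, and the `user:`/`group:` principal notation are constructed, and skipping a document whose resolved ACL is empty is an assumption of this model.

```python
class AclUnavailable(Exception):
    """Permissions for an item, an ancestor, or a group could not be resolved."""


# Constructed sample data. "acl": None models a failed permissions lookup.
ITEMS = {
    "F1":   {"kind": "folder",  "parent": None,   "acl": ["group:eng@example.com"]},
    "doc1": {"kind": "file",    "parent": "F1",   "acl": ["user:alice@example.com"]},
    "c1":   {"kind": "comment", "parent": "doc1", "acl": []},
    "doc2": {"kind": "file",    "parent": "F1",   "acl": None},
    "doc3": {"kind": "file",    "parent": None,   "acl": []},
}
# Nested groups, including a cycle (eng -> platform -> eng).
MEMBERSHIPS = {
    "eng@example.com": ["user:bob@example.com", "group:platform@example.com"],
    "platform@example.com": ["user:carol@example.com", "group:eng@example.com"],
}


def flatten_group(group, memberships, seen=None):
    """Return every user reachable from a group, expanding nested groups once."""
    seen = set() if seen is None else seen
    if group in seen:          # already expanded: breaks membership cycles
        return set()
    seen.add(group)
    if group not in memberships:
        raise AclUnavailable(f"membership of {group} could not be read")
    users = set()
    for member in memberships[group]:
        kind, _, name = member.partition(":")
        if kind == "user":
            users.add(name)
        elif kind == "group":
            users |= flatten_group(name, memberships, seen)
        else:
            raise AclUnavailable(f"unsupported member {member!r}")
    return users


def effective_principals(item_id, items):
    """Union of the item's own ACL and the ACLs of every ancestor."""
    principals, current, visited = set(), item_id, set()
    while current is not None:
        if current in visited or current not in items:
            raise AclUnavailable(f"broken parent chain at {current}")
        visited.add(current)
        acl = items[current]["acl"]
        if acl is None:
            raise AclUnavailable(f"permissions of {current} could not be read")
        principals |= set(acl)
        current = items[current]["parent"]
    return principals


def plan_ingestion(items, memberships):
    """Return (indexed, skipped); anything unresolved is skipped, never public."""
    indexed, skipped = {}, {}
    for item_id, item in items.items():
        if item["kind"] == "folder":   # folders only contribute inherited ACLs
            continue
        try:
            users = set()
            for principal in effective_principals(item_id, items):
                kind, _, name = principal.partition(":")
                if kind == "user":
                    users.add(name)
                elif kind == "group":
                    users |= flatten_group(name, memberships)
                else:
                    raise AclUnavailable(f"unsupported principal {principal!r}")
            if not users:
                # Assumption of this model: an empty ACL is treated as a failure,
                # because a document indexed without ACLs is considered public.
                raise AclUnavailable("no explicit users resolved")
        except AclUnavailable as exc:
            skipped[item_id] = str(exc)
            continue
        indexed[item_id] = sorted(users)
    return indexed, skipped


if __name__ == "__main__":
    indexed, skipped = plan_ingestion(ITEMS, MEMBERSHIPS)
    for item_id, users in indexed.items():
        print("INDEX", item_id, users)
    for item_id, reason in skipped.items():
        print("SKIP ", item_id, reason)
```
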

# Google Drive data source connector field mappings
<a name="googledrive-v1-field-mappings"></a>

To improve retrieved results and customize the end user chat experience, Amazon Q Business enables you to map document attributes from your data sources to fields in your Amazon Q index.

The Amazon Q Google Drive connector supports the following entities and the associated reserved and custom attributes.

## Files
<a name="googledrive-v1-field-mappings-files"></a>


| Google Drive field name | Index field name | Description | Data type | 
| --- | --- | --- | --- | 
| authors | \_authors | Default | String list | 
| mimeType | gd\_file\_mime\_type | Custom | String | 
| size | gd\_size | Custom | Long (numeric) | 
| webViewLink | \_source\_uri | Default | String | 
| createdAt | \_created\_at | Default | Date | 
| modifiedAt | \_last\_updated\_at | Default | Date | 

## Comments
<a name="googledrive-v1-field-mappings-comments"></a>


| Google Drive field name | Index field name | Description | Data type | 
| --- | --- | --- | --- | 
| authors | \_authors | Default | String list | 
| commentType | gd\_type | Custom | String | 
| createdAt | \_created\_at | Default | Date | 
| modifiedAt | \_last\_updated\_at | Default | Date | 

# Connecting Amazon Q Business to GoogleDrive using APIs
<a name="googledrive-api"></a>

You use the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) action to connect a data source to your Amazon Q application. You can also use the [UpdateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_UpdateDataSource.html) action to modify an existing data source configuration.

Then, you use the `configuration` parameter to provide a JSON blob that conforms to the AWS-defined JSON schema.

For an example of the API request, see [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) and [UpdateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_UpdateDataSource.html) in the Amazon Q API Reference.

**Topics**
+ [Google Drive configuration properties](#google-configuration-keys)
+ [Google Drive JSON schema](#googledrive-json)
+ [GoogleDrive JSON schema example](#s3-api-json-example)

## Google Drive configuration properties
<a name="google-configuration-keys"></a>

The following provides information about important configuration properties required in the schema.


| Configuration | Description | Type | Required | 
| --- | --- | --- | --- | 
| connectionConfiguration | Configuration information for the data source. | `object` This property has the following sub-property: `repositoryEndpointMetadata`. | Yes | 
| repositoryEndpointMetadata | The endpoint information for the data source. This data source doesn't specify an endpoint. You choose your authentication type: serviceAccount or OAuth2. The connection information is included in an AWS Secrets Manager secret whose ARN you provide as the secretArn. | `object` This property has the following sub-property: `authType`. | Yes | 
| authType | Choose between serviceAccount and OAuth2, based on your use case. | `string` | Yes | 
| repositoryConfigurations | Configuration information for the content of the data source. For example, configuring specific types of content and field mappings. | `object` This property has the following sub-properties: `file` and `comment`. | Yes | 
|  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/googledrive-api.html)  | A list of objects that map the attributes or field names of your Google Drive to Amazon Q index field names.  | `object` `object` These properties have the following sub-properties. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/googledrive-api.html) | No | 
| `indexFieldName` | The field name of your Google Drive to Amazon Q index field names. | `string`  | Yes | 
| `indexFieldType` | The field type of your Google Drive to Amazon Q index field names. | `string` The allowed values are `STRING`, `STRING_LIST`, and `DATE`.  | Yes | 
| `dataSourceFieldName` | The data source field name of your Google Drive to Amazon Q index field names. | `string`  | Yes | 
| `dateFieldFormat` | The date format of your Google Drive to Amazon Q index field names. | `string` Specify the date format in the form `yyyy-MM-dd'T'HH:mm:ss'Z'`  | No | 
| additionalProperties | Additional configuration options for your content in your data source. | `object` This property has the following sub-properties. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/googledrive-api.html)  | Yes | 
| isCrawlAcl | Specify true to crawl access control information by default from documents.  Amazon Q Business crawls ACL information to ensure responses are generated only from documents your end users have access to. See [Authorization](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-authorization) for more details.  | `boolean` | No | 
| fieldForUserId | Specify field to use for UserId for ACL crawling. | `string` | No | 
| maxFileSizeInMegaBytes | Specify the maximum single file size limit in MB that Amazon Q will crawl. Amazon Q will crawl only the files within the size limit you define. The default file size is 50 MB. The maximum file size should be greater than 0 MB and less than or equal to 50 MB. You can use up to 10 GB (10240 MB) if you set videoExtractionStatus to ENABLED in mediaExtractionConfiguration.videoExtractionConfiguration when using the CreateDataSource or UpdateDataSource API. Otherwise, you can use up to 2 GB (2048 MB) if you set audioExtractionStatus to ENABLED in mediaExtractionConfiguration.audioExtractionConfiguration when using the CreateDataSource or UpdateDataSource API. | `string` | No | 
|  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/googledrive-api.html)  | true to index comments in your Google Drive data source. | `boolean` | No | 
|  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/googledrive-api.html)  | true to index MyDrive and Shared With Me Drives in your Google Drive data source. | `boolean` | No | 
|  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/googledrive-api.html)  | true to index Shared Drives in your Google Drive data source. | `boolean` | No | 
|  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/googledrive-api.html)  | A list of regular expression patterns to exclude specific files in your Google Drive data source. Files that match the patterns are excluded from the index. Files that don't match the patterns are included in the index. If a file matches both an exclusion and inclusion pattern, the exclusion pattern takes precedence, and the file isn't included in the index. | `array` | No | 
|  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/googledrive-api.html)  | A list of regular expression patterns to include specific files in your Google Drive data source. Files that match the patterns are included in the index. Files that don't match the patterns are excluded from the index. If a file matches both an inclusion and exclusion pattern, the exclusion pattern takes precedence, and the file isn't included in the index. | `array` | No | 
| type | The type of data source. We recommend GOOGLEDRIVEV2 as your data source type. | `string` Valid values are `GOOGLEDRIVEV2` and `GOOGLEDRIVE`. | No | 
| enableIdentityCrawler | true to activate identity crawler. Identity crawler is activated by default. Crawling identity information on users and groups with access to certain documents is useful for user context filtering. Search results are filtered based on the user or their group access to documents.  Amazon Q Business crawls identity information from your data source by default to ensure responses are generated only from documents end users have access to. For more information, see [Identity crawler](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-identity-crawler).  | `boolean` | Yes | 
| syncMode | Specify whether Amazon Q should update your index by syncing all documents or only new, modified, and deleted documents.  | `string` You can choose between the following options: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/googledrive-api.html) | Yes | 
| secretArn | The Amazon Resource Name (ARN) of an AWS Secrets Manager secret that contains the key-value pairs required to connect to your Google Drive. | `string`  The secret must contain a JSON structure with the following keys: If using Google Service Account authentication: <pre>{<br />    "clientEmail": "user account email",<br />    "adminAccountEmail": "service account email",<br />    "privateKey": "private key"<br />}</pre> If using OAuth 2.0 authentication: <pre>{<br />    "clientID": "OAuth client ID",<br />    "clientSecret": "client secret",<br />    "refreshToken": "refresh token"<br />}</pre> | Yes | 
| version | The version of this template that's currently supported. | `string` | No | 

## Google Drive JSON schema
<a name="googledrive-json"></a>

The following is the Google Drive JSON schema:

```
{
  "type": "object",
  "properties": {
    "type": {
      "type": "string",
      "enum": ["GOOGLEDRIVEV2", "GOOGLEDRIVE"]
    },
    "syncMode": {
      "type": "string",
      "enum": ["FORCED_FULL_CRAWL", "FULL_CRAWL", "CHANGE_LOG"]
    },
    "secretArn": {
      "type": "string",
      "minLength": 20,
      "maxLength": 2048
    },
    "enableIdentityCrawler": {
      "anyOf": [
        {
          "type": "boolean"
        },
        {
          "type": "string",
          "enum": ["true", "false"]
        }
      ]
    },
    "connectionConfiguration": {
      "type": "object",
      "properties": {
        "repositoryEndpointMetadata": {
          "type": "object",
          "properties": {
            "authType": {
              "type": "string",
              "enum": ["serviceAccount", "OAuth2"]
            }
          },
          "required": ["authType"]
        }
      },
      "required": ["repositoryEndpointMetadata"]
    },
    "repositoryConfigurations": {
      "type": "object",
      "properties": {
        "file": {
          "type": "object",
          "properties": {
            "fieldMappings": {
              "type": "array",
              "items": [
                {
                  "type": "object",
                  "properties": {
                    "indexFieldName": {
                      "type": "string"
                    },
                    "indexFieldType": {
                      "type": "string",
                      "enum": ["STRING", "DATE", "STRING_LIST", "LONG"]
                    },
                    "dataSourceFieldName": {
                      "type": "string"
                    },
                    "dateFieldFormat": {
                      "type": "string",
                      "pattern": "yyyy-MM-dd'T'HH:mm:ss'Z'"
                    }
                  },
                  "required": [
                    "indexFieldName",
                    "indexFieldType",
                    "dataSourceFieldName"
                  ]
                }
              ]
            }
          },
          "required": ["fieldMappings"]
        },
        "comment": {
          "type": "object",
          "properties": {
            "fieldMappings": {
              "type": "array",
              "items": [
                {
                  "type": "object",
                  "properties": {
                    "indexFieldName": {
                      "type": "string"
                    },
                    "indexFieldType": {
                      "type": "string",
                      "enum": ["STRING", "DATE", "STRING_LIST"]
                    },
                    "dataSourceFieldName": {
                      "type": "string"
                    },
                    "dateFieldFormat": {
                      "type": "string",
                      "pattern": "yyyy-MM-dd'T'HH:mm:ss'Z'"
                    }
                  },
                  "required": [
                    "indexFieldName",
                    "indexFieldType",
                    "dataSourceFieldName"
                  ]
                }
              ]
            }
          },
          "required": ["fieldMappings"]
        }
      }
    },
    "additionalProperties": {
      "type": "object",
      "properties": {
        "maxFileSizeInMegaBytes": {
          "type": "string"
        },
        "isCrawlComment": {
          "anyOf": [
            {
              "type": "boolean"
            },
            {
              "type": "string",
              "enum": ["true", "false"]
            }
          ]
        },
        "isCrawlMyDriveAndSharedWithMe": {
          "anyOf": [
            {
              "type": "boolean"
            },
            {
              "type": "string",
              "enum": ["true", "false"]
            }
          ]
        },
        "isCrawlSharedDrives": {
          "anyOf": [
            {
              "type": "boolean"
            },
            {
              "type": "string",
              "enum": ["true", "false"]
            }
          ]
        },
        "isCrawlAcl": {
          "anyOf": [
            {
              "type": "boolean"
            },
            {
              "type": "string",
              "enum": ["true", "false"]
            }
          ]
        },
        "fieldForUserId": {
          "type": "string"
        },
        "excludeUserAccounts": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "excludeSharedDrives": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "excludeMimeTypes": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "includeUserAccounts": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "includeSharedDrives": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "includeMimeTypes": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "includeTargetAudienceGroup": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "inclusionFileTypePatterns": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "inclusionFileNamePatterns": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "exclusionFileTypePatterns": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "exclusionFileNamePatterns": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "inclusionFilePathFilter": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "exclusionFilePathFilter": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "enableDeletionProtection": {
          "anyOf": [
            {
              "type": "boolean"
            },
            {
              "type": "string",
              "enum": ["true", "false"]
            }
          ],
          "default": false
        },
        "deletionProtectionThreshold": {
          "type": "string",
          "default": "15"
        }
      }
    },
    "version": {
      "type": "string",
      "anyOf": [
        {
          "pattern": "1.0.0"
        }
      ]
    }
  },
  "required": [
    "type",
    "syncMode",
    "secretArn",
    "connectionConfiguration",
    "repositoryConfigurations",
    "additionalProperties"
  ]
}
```

## GoogleDrive JSON schema example
<a name="s3-api-json-example"></a>

The following is the GoogleDrive JSON schema example:

```
{
  "type": "GOOGLEDRIVEV2",
  "syncMode": "FULL_CRAWL",
  "secretArn": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-google-drive-secret",
  "enableIdentityCrawler": "true",
  "connectionConfiguration": {
    "repositoryEndpointMetadata": {
      "authType": "OAuth2"
    }
  },
  "repositoryConfigurations": {
    "file": {
      "fieldMappings": [
        {
          "indexFieldName": "file_id",
          "indexFieldType": "STRING",
          "dataSourceFieldName": "id",
          "dateFieldFormat": "yyyy-MM-dd'T'HH:mm:ss'Z'"
        }
      ]
    },
    "comment": {
      "fieldMappings": [
        {
          "indexFieldName": "comment_id",
          "indexFieldType": "STRING",
          "dataSourceFieldName": "id",
          "dateFieldFormat": "yyyy-MM-dd'T'HH:mm:ss'Z'"
        }
      ]
    }
  },
  "additionalProperties": {
    "maxFileSizeInMegaBytes": "10240",
    "isCrawlComment": "true",
    "isCrawlMyDriveAndSharedWithMe": "true",
    "isCrawlSharedDrives": "false",
    "isCrawlAcl": "true",
    "fieldForUserId": "user@example.com",
    "excludeUserAccounts": ["user1@example.com", "user2@example.com"],
    "excludeSharedDrives": ["SharedDrive1"],
    "excludeMimeTypes": ["application/vnd.google-apps.folder"],
    "includeUserAccounts": ["user3@example.com"],
    "includeSharedDrives": ["SharedDrive2"],
    "includeMimeTypes": [
      "application/pdf",
      "application/vnd.google-apps.document"
    ],
    "includeTargetAudienceGroup": ["group1@example.com"],
    "inclusionFileTypePatterns": ["*.pdf"],
    "inclusionFileNamePatterns": ["*report*"],
    "exclusionFileTypePatterns": ["*.tmp"],
    "exclusionFileNamePatterns": ["*draft*"],
    "inclusionFilePathFilter": ["documents/"],
    "exclusionFilePathFilter": ["drafts/"],
    "enableDeletionProtection": "true",
    "deletionProtectionThreshold": "15"

  }
}
```
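A pre-deployment check for the configuration blob, added here as an example (it is not AWS code): it applies the required keys and enumerations from the schema above and the file-size limits from the properties table, and flags `isCrawlAcl` or `enableIdentityCrawler` being switched off. The function names, the `video_extraction` and `audio_extraction` parameters, the ARN pattern, the whole-number size rule and the second sample are assumptions made for this example.

```python
import re

# Required keys and enumerations copied from the JSON schema on this page.
REQUIRED = ("type", "syncMode", "secretArn", "connectionConfiguration",
            "repositoryConfigurations", "additionalProperties")
ENUMS = {"type": ("GOOGLEDRIVEV2", "GOOGLEDRIVE"),
         "syncMode": ("FORCED_FULL_CRAWL", "FULL_CRAWL", "CHANGE_LOG")}
AUTH_TYPES = ("serviceAccount", "OAuth2")
AUTH_PATH = "connectionConfiguration.repositoryEndpointMetadata.authType"
FIELD_TYPES = {"file": ("STRING", "DATE", "STRING_LIST", "LONG"),
               "comment": ("STRING", "DATE", "STRING_LIST")}
MAPPING_KEYS = ("indexFieldName", "indexFieldType", "dataSourceFieldName")
# Assumption: a generic Secrets Manager ARN shape, not a pattern published by AWS.
SECRET_ARN = re.compile(r"^arn:aws[a-z-]*:secretsmanager:[a-z0-9-]+:\d{12}:secret:\S+$")


def as_bool(value):
    """The schema accepts a boolean or the strings "true"/"false"; None means invalid."""
    if isinstance(value, str):
        return {"true": True, "false": False}.get(value)
    return value if isinstance(value, bool) else None


def obj(parent, key):
    """Return parent[key] when it is a JSON object, otherwise an empty dict."""
    return parent[key] if isinstance(parent.get(key), dict) else {}


def lint_config(cfg, video_extraction=False, audio_extraction=False):
    """Return (severity, path, message) findings for one configuration dict."""
    out = [("ERROR", key, "required property is missing") for key in REQUIRED if key not in cfg]
    for key, allowed in ENUMS.items():
        if key in cfg and cfg[key] not in allowed:
            out.append(("ERROR", key, f"must be one of {allowed}"))
    arn = cfg.get("secretArn")
    if arn is not None and not (isinstance(arn, str) and 20 <= len(arn) <= 2048):
        out.append(("ERROR", "secretArn", "must be a string of 20 to 2048 characters"))
    elif arn is not None and not SECRET_ARN.match(arn):
        out.append(("WARN", "secretArn", "does not look like a Secrets Manager ARN"))

    meta = obj(obj(cfg, "connectionConfiguration"), "repositoryEndpointMetadata")
    if meta.get("authType") not in AUTH_TYPES:
        out.append(("ERROR", AUTH_PATH, f"must be one of {AUTH_TYPES}"))

    for kind, allowed in FIELD_TYPES.items():
        mappings = obj(obj(cfg, "repositoryConfigurations"), kind).get("fieldMappings")
        for i, mapping in enumerate(mappings if isinstance(mappings, list) else []):
            path = f"repositoryConfigurations.{kind}.fieldMappings[{i}]"
            missing = [k for k in MAPPING_KEYS if not isinstance(mapping, dict) or k not in mapping]
            if missing:
                out.append(("ERROR", path, f"missing {missing}"))
            elif mapping["indexFieldType"] not in allowed:
                out.append(("ERROR", path, f"indexFieldType must be one of {allowed}"))

    extra = obj(cfg, "additionalProperties")
    # The page ties both crawls to answering only from documents a user can access.
    for path, holder, name in (("enableIdentityCrawler", cfg, "enableIdentityCrawler"),
                               ("additionalProperties.isCrawlAcl", extra, "isCrawlAcl")):
        if name in holder:
            flag = as_bool(holder[name])
            if flag is None:
                out.append(("ERROR", path, 'must be a boolean or "true"/"false"'))
            elif not flag:
                out.append(("WARN", path, "disabled: permission filtering is not ensured"))

    size = extra.get("maxFileSizeInMegaBytes")
    if size is not None:
        # Table limits: 50 MB, or 2048 with audio / 10240 with video extraction enabled.
        # Assumption: the string holds a whole number of megabytes.
        limit = 10240 if video_extraction else 2048 if audio_extraction else 50
        if not (isinstance(size, str) and size.isdecimal() and 0 < int(size) <= limit):
            out.append(("ERROR", "additionalProperties.maxFileSizeInMegaBytes",
                        f"must be a whole-number string from 1 to {limit}"))
    return out


# Constructed sample 1: the page's example configuration, trimmed to the checked keys.
PAGE_EXAMPLE = {
    "type": "GOOGLEDRIVEV2", "syncMode": "FULL_CRAWL", "enableIdentityCrawler": "true",
    "secretArn": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-google-drive-secret",
    "connectionConfiguration": {"repositoryEndpointMetadata": {"authType": "OAuth2"}},
    "repositoryConfigurations": {"file": {"fieldMappings": [
        {"indexFieldName": "file_id", "indexFieldType": "STRING", "dataSourceFieldName": "id"}]}},
    "additionalProperties": {"maxFileSizeInMegaBytes": "10240", "isCrawlAcl": "true"},
}
# Constructed sample 2: a weakened variant written for this example (values are made up).
WEAK = {
    **PAGE_EXAMPLE, "syncMode": "INCREMENTAL", "enableIdentityCrawler": False,
    "secretArn": "my-google-drive-secret-name",
    "repositoryConfigurations": {"comment": {"fieldMappings": [
        {"indexFieldName": "c_id", "indexFieldType": "LONG", "dataSourceFieldName": "id"}]}},
    "additionalProperties": {"maxFileSizeInMegaBytes": "50", "isCrawlAcl": "false"},
}

if __name__ == "__main__":
    for finding in lint_config(PAGE_EXAMPLE) + lint_config(WEAK):
        print(*finding)
```

The page's own example passes only with `video_extraction=True`, because its `maxFileSizeInMegaBytes` of `10240` is the limit the table allows when video extraction is enabled.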

# Connecting Amazon Q Business to Google Drive using AWS CloudFormation
<a name="google-cfn"></a>

You use the [AWS::QBusiness::DataSource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-qbusiness-datasource.html) resource to connect a data source to your Amazon Q application.

Use the [Configuration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-qbusiness-datasource.html#cfn-qbusiness-datasource-applicationid) property to provide a JSON or YAML schema with the necessary configuration details specific to your data source connector.

To learn more about AWS CloudFormation, see [What is AWS CloudFormation?](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html) in the *CloudFormation User Guide*.

**Topics**
+ [Google Drive configuration properties](#google-configuration-keys)
+ [Google Drive JSON schema for using the configuration property with AWS CloudFormation](#google-cfn-json)
+ [Google Drive YAML schema for using the configuration property with AWS CloudFormation](#google-cfn-yaml)

## Google Drive configuration properties
<a name="google-configuration-keys"></a>

The following provides information about important configuration properties required in the schema.


| Configuration | Description | Type | Required | 
| --- | --- | --- | --- | 
| connectionConfiguration | Configuration information for the data source. | `object` This property has the following sub-property: `repositoryEndpointMetadata`. | Yes | 
| repositoryEndpointMetadata | The endpoint information for the data source. This data source doesn't specify an endpoint. You choose your authentication type: serviceAccount or OAuth2. The connection information is included in the AWS Secrets Manager secret that you specify with `secretArn`. | `object` This property has the following sub-property: `authType`. | Yes | 
| authType | Choose between serviceAccount and OAuth2, based on your use case. | `string` | Yes | 
| repositoryConfigurations | Configuration information for the content of the data source. For example, configuring specific types of content and field mappings. | `object` This property has the following sub-properties: `file` and `comment`. | Yes | 
|  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/google-cfn.html)  | A list of objects that map the attributes or field names of your Google Drive to Amazon Q index field names.  | `object` `object` These properties have the following sub-properties. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/google-cfn.html) | No | 
| `indexFieldName` | The field name of your Google Drive to Amazon Q index field names. | `string`  | Yes | 
| `indexFieldType` | The field type of your Google Drive to Amazon Q index field names. | `string` The allowed values are `STRING`, `STRING_LIST`, and `DATE`.  | Yes | 
| `dataSourceFieldName` | The data source field name of your Google Drive to Amazon Q index field names. | `string`  | Yes | 
| `dateFieldFormat` | The date format of your Google Drive to Amazon Q index field names. | `string` Specify the date format in the form `yyyy-MM-dd'T'HH:mm:ss'Z'`  | No | 
| additionalProperties | Additional configuration options for your content in your data source. | `object` This property has the following sub-properties. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/google-cfn.html)  | Yes | 
| isCrawlAcl | Specify true to crawl access control information by default from documents.  Amazon Q Business crawls ACL information to ensure responses are generated only from documents your end users have access to. See [Authorization](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-authorization) for more details.  | `boolean` | No | 
| fieldForUserId | Specify field to use for UserId for ACL crawling. | `string` | No | 
| maxFileSizeInMegaBytes | Specify the maximum single file size limit in MB that Amazon Q will crawl. Amazon Q will crawl only the files within the size limit you define. The default file size is 50 MB. The maximum file size should be greater than 0 MB and less than or equal to 50 MB. You can use up to 10 GB (10240 MB) if you set videoExtractionStatus to ENABLED in mediaExtractionConfiguration.videoExtractionConfiguration when using the CreateDataSource or UpdateDataSource API. Otherwise, you can use up to 2 GB (2048 MB) if you set audioExtractionStatus to ENABLED in mediaExtractionConfiguration.audioExtractionConfiguration when using the CreateDataSource or UpdateDataSource API. | `string` | No | 
|  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/google-cfn.html)  | true to index comments in your Google Drive data source. | `boolean` | No | 
|  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/google-cfn.html)  | true to index MyDrive and Shared With Me Drives in your Google Drive data source. | `boolean` | No | 
|  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/google-cfn.html)  | true to index Shared Drives in your Google Drive data source. | `boolean` | No | 
|  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/google-cfn.html)  | A list of regular expression patterns to exclude specific files in your Google Drive data source. Files that match the patterns are excluded from the index. Files that don't match the patterns are included in the index. If a file matches both an exclusion and inclusion pattern, the exclusion pattern takes precedence, and the file isn't included in the index. | `array` | No | 
|  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/google-cfn.html)  | A list of regular expression patterns to include specific files in your Google Drive data source. Files that match the patterns are included in the index. Files that don't match the patterns are excluded from the index. If a file matches both an inclusion and exclusion pattern, the exclusion pattern takes precedence, and the file isn't included in the index. | `array` | No | 
| type | The type of data source. We recommend GOOGLEDRIVEV2 as your data source type. | `string` Valid values are `GOOGLEDRIVEV2` and `GOOGLEDRIVE`. | No | 
| enableIdentityCrawler | true to activate identity crawler. Identity crawler is activated by default. Crawling identity information on users and groups with access to certain documents is useful for user context filtering. Search results are filtered based on the user or their group access to documents.  Amazon Q Business crawls identity information from your data source by default to ensure responses are generated only from documents end users have access to. For more information, see [Identity crawler](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-identity-crawler).  | `boolean` | Yes | 
| syncMode | Specify whether Amazon Q should update your index by syncing all documents or only new, modified, and deleted documents.  | `string` You can choose between the following options: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/google-cfn.html) | Yes | 
| secretArn | The Amazon Resource Name (ARN) of an AWS Secrets Manager secret that contains the key-value pairs required to connect to your Google Drive. | `string`  The secret must contain a JSON structure with the following keys: If using Google Service Account authentication: <pre>{<br />    "clientEmail": "user account email",<br />    "adminAccountEmail": "service account email",<br />    "privateKey": "private key"<br />}</pre> If using OAuth 2.0 authentication: <pre>{<br />    "clientID": "OAuth client ID",<br />    "clientSecret": "client secret",<br />    "refreshToken": "refresh token"<br />}</pre> | Yes | 
| version | The version of this template that's currently supported. | `string` | No | 

## Google Drive JSON schema for using the configuration property with AWS CloudFormation
<a name="google-cfn-json"></a>

The following is the Google Drive JSON schema and examples for the configuration property for AWS CloudFormation.

**Topics**
+ [Google Drive JSON schema for using the configuration property with AWS CloudFormation](#google-cfn-json-schema)
+ [Google Drive JSON schema example for using the configuration property with AWS CloudFormation](#google-cfn-json-example)

### Google Drive JSON schema for using the configuration property with AWS CloudFormation
<a name="google-cfn-json-schema"></a>

The following is the Google Drive JSON schema for the configuration property for CloudFormation:

```
{
  "type": "object",
  "properties": {
    "type": {
      "type": "string",
      "enum": ["GOOGLEDRIVEV2", "GOOGLEDRIVE"]
    },
    "syncMode": {
      "type": "string",
      "enum": ["FORCED_FULL_CRAWL", "FULL_CRAWL", "CHANGE_LOG"]
    },
    "secretArn": {
      "type": "string",
      "minLength": 20,
      "maxLength": 2048
    },
    "enableIdentityCrawler": {
      "anyOf": [
        {
          "type": "boolean"
        },
        {
          "type": "string",
          "enum": ["true", "false"]
        }
      ]
    },
    "connectionConfiguration": {
      "type": "object",
      "properties": {
        "repositoryEndpointMetadata": {
          "type": "object",
          "properties": {
            "authType": {
              "type": "string",
              "enum": ["serviceAccount", "OAuth2"]
            }
          },
          "required": ["authType"]
        }
      },
      "required": ["repositoryEndpointMetadata"]
    },
    "repositoryConfigurations": {
      "type": "object",
      "properties": {
        "file": {
          "type": "object",
          "properties": {
            "fieldMappings": {
              "type": "array",
              "items": [
                {
                  "type": "object",
                  "properties": {
                    "indexFieldName": {
                      "type": "string"
                    },
                    "indexFieldType": {
                      "type": "string",
                      "enum": ["STRING", "DATE", "STRING_LIST", "LONG"]
                    },
                    "dataSourceFieldName": {
                      "type": "string"
                    },
                    "dateFieldFormat": {
                      "type": "string",
                      "pattern": "yyyy-MM-dd'T'HH:mm:ss'Z'"
                    }
                  },
                  "required": [
                    "indexFieldName",
                    "indexFieldType",
                    "dataSourceFieldName"
                  ]
                }
              ]
            }
          },
          "required": ["fieldMappings"]
        },
        "comment": {
          "type": "object",
          "properties": {
            "fieldMappings": {
              "type": "array",
              "items": [
                {
                  "type": "object",
                  "properties": {
                    "indexFieldName": {
                      "type": "string"
                    },
                    "indexFieldType": {
                      "type": "string",
                      "enum": ["STRING", "DATE", "STRING_LIST"]
                    },
                    "dataSourceFieldName": {
                      "type": "string"
                    },
                    "dateFieldFormat": {
                      "type": "string",
                      "pattern": "yyyy-MM-dd'T'HH:mm:ss'Z'"
                    }
                  },
                  "required": [
                    "indexFieldName",
                    "indexFieldType",
                    "dataSourceFieldName"
                  ]
                }
              ]
            }
          },
          "required": ["fieldMappings"]
        }
      }
    },
    "additionalProperties": {
      "type": "object",
      "properties": {
        "maxFileSizeInMegaBytes": {
          "type": "string"
        },
        "isCrawlComment": {
          "anyOf": [
            {
              "type": "boolean"
            },
            {
              "type": "string",
              "enum": ["true", "false"]
            }
          ]
        },
        "isCrawlMyDriveAndSharedWithMe": {
          "anyOf": [
            {
              "type": "boolean"
            },
            {
              "type": "string",
              "enum": ["true", "false"]
            }
          ]
        },
        "isCrawlSharedDrives": {
          "anyOf": [
            {
              "type": "boolean"
            },
            {
              "type": "string",
              "enum": ["true", "false"]
            }
          ]
        },
        "isCrawlAcl": {
          "anyOf": [
            {
              "type": "boolean"
            },
            {
              "type": "string",
              "enum": ["true", "false"]
            }
          ]
        },
        "fieldForUserId": {
          "type": "string"
        },
        "excludeUserAccounts": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "excludeSharedDrives": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "excludeMimeTypes": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "includeUserAccounts": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "includeSharedDrives": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "includeMimeTypes": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "includeTargetAudienceGroup": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "inclusionFileTypePatterns": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "inclusionFileNamePatterns": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "exclusionFileTypePatterns": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "exclusionFileNamePatterns": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "inclusionFilePathFilter": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "exclusionFilePathFilter": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "enableDeletionProtection": {
          "anyOf": [
            {
              "type": "boolean"
            },
            {
              "type": "string",
              "enum": ["true", "false"]
            }
          ],
          "default": false
        },
        "deletionProtectionThreshold": {
          "type": "string",
          "default": "15"
        }
      }
    },
    "version": {
      "type": "string",
      "anyOf": [
        {
          "pattern": "1.0.0"
        }
      ]
    }
  },
  "required": [
    "type",
    "syncMode",
    "secretArn",
    "connectionConfiguration",
    "repositoryConfigurations",
    "additionalProperties"
  ]
}
```

### Google Drive JSON schema example for using the configuration property with AWS CloudFormation
<a name="google-cfn-json-example"></a>

The following is the Google Drive JSON schema example for the configuration property for CloudFormation:

```
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "CloudFormation GOOGLEDRIVE Data Source Template",
  "Resources": {
    "DataSourceGoogleDrive": {
      "Type": "AWS::QBusiness::DataSource",
      "Properties": {
        "ApplicationId": "app12345-1234-1234-1234-123456789012",
        "IndexId": "indx1234-1234-1234-1234-123456789012",
        "DisplayName": "MyGoogleDriveDataSource",
        "RoleArn": "arn:aws:iam::123456789012:role/qbusiness-data-source-role",
        "Configuration": {
          "type": "GOOGLEDRIVEV2",
          "syncMode": "FULL_CRAWL",
          "secretArn": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-google-drive-secret",
          "enableIdentityCrawler": "true",
          "connectionConfiguration": {
            "repositoryEndpointMetadata": {
              "authType": "OAuth2"
            }
          },
          "repositoryConfigurations": {
            "file": {
              "fieldMappings": [
                {
                  "indexFieldName": "file_id",
                  "indexFieldType": "STRING",
                  "dataSourceFieldName": "id",
                  "dateFieldFormat": "yyyy-MM-dd'T'HH:mm:ss'Z'"
                }
              ]
            },
            "comment": {
              "fieldMappings": [
                {
                  "indexFieldName": "comment_id",
                  "indexFieldType": "STRING",
                  "dataSourceFieldName": "id",
                  "dateFieldFormat": "yyyy-MM-dd'T'HH:mm:ss'Z'"
                }
              ]
            }
          },
          "additionalProperties": {
            "maxFileSizeInMegaBytes": "50",
            "isCrawlComment": "true",
            "isCrawlMyDriveAndSharedWithMe": "true",
            "isCrawlSharedDrives": "false",
            "isCrawlAcl": "true",
            "fieldForUserId": "user@example.com",
            "excludeUserAccounts": ["user1@example.com", "user2@example.com"],
            "excludeSharedDrives": ["SharedDrive1"],
            "excludeMimeTypes": ["application/vnd.google-apps.folder"],
            "includeUserAccounts": ["user3@example.com"],
            "includeSharedDrives": ["SharedDrive2"],
            "includeMimeTypes": [
              "application/pdf",
              "application/vnd.google-apps.document"
            ],
            "includeTargetAudienceGroup": ["group1@example.com"],
            "inclusionFileTypePatterns": ["*.pdf"],
            "inclusionFileNamePatterns": ["*report*"],
            "exclusionFileTypePatterns": ["*.tmp"],
            "exclusionFileNamePatterns": ["*draft*"],
            "inclusionFilePathFilter": ["documents/"],
            "exclusionFilePathFilter": ["drafts/"],
            "enableDeletionProtection": "true",
            "deletionProtectionThreshold": "15"
          }
        }
      }
    }
  }
}
```

## Google Drive YAML schema for using the configuration property with AWS CloudFormation
<a name="google-cfn-yaml"></a>

The following are the Google Drive YAML schema and example for the configuration property for AWS CloudFormation:

**Topics**
+ [Google Drive YAML schema for using the configuration property with AWS CloudFormation](#google-cfn-yaml-schema)
+ [Google Drive YAML schema example for using the configuration property with AWS CloudFormation](#google-cfn-yaml-example)

### Google Drive YAML schema for using the configuration property with AWS CloudFormation
<a name="google-cfn-yaml-schema"></a>

The following is the Google Drive YAML schema for the configuration property for CloudFormation.

```
type: object
properties:
  type:
    type: string
    enum:
      - GOOGLEDRIVEV2
      - GOOGLEDRIVE
  syncMode:
    type: string
    enum:
      - FORCED_FULL_CRAWL
      - FULL_CRAWL
      - CHANGE_LOG
  secretArn:
    type: string
    minLength: 20
    maxLength: 2048
  enableIdentityCrawler:
    anyOf:
      - type: boolean
      - type: string
        enum:
          - "true"
          - "false"
  connectionConfiguration:
    type: object
    properties:
      repositoryEndpointMetadata:
        type: object
        properties:
          authType:
            type: string
            enum:
              - serviceAccount
              - OAuth2
        required:
          - authType
    required:
      - repositoryEndpointMetadata
  repositoryConfigurations:
    type: object
    properties:
      file:
        type: object
        properties:
          fieldMappings:
            type: array
            items:
              type: object
              properties:
                indexFieldName:
                  type: string
                indexFieldType:
                  type: string
                  enum:
                    - STRING
                    - DATE
                    - STRING_LIST
                    - LONG
                dataSourceFieldName:
                  type: string
                dateFieldFormat:
                  type: string
                  pattern: "yyyy-MM-dd'T'HH:mm:ss'Z'"
              required:
                - indexFieldName
                - indexFieldType
                - dataSourceFieldName
        required:
          - fieldMappings
      comment:
        type: object
        properties:
          fieldMappings:
            type: array
            items:
              type: object
              properties:
                indexFieldName:
                  type: string
                indexFieldType:
                  type: string
                  enum:
                    - STRING
                    - DATE
                    - STRING_LIST
                dataSourceFieldName:
                  type: string
                dateFieldFormat:
                  type: string
                  pattern: "yyyy-MM-dd'T'HH:mm:ss'Z'"
              required:
                - indexFieldName
                - indexFieldType
                - dataSourceFieldName
        required:
          - fieldMappings
  additionalProperties:
    type: object
    properties:
      maxFileSizeInMegaBytes:
        type: string
      isCrawlComment:
        anyOf:
          - type: boolean
          - type: string
            enum:
              - "true"
              - "false"
      isCrawlMyDriveAndSharedWithMe:
        anyOf:
          - type: boolean
          - type: string
            enum:
              - "true"
              - "false"
      isCrawlSharedDrives:
        anyOf:
          - type: boolean
          - type: string
            enum:
              - "true"
              - "false"
      isCrawlAcl:
        anyOf:
          - type: boolean
          - type: string
            enum:
              - "true"
              - "false"
      fieldForUserId:
        type: string
      excludeUserAccounts:
        type: array
        items:
          type: string
      excludeSharedDrives:
        type: array
        items:
          type: string
      excludeMimeTypes:
        type: array
        items:
          type: string
      includeUserAccounts:
        type: array
        items:
          type: string
      includeSharedDrives:
        type: array
        items:
          type: string
      includeMimeTypes:
        type: array
        items:
          type: string
      includeTargetAudienceGroup:
        type: array
        items:
          type: string
      inclusionFileTypePatterns:
        type: array
        items:
          type: string
      inclusionFileNamePatterns:
        type: array
        items:
          type: string
      exclusionFileTypePatterns:
        type: array
        items:
          type: string
      exclusionFileNamePatterns:
        type: array
        items:
          type: string
      inclusionFilePathFilter:
        type: array
        items:
          type: string
      exclusionFilePathFilter:
        type: array
        items:
          type: string
      enableDeletionProtection:
        anyOf:
          - type: boolean
          - type: string
            enum:
              - "true"
              - "false"
        default: false
      deletionProtectionThreshold:
        type: string
        default: "15"
  version:
    type: string
    anyOf:
      - pattern: 1.0.0
required:
  - type
  - syncMode
  - secretArn
  - connectionConfiguration
  - repositoryConfigurations
  - additionalProperties
```

### Google Drive YAML schema example for using the configuration property with AWS CloudFormation
<a name="google-cfn-yaml-example"></a>

The following is the Google Drive YAML example for the Configuration property for CloudFormation:

```
AWSTemplateFormatVersion: "2010-09-09"
Description: CloudFormation GOOGLEDRIVE Data Source Template
Resources:
  DataSourceGoogleDrive:
    Type: AWS::QBusiness::DataSource
    Properties:
      ApplicationId: app12345-1234-1234-1234-123456789012
      IndexId: indx1234-1234-1234-1234-123456789012
      DisplayName: MyGoogleDriveDataSource
      RoleArn: arn:aws:iam::123456789012:role/qbusiness-data-source-role
      Configuration:
        type: GOOGLEDRIVEV2
        syncMode: FULL_CRAWL
        secretArn: arn:aws:secretsmanager:us-west-2:123456789012:secret:my-google-drive-secret
        enableIdentityCrawler: "true"
        connectionConfiguration:
          repositoryEndpointMetadata:
            authType: OAuth2
        repositoryConfigurations:
          file:
            fieldMappings:
              - indexFieldName: file_id
                indexFieldType: STRING
                dataSourceFieldName: id
                dateFieldFormat: yyyy-MM-dd'T'HH:mm:ss'Z'
          comment:
            fieldMappings:
              - indexFieldName: comment_id
                indexFieldType: STRING
                dataSourceFieldName: id
                dateFieldFormat: yyyy-MM-dd'T'HH:mm:ss'Z'
        additionalProperties:
          maxFileSizeInMegaBytes: "50"
          isCrawlComment: "true"
          isCrawlMyDriveAndSharedWithMe: "true"
          isCrawlSharedDrives: "false"
          isCrawlAcl: "true"
          fieldForUserId: user@example.com
          excludeUserAccounts:
            - user1@example.com
            - user2@example.com
          excludeSharedDrives:
            - SharedDrive1
          excludeMimeTypes:
            - application/vnd.google-apps.folder
          includeUserAccounts:
            - user3@example.com
          includeSharedDrives:
            - SharedDrive2
          includeMimeTypes:
            - application/pdf
            - application/vnd.google-apps.document
          includeTargetAudienceGroup:
            - group1@example.com
          inclusionFileTypePatterns:
            - "*.pdf"
          inclusionFileNamePatterns:
            - "*report*"
          exclusionFileTypePatterns:
            - "*.tmp"
          exclusionFileNamePatterns:
            - "*draft*"
          inclusionFilePathFilter:
            - documents/
          exclusionFilePathFilter:
            - drafts/
          enableDeletionProtection: "true"
          deletionProtectionThreshold: "15"
```
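A pre-deployment check of a parsed `Configuration` block against the required keys, enums, and string-typed fields in the schema above. This is an added example, not AWS code; `lint_configuration` and the sample input are constructed for illustration.

```python
# Added example: lint a parsed Configuration block against constraints taken
# from the schema on this page. All names here are hypothetical.
REQUIRED = ["type", "syncMode", "secretArn", "connectionConfiguration",
            "repositoryConfigurations", "additionalProperties"]
ENUMS = {"type": {"GOOGLEDRIVEV2", "GOOGLEDRIVE"},
         "syncMode": {"FORCED_FULL_CRAWL", "FULL_CRAWL", "CHANGE_LOG"}}
AUTH_TYPES = {"serviceAccount", "OAuth2"}
# Schema: anyOf boolean, or the strings "true"/"false".
BOOL_LIKE = ["isCrawlComment", "isCrawlMyDriveAndSharedWithMe",
             "isCrawlSharedDrives", "isCrawlAcl", "enableDeletionProtection"]
# Schema: type string, although the values look numeric.
STRING_ONLY = ["maxFileSizeInMegaBytes", "deletionProtectionThreshold"]

def _bool_like(value):
    return isinstance(value, bool) or value in ("true", "false")

def lint_configuration(cfg):
    """Return a list of findings; an empty list means nothing was flagged."""
    out = [f"missing required key: {k}" for k in REQUIRED if k not in cfg]
    for key, allowed in ENUMS.items():
        if key in cfg and cfg[key] not in allowed:
            out.append(f"{key}: {cfg[key]!r} not in {sorted(allowed)}")
    arn = cfg.get("secretArn")
    if arn is not None and not (isinstance(arn, str) and 20 <= len(arn) <= 2048):
        out.append("secretArn: must be a string of 20 to 2048 characters")
    if not _bool_like(cfg.get("enableIdentityCrawler", True)):
        out.append("enableIdentityCrawler: not boolean or 'true'/'false'")
    conn = cfg.get("connectionConfiguration", {})
    auth = conn.get("repositoryEndpointMetadata", {}).get("authType")
    if "connectionConfiguration" in cfg and auth not in AUTH_TYPES:
        out.append(f"authType: {auth!r} not in {sorted(AUTH_TYPES)}")
    extra = cfg.get("additionalProperties", {})
    for key in BOOL_LIKE:
        if key in extra and not _bool_like(extra[key]):
            out.append(f"{key}: not boolean or 'true'/'false'")
    for key in STRING_ONLY:
        if key in extra and not isinstance(extra[key], str):
            out.append(f"{key}: expected quoted string, got {type(extra[key]).__name__}")
    return out

# Constructed sample, as a YAML loader would return it: unquoted 50 became an
# int, "yes" is not an accepted boolean string, and syncMode is not in the enum.
SAMPLE = {
    "type": "GOOGLEDRIVEV2", "syncMode": "INCREMENTAL",
    "secretArn": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-google-drive-secret",
    "connectionConfiguration": {"repositoryEndpointMetadata": {"authType": "OAuth2"}},
    "repositoryConfigurations": {"file": {"fieldMappings": []}},
    "additionalProperties": {"maxFileSizeInMegaBytes": 50, "isCrawlAcl": "yes"},
}
```

Calling `lint_configuration(SAMPLE)` returns three findings, one each for `syncMode`, `isCrawlAcl`, and `maxFileSizeInMegaBytes`.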