

# Connecting Asana to Amazon Q Business (Preview)
<a name="Asana-connector"></a>

**Note**  
The Asana connector is in preview release and is subject to change.

Asana is a tool for organizing and assigning tasks among users. You can connect an Asana instance to Amazon Q Business, using either the AWS Management Console or the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) API, and create an Amazon Q web experience.

**Topics**
+ [Known limitations for the Amazon Q Business Asana connector (Preview)](Asana-limitations.md)
+ [Asana connector overview (Preview)](Asana-overview.md)
+ [Prerequisites for connecting Amazon Q Business to Asana (Preview)](Asana-prereqs.md)
+ [Connecting Amazon Q Business to Asana using the console (Preview)](Asana-console.md)
+ [Connecting Amazon Q Business to Asana using APIs (Preview)](Asana-api.md)
+ [Amazon Q Business Asana data source connector field mappings (Preview)](Asana-field-mappings.md)
+ [IAM role for Amazon Q Business Asana connector (Preview)](Asana-iam-role.md)
+ [Understand error codes in the Amazon Q Business Asana connector (Preview)](Asana-error-codes.md)

**Learn more**
+ For an overview of the Amazon Q web experience creation process using IAM Identity Center, see [Configuring an application using IAM Identity Center](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/create-application.html).
+ For an overview of the Amazon Q web experience creation process using AWS Identity and Access Management, see [Configuring an application using IAM](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/create-application-iam.html).
+ For an overview of connector features, see [Data source connector concepts](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html).
+ For information about connector configuration best practices, see [Connector configuration best practices](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-best-practices.html).

# Known limitations for the Amazon Q Business Asana connector (Preview)
<a name="Asana-limitations"></a>

The Asana connector has the following known limitations:
+ The Asana connector supports crawling only public projects.

# Asana connector overview (Preview)
<a name="Asana-overview"></a>

The following table gives an overview of the Amazon Q Business Asana connector and its supported features.



| Category | Feature | Support |
| --- | --- | --- |
| Security | Authentication type | Service Account and PAT |
|  | Authentication credentials | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/Asana-overview.html) |
|  | [Access Control List (ACL)](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-authorization) crawling | No. For preview, this connector only scans public Asana projects. For more information, see [ACL crawling](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/zendesk-user-management.html). |
|  | [Identity crawling](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-identity-crawler) | No |
|  | [VPC](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-vpc) | Yes |
| Crawl features | Custom metadata | No |
|  | Entities | Yes. The following entities are supported: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/Asana-overview.html) Each instance of an entity is crawled as a single document. |
|  | [Field mappings](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-field-mappings) | Yes. For more information, see [Field mappings](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/zendesk-field-mappings.html). |
|  | Filters | Yes. The following filters are supported: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/Asana-overview.html) |
|  | [Sync mode](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-sync-mode) | Supports full and incremental sync. |
|  | [Crawled as a document](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/doc-types.html#connector-doc-crawl) | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/Asana-overview.html) |

# Prerequisites for connecting Amazon Q Business to Asana (Preview)
<a name="Asana-prereqs"></a>

Before you begin, make sure that you have completed the following prerequisites.

**In Asana, make sure you have:**
+ Generated an access token.

**In your AWS account, make sure you have:**
+ Created an Amazon Q Business application.
+ Created an [Amazon Q Business retriever and added an index](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/select-retriever.html).
+ Created an [IAM role](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/iam-roles.html#iam-roles-ds) for your data source and, if using the Amazon Q API, noted the ARN of the IAM role.
+ Stored your Asana authentication credentials in an AWS Secrets Manager secret and, if using the Amazon Q API, noted the ARN of the secret.
**Note**  
If you’re a console user, you can create the IAM role and Secrets Manager secret as part of configuring your Amazon Q application on the console.

For a list of things to consider while configuring your data source, see [Data source connector configuration best practices](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-best-practices.html).

# Connecting Amazon Q Business to Asana using the console (Preview)
<a name="Asana-console"></a>

The following procedure outlines how to connect Amazon Q Business to Asana using the AWS Management Console.

**Connecting Amazon Q to Asana**

1. Sign in to the AWS Management Console and open the Amazon Q Business console.

1. From the left navigation menu, choose **Data sources**.

1. From the **Data sources** page, choose **Add data source**.

1. Then, on the **Add data sources** page, from **Data sources**, add the **asana** data source to your Amazon Q application.

1. Then, on the **Asana** data source page, enter the following information:

1. In **Name and description**, do the following:
   + For **Data source name** – Name your data source for easy tracking.
**Note**  
You can include hyphens (-) but not spaces. Maximum of 1,000 alphanumeric characters.
   + **Description – *optional*** – Add an optional description for your data source. This text is viewed only by Amazon Q Business administrators and can be edited later.

1. In **Sync scope, Workspace ID** – Enter your workspace ID.

1. **Authorization** – Amazon Q Business crawls ACL information by default to ensure responses are generated only from documents your end users have access to. If supported for your connector, you can manage ACLs by selecting **Enable ACLs** to enable ACLs or **Disable ACLs** to disable them. To manage ACLs, you need specific IAM permissions. See [Grant permission to create data sources with ACLs disabled](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/setting-up.html#DisableAclOnDataSource) for more details. See [Authorization](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-authorization) for more details.

1. **Authentication** – Enter your service account token or personal access token.

1. **Configure VPC and security group – *optional*** – Choose whether you want to use a VPC. If you do, enter the following information:

   1. **Subnets** – Select up to 6 repository subnets that define the subnets and IP ranges the repository instance uses in the selected VPC.

   1. **VPC security groups** – Choose up to 10 security groups that allow access to your data source. Ensure that the security group allows incoming traffic from Amazon EC2 instances and devices outside your VPC. For databases, security group instances are required. 

   For more information, see [VPC](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-vpc).

1. **Identity crawler** – Amazon Q crawls identity information from your data source by default to ensure responses are generated only from documents end users have access to. For more information, see [Identity crawler](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-identity-crawler).

1. **IAM role** – Choose an existing IAM role or create an IAM role to access your repository credentials and index content.
**Note**  
Creating a new service IAM role is recommended.

   For more information, see [IAM role](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/Asana-connector.html#Asana-iam).

1. **Sync scope** – Configure the following settings:
   + **Select workspace** – Select content to sync using a specific Workspace ID.
   + **Select Project** – Select content to sync using All or Specific Project IDs.
   + **All comments** – Select to include all comments.

1. **Additional configuration – *optional*** – Configure the following settings:
   + **Project regex patterns** – Choose to include or exclude specific project names using regex patterns.
   + **Document deletion safeguard – *optional*** – To safeguard your documents from deletion during a sync job, select On and enter an integer between 0 and 100. If the percentage of documents to be deleted in your sync job exceeds the percentage you selected, the delete phase will be skipped and no documents from this data source will be deleted from your index. For more information, see Document deletion safeguard.

1. In **Sync run schedule**, for **Frequency** – Choose how often Amazon Q will sync with your data source. For more details, see [Sync run schedule](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-sync-run). To learn how to start a data sync job, see [Starting data source connector sync jobs](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/supported-datasource-actions.html#start-datasource-sync-jobs).

1. **Tags - *optional*** – Add tags to search and filter your resources or track your AWS costs. See [Tags](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/tagging.html) for more details.

1. **Field mappings** – A list of data source document attributes to map to your index fields.
**Note**  
Add or update the fields from the **Data source details** page after you finish adding your data source. You can choose from two types of fields: 

   1. **Default** – Automatically created by Amazon Q on your behalf based on common fields in your data source. You can't edit these.

   1. **Custom** – Automatically created by Amazon Q on your behalf based on common fields in your data source. You can edit these. You can also create and add new custom fields.
**Note**  
Support for adding custom fields varies by connector. You won't see the **Add field** option if your connector doesn't support adding custom fields.

   For more information, see [Field mappings](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-field-mappings).

1. In **Data source details**, choose **Sync now** to allow Amazon Q to begin syncing (crawling and ingesting) data from your data source. When the sync job finishes, your data source is ready to use.
**Note**  
View CloudWatch logs for your data source sync job by selecting **View CloudWatch logs**. If you encounter a `Resource not found exception` error, wait and try again as logs may not be available immediately.  
You can also view a detailed document-level report by selecting **View Report**. This report shows the status of each document during the crawl, sync, and index stages, including any errors. If the report is empty for an in-progress job, check back later as data is emitted to the report as events occur during the sync process.  
For more information, see [Troubleshooting data source connectors](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/troubleshooting-data-sources.html#troubleshooting-data-sources-not-indexed).

# Connecting Amazon Q Business to Asana using APIs (Preview)
<a name="Asana-api"></a>

You use the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) action to connect a data source to your Amazon Q application. You can also use the [UpdateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_UpdateDataSource.html) action to modify an existing data source configuration.

Then, you use the `configuration` parameter to provide a JSON blob that conforms to the AWS-defined JSON schema.

For an example of the API request, see [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) and [UpdateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_UpdateDataSource.html) in the Amazon Q API Reference.

## JSON schema
<a name="Asana-json"></a>

The following is the Asana JSON schema:

```
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "connectionConfiguration": {
      "type": "object",
      "properties": {
        "repositoryEndpointMetadata": {
          "type": "object",
          "properties": {
            "authType": {
              "type": "string",
              "enum": [
                "PAT",
                "ServiceAccount"
              ]
            }
          },
          "required": [
            "authType"
          ]
        }
      },
      "required": [
        "repositoryEndpointMetadata"
      ]
    },
    "repositoryConfigurations": {
      "type": "object",
      "properties": {
        "project": {
          "type": "object",
          "properties": {
            "fieldMappings": {
              "type": "array",
              "items": [
                {
                  "type": "object",
                  "properties": {
                    "indexFieldName": {
                      "type": "string"
                    },
                    "indexFieldType": {
                      "type": "string",
                      "enum": [
                        "STRING",
                        "DATE",
                        "STRING_LIST",
                        "LONG"
                      ]
                    },
                    "dataSourceFieldName": {
                      "type": "string"
                    },
                    "dateFieldFormat": {
                      "type": "string",
                      "pattern": "yyyy-MM-dd'T'HH:mm:ss'Z'"
                    }
                  },
                  "required": [
                    "indexFieldName",
                    "indexFieldType",
                    "dataSourceFieldName"
                  ]
                }
              ]
            }
          }
        },
        "task": {
          "type": "object",
          "properties": {
            "fieldMappings": {
              "type": "array",
              "items": [
                {
                  "type": "object",
                  "properties": {
                    "indexFieldName": {
                      "type": "string"
                    },
                    "indexFieldType": {
                      "type": "string",
                      "enum": [
                        "STRING",
                        "DATE",
                        "STRING_LIST",
                        "LONG"
                      ]
                    },
                    "dataSourceFieldName": {
                      "type": "string"
                    },
                    "dateFieldFormat": {
                      "type": "string",
                      "pattern": "yyyy-MM-dd'T'HH:mm:ss'Z'"
                    }
                  },
                  "required": [
                    "indexFieldName",
                    "indexFieldType",
                    "dataSourceFieldName"
                  ]
                }
              ]
            }
          }
        },
        "comment": {
          "type": "object",
          "properties": {
            "fieldMappings": {
              "type": "array",
              "items": [
                {
                  "type": "object",
                  "properties": {
                    "indexFieldName": {
                      "type": "string"
                    },
                    "indexFieldType": {
                      "type": "string",
                      "enum": [
                        "STRING",
                        "DATE",
                        "STRING_LIST",
                        "LONG"
                      ]
                    },
                    "dataSourceFieldName": {
                      "type": "string"
                    },
                    "dateFieldFormat": {
                      "type": "string",
                      "pattern": "yyyy-MM-dd'T'HH:mm:ss'Z'"
                    }
                  },
                  "required": [
                    "indexFieldName",
                    "indexFieldType",
                    "dataSourceFieldName"
                  ]
                }
              ]
            }
          }
        }
      }
    },
    "additionalProperties": {
      "type": "object",
      "properties": {
        "workspaceIds": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "minItems": 1,
          "maxItems": 1
        },
        "projectIds": {
          "type": "array",
          "items": {
            "type": "string",
            "minLength": 12,
            "maxLength": 16
          },
          "maxItems": 20
        },
        "fieldForUserId": {
          "type": "string"
        },
        "isCrawlAcl": {
          "type": "boolean"
        },
        "isCrawlComments": {
          "type": "boolean"
        },
        "inclusionProjectNamePatterns": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "exclusionProjectNamePatterns": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "enableDeletionProtection": {
          "type": "boolean",
          "default": false
        },
        "deletionProtectionThreshold": {
          "type": "string",
          "default": "15"
        }
      }
    },
    "enableIdentityCrawler": {
      "type": "boolean"
    },
    "syncMode": {
      "type": "string",
      "enum": [
        "FULL_CRAWL",
        "FORCED_FULL_CRAWL"
      ]
    },
    "secretArn": {
      "type": "string",
      "minLength": 20,
      "maxLength": 2048
    },
    "type": {
      "type": "string",
      "pattern": "ASANA"
    },
    "version": {
      "type": "string",
      "anyOf": [
        {
          "pattern": "1.0.0"
        }
      ]
    }
  },
  "required": [
    "connectionConfiguration",
    "repositoryConfigurations",
    "syncMode",
    "additionalProperties",
    "secretArn",
    "type"
  ]
}
```

The following table provides information about important JSON keys to configure.


| Configuration | Description | 
| --- | --- | 
| connectionConfiguration | Configuration information for the endpoint of the data source. | 
| repositoryEndpointMetadata | The endpoint information for the data source. | 
| repositoryConfigurations  | Configuration information for the content of the data source. For example, configuring specific types of content and field mappings. | 
|  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/Asana-api.html)  | A list of Asana objects and their metadata attributes that Amazon Q crawls and maps to Amazon Q index field names. The Asana data source field names must exist in your Asana custom metadata. | 
| secretArn | The Amazon Resource Name (ARN) of an AWS Secrets Manager secret that contains the key-value pairs required to connect to your Asana instance. | 
| additionalProperties [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/Asana-api.html)  | Additional configuration options for your content in your data source.  | 
| fieldForUserId | Specify the field to use as the user ID for ACL crawling. | 
| inclusionProjectNamePatterns | A list of regular expression patterns to include specific projects in your Asana data source. Projects that match the patterns are included in the index. Projects that don't match the patterns are excluded from the index. If a project matches both an inclusion and exclusion pattern, the exclusion pattern takes precedence, and the project isn't included in the index. | 
| exclusionProjectNamePatterns | A list of regular expression patterns to exclude specific projects in your Asana data source. Projects that match the patterns are excluded from the index. Projects that don't match the patterns are included in the index. If a project matches both an exclusion and inclusion pattern, the exclusion pattern takes precedence, and the project isn't included in the index. | 
| isCrawlComments | Input `true` to index comments. | 
| isCrawlAcl | Input must be `false` as Asana does not support document crawling with ACL. | 
| type | Specify ASANA as your data source type. | 
| syncMode |  Specify whether Amazon Q should update your index by syncing all documents or only new, modified, and deleted documents. You can choose between the following options: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/Asana-api.html)  | 
| enableIdentityCrawler | This will always be false as Asana does not support Identity Crawling. Identity crawler is activated by default. Crawling identity information on users and groups with access to certain documents is useful for user context filtering. Search results are filtered based on the user or their group access to documents.  Amazon Q Business crawls identity information from your data source by default to ensure responses are generated only from documents end users have access to. For more information, see [Identity crawler](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-identity-crawler).  | 
| version | The version of the template that's currently supported. | 
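
As an added example (not part of the AWS documentation), the following Python pre-flight check applies the constraints from the schema and key table above to a configuration before it is passed to `CreateDataSource`, and previews which project names pass the inclusion and exclusion patterns. The sample configuration, account ID and Asana IDs are constructed; matching with Python's unanchored `re.search` and treating an empty inclusion list as "no restriction" are assumptions about the connector's behavior.

```python
import re

# Constraints copied from the Asana connector JSON schema and key table on this page.
REQUIRED = ("connectionConfiguration", "repositoryConfigurations", "syncMode",
            "additionalProperties", "secretArn", "type")
AUTH_TYPES = {"PAT", "ServiceAccount"}
SYNC_MODES = {"FULL_CRAWL", "FORCED_FULL_CRAWL"}


def lint_config(cfg):
    """Return a list of human-readable problems; an empty list means no findings."""
    problems = [f"missing required key: {key}" for key in REQUIRED if key not in cfg]

    endpoint = cfg.get("connectionConfiguration", {}).get("repositoryEndpointMetadata", {})
    if endpoint.get("authType") not in AUTH_TYPES:
        problems.append("authType must be PAT or ServiceAccount")
    if cfg.get("type") != "ASANA":
        problems.append("type must be ASANA")
    if cfg.get("syncMode") not in SYNC_MODES:
        problems.append("syncMode must be FULL_CRAWL or FORCED_FULL_CRAWL")

    arn = cfg.get("secretArn")
    if not isinstance(arn, str) or not 20 <= len(arn) <= 2048:
        problems.append("secretArn must be a string of 20 to 2048 characters")

    props = cfg.get("additionalProperties", {})
    workspaces = props.get("workspaceIds")
    if workspaces is not None and len(workspaces) != 1:
        problems.append("workspaceIds must hold exactly one workspace ID")
    projects = props.get("projectIds", [])
    if len(projects) > 20:
        problems.append("projectIds allows at most 20 entries")
    for pid in projects:
        if not 12 <= len(pid) <= 16:
            problems.append(f"projectIds entry {pid!r} must be 12 to 16 characters")

    # The key table says ACL and identity crawling are unsupported for Asana.
    if props.get("isCrawlAcl"):
        problems.append("isCrawlAcl must be false")
    if cfg.get("enableIdentityCrawler"):
        problems.append("enableIdentityCrawler must be false")

    # The threshold is a string in the schema; the console describes it as 0 to 100.
    if props.get("enableDeletionProtection"):
        threshold = props.get("deletionProtectionThreshold", "15")
        if not (isinstance(threshold, str) and re.fullmatch(r"[0-9]{1,3}", threshold)
                and int(threshold) <= 100):
            problems.append("deletionProtectionThreshold must be a string from 0 to 100")

    # Assumption: Python's regex dialect is close enough to catch malformed patterns.
    for key in ("inclusionProjectNamePatterns", "exclusionProjectNamePatterns"):
        for pattern in props.get(key, []):
            try:
                re.compile(pattern)
            except re.error as exc:
                problems.append(f"{key}: invalid regex {pattern!r}: {exc}")
    return problems


def project_is_indexed(name, include, exclude):
    """Apply the table's precedence rule: exclusion wins over inclusion."""
    if any(re.search(p, name) for p in exclude):
        return False
    # Assumption: an empty inclusion list places no restriction on project names.
    return not include or any(re.search(p, name) for p in include)


# Constructed sample; the account ID, secret name and Asana IDs are placeholders.
SAMPLE_CONFIG = {
    "type": "ASANA",
    "version": "1.0.0",
    "syncMode": "FULL_CRAWL",
    "secretArn": "arn:aws:secretsmanager:us-east-1:111122223333:secret:asana-EXAMPLE",
    "enableIdentityCrawler": False,
    "connectionConfiguration": {"repositoryEndpointMetadata": {"authType": "PAT"}},
    "repositoryConfigurations": {"project": {"fieldMappings": []}},
    "additionalProperties": {
        "workspaceIds": ["1200000000000001"],
        "projectIds": ["1200000000000002"],
        "isCrawlAcl": False,
        "isCrawlComments": True,
        "inclusionProjectNamePatterns": ["^Public-"],
        "exclusionProjectNamePatterns": ["-draft$"],
        "enableDeletionProtection": True,
        "deletionProtectionThreshold": "15",
    },
}

if __name__ == "__main__":
    print(lint_config(SAMPLE_CONFIG) or "no findings")
    props = SAMPLE_CONFIG["additionalProperties"]
    for name in ("Public-roadmap", "Public-roadmap-draft", "Internal-plan"):
        print(name, project_is_indexed(name, props["inclusionProjectNamePatterns"],
                                       props["exclusionProjectNamePatterns"]))
```

Because the connector does not crawl ACLs, reviewing the pattern preview before the first sync shows which public projects will become answerable in the Amazon Q application.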

# Amazon Q Business Asana data source connector field mappings (Preview)
<a name="Asana-field-mappings"></a>

To improve retrieved results and customize the end user chat experience, Amazon Q Business enables you to map document attributes from your data sources to fields in your Amazon Q index.

Amazon Q offers two kinds of attributes to map to index fields:
+ **Reserved or default** – Reserved attributes are based on document attributes that commonly occur in most data. You can use reserved attributes to map commonly occurring document attributes in your data source to Amazon Q index fields.
+ **Custom** – You can create custom attributes to map document attributes that are unique to your data to Amazon Q index fields.

When you connect Amazon Q to a data source, Amazon Q automatically maps specific data source document attributes to fields within an Amazon Q index. If a document attribute in your data source doesn't have an attribute mapping already available, or if you want to map additional document attributes to index fields, use the custom field mappings to specify how a data source attribute maps to an Amazon Q index field. You create field mappings by editing your data source after your application environment and retriever are created.

To learn more about document attributes and how they work in Amazon Q, see [Document attributes and types in Amazon Q](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/doc-attributes-types.html).

**Important**  
Filtering using document attributes in chat is only supported through the API.

The Amazon Q Asana connector supports the following entities and the associated reserved and custom attributes.

**Topics**
+ [Projects](#Asana-field-mappings-projects)
+ [Tasks](#Asana-field-mappings-tasks)
+ [Comments](#Asana-field-mappings-comments)

## Projects
<a name="Asana-field-mappings-projects"></a>

Amazon Q supports crawling Asana Projects and offers the following project field mappings.


| Asana field name | Index field name | Description | Data type | 
| --- | --- | --- | --- | 
| projectPermaLink | \_source\_uri | Default | String | 
| projectCreatedDate | \_created\_at | Default | Date | 
| projectModifiedDate | \_last\_updated\_at | Default | Date | 
| category | \_category | Default | String | 
| isArchived | asana\_archived | Custom | Custom | 
| dueOn | asana\_dueOn | Custom | Date | 
| startOn | asana\_startOn | Custom | String | 
| isPublicProject | asana\_isPublicProject | Custom | String | 
| ownerId | asana\_ownerId | Custom | String | 
| ownerName | asana\_ownerName | Custom | String | 
| teamId | asana\_teamId | Custom | String list | 
| teamName | asana\_teamName | Custom | String list | 
| workspaceId | asana\_workspaceId | Custom | String | 
| workspaceName | asana\_workspaceName | Custom | String | 
| isOrganization | asana\_isOrganization | Custom | String | 

## Tasks
<a name="Asana-field-mappings-tasks"></a>

Amazon Q supports crawling Asana Tasks and offers the following task field mappings.


| Asana field name | Index field name | Description | Data type | 
| --- | --- | --- | --- | 
| taskPermaLink | \_source\_uri | Default | String | 
| taskCreatedDate | \_created\_at | Default | Date | 
| taskModifiedDate | \_last\_updated\_at | Default | Date | 
| category | \_category | Default | String | 
| assigneeId | asana\_assigneeId | Custom | String | 
| assigneeName | asana\_assigneeName | Custom | String | 
| isCompleted | asana\_isCompleted | Custom | String | 
| dueOn | asana\_dueOn | Custom | String | 
| isSubtask | asana\_isSubtask | Custom | String | 
| topLevelTaskId | asana\_topLevelTaskId | Custom | String | 
| topLevelTaskName | asana\_topLevelTaskName | Custom | String | 
| sectionId | asana\_sectionId | Custom | String | 
| sectionName | asana\_sectionName | Custom | String | 
| projectId | asana\_projectId | Custom | String | 
| projectName | asana\_projectName | Custom | String | 
| workspaceId | asana\_workspaceId | Custom | String | 
| workspaceName | asana\_workspaceName | Custom | String | 
| isOrganization | asana\_isOrganization | Custom | String | 

## Comments
<a name="Asana-field-mappings-comments"></a>

Amazon Q supports crawling Asana Comments and offers the following comment field mappings.


| Asana field name | Index field name | Description | Data type | 
| --- | --- | --- | --- | 
| commentPermaLink | \_source\_uri | Default | String | 
| category | \_category | Default | String | 
| taskId | asana\_taskId | Custom | String | 
| taskName | asana\_taskName | Custom | String | 
| teamId | asana\_teamId | Custom | String | 
| teamName | asana\_teamName | Custom | String | 
| sectionId | asana\_sectionId | Custom | String | 
| sectionName | asana\_sectionName | Custom | String | 
| projectId | asana\_projectId | Custom | String | 
| projectName | asana\_projectName | Custom | String | 
| workspaceId | asana\_workspaceId | Custom | String | 
| workspaceName | asana\_workspaceName | Custom | String | 
| isOrganization | asana\_isOrganization | Custom | String | 

# IAM role for Amazon Q Business Asana connector (Preview)
<a name="Asana-iam-role"></a>

If you use the AWS CLI or an AWS SDK, you must create an AWS Identity and Access Management (IAM) policy before you create an Amazon Q resource. When you call the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) operation, you provide the Amazon Resource Name (ARN) of the role with the policy attached.

If you use the AWS Management Console, you can create a new IAM role in the Amazon Q console or use an existing IAM role.

To learn more about IAM roles, see [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) in the *AWS Identity and Access Management User Guide*.

To connect your data source connector to Amazon Q, you must give Amazon Q an IAM role that has the following permissions:
+ Permission to access the `BatchPutDocument` and `BatchDeleteDocument` operations to ingest documents.
+ Permission to access the [User Store](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-principal-store.html) API operations to ingest user and group access control information from documents.
+ Permission to access your AWS Secrets Manager secret to authenticate your data source connector instance.
+ **(Optional)** If you're using Amazon VPC, permission to access your Amazon VPC.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsAmazonQToGetSecret",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
      ]
    },
    {
      "Sid": "AllowsAmazonQToDecryptSecret",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
      ],
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "secretsmanager.*.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "AllowsAmazonQToIngestDocuments",
      "Effect": "Allow",
      "Action": [
        "qbusiness:BatchPutDocument",
        "qbusiness:BatchDeleteDocument"
      ],
      "Resource": [
        "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}",
        "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}/index/{{index_id}}"
      ]
    },
    {
      "Sid": "AllowsAmazonQToIngestPrincipalMapping",
      "Effect": "Allow",
      "Action": [
        "qbusiness:PutGroup",
        "qbusiness:CreateUser",
        "qbusiness:DeleteGroup",
        "qbusiness:UpdateUser",
        "qbusiness:ListGroups"
      ],
      "Resource": [
        "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}",
        "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}",
        "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}/data-source/*"
      ]
    },
    {
      "Sid": "AllowsAmazonQToCreateAndDeleteNI",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": [
        "arn:aws:ec2:{{region}}:{{account_id}}:subnet/[[subnet_ids]]",
        "arn:aws:ec2:{{region}}:{{account_id}}:security-group/[[security_group]]"
      ]
    },
    {
      "Sid": "AllowsAmazonQToCreateAndDeleteNIForSpecificTag",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/AMAZON_Q": "qbusiness_{{account_id}}_{{application_id}}_*"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "AMAZON_Q"
          ]
        }
      }
    },
    {
      "Sid": "AllowsAmazonQToCreateTags",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "CreateNetworkInterface"
        }
      }
    },
    {
      "Sid": "AllowsAmazonQToCreateNetworkInterfacePermission",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterfacePermission"
      ],
      "Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/AMAZON_Q": "qbusiness_{{account_id}}_{{application_id}}_*"
        }
      }
    },
    {
      "Sid": "AllowsAmazonQToDescribeResourcesForVPC",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeNetworkInterfaceAttribute",
        "ec2:DescribeVpcs",
        "ec2:DescribeRegions",
        "ec2:DescribeNetworkInterfacePermissions",
        "ec2:DescribeSubnets"
      ],
      "Resource": "*"
    }
  ]
}
```

**To allow Amazon Q to assume a role, you must also use the following trust policy:**

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsAmazonQServicePrincipal",
      "Effect": "Allow",
      "Principal": {
        "Service": "qbusiness.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "{{source_account}}"
        },
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"
        }
      }
    }
  ]
}
```

For more information on Amazon Q data source connector IAM roles, see [IAM roles for Amazon Q data source connectors](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/iam-roles.html#iam-roles-ds).
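
The trust policy above depends on `aws:SourceAccount` and `aws:SourceArn` to keep any other account's or application's Amazon Q requests from assuming the role. The following Python check is an added example, not AWS's code: it flags a trust policy whose template fields were never filled in or whose conditions are looser than the documented form. The function names, account ID and application ARN are constructed for illustration.

```python
import json
import re

SERVICE = "qbusiness.amazonaws.com"
PLACEHOLDER = re.compile(r"\{\{.*?\}\}|\[\[.*?\]\]")  # unfilled template fields

def as_list(value):
    return value if isinstance(value, list) else [value]

def cond_values(condition, operator, key):
    # IAM condition keys are case-insensitive, so match them that way.
    for name, value in condition.get(operator, {}).items():
        if name.lower() == key.lower():
            return as_list(value)
    return []

def check_trust_policy(policy_text, account_id, application_arn):
    """Return findings; an empty list means the role is scoped as documented."""
    findings = []
    if PLACEHOLDER.search(policy_text):
        findings.append("unreplaced template placeholder")
    for stmt in as_list(json.loads(policy_text).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(stmt.get("Action", [])):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Principal") not in ({"Service": SERVICE}, {"Service": [SERVICE]}):
            findings.append(f"{sid}: principal is not limited to {SERVICE}")
        cond = stmt.get("Condition", {})
        if cond_values(cond, "StringEquals", "aws:SourceAccount") != [account_id]:
            findings.append(f"{sid}: aws:SourceAccount is not pinned to {account_id}")
        # ArnEquals still honours * and ?, so require the exact application ARN.
        if cond_values(cond, "ArnEquals", "aws:SourceArn") != [application_arn]:
            findings.append(f"{sid}: aws:SourceArn is not pinned to {application_arn}")
    return findings

# Constructed sample values, not taken from the page.
ACCOUNT = "111122223333"
APP_ARN = f"arn:aws:qbusiness:us-east-1:{ACCOUNT}:application/a1b2c3d4-example"

def make_policy(source_arn):
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowsAmazonQServicePrincipal", "Effect": "Allow",
        "Principal": {"Service": SERVICE}, "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT},
                      "ArnEquals": {"aws:SourceArn": source_arn}}}]})

SCOPED = make_policy(APP_ARN)
WILDCARD = make_policy(f"arn:aws:qbusiness:*:{ACCOUNT}:application/*")
```

Run `check_trust_policy` on the role's trust document before attaching the role to a data source; any finding means the role can be assumed more broadly than the documented policy allows.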

# Understand error codes in the Amazon Q Business Asana connector (Preview)
<a name="Asana-error-codes"></a>

The following table provides information about error codes you may see for the Asana connector and suggested resolutions.


| Error code | Error message | Suggested resolution | 
| --- | --- | --- | 
| ASN-5101 | The token in your data source configuration is missing. | Enter a valid token (specific to PAT or ServiceAccount) and try again. | 
| ASN-5102 | The auth type in your data source configuration is invalid. | Enter a valid auth type (PAT or ServiceAccount) and try again. | 
| ASN-5103 | The auth type in your data source configuration is missing. | Enter a valid auth type (PAT or ServiceAccount) and try again. | 
| ASN-5104 | The crawl type in your data source configuration is missing. | Enter a valid crawlType (for example, FULL\_CRAWL) and try again. | 
| ASN-5105 | Only String, String List, Date and Long formats are supported for the indexFieldType in all the field mappings. | Use only a supported format for the indexFieldType in all the fieldMappings. | 
| ASN-5106 | There was an error parsing the field value. The size has exceeded the maximum allowable limit. | The maximum size permitted is 1000 for the field \{field name\}. For example, the field name can be token, workspaceId, or projectId. | 
| ASN-5107 | The connection configuration in your data source configuration is missing. | Enter valid connection configuration details and try again. | 
| ASN-5108 | The repository credentials in your data source configuration is missing. | Enter valid repository credentials details and try again. | 
| ASN-5109 | The repository endpoint metadata in your data source configuration is missing. | Enter valid repository endpoint metadata details and try again. | 
| ASN-5110 | The additional properties in your data source configuration is missing. | Enter valid additional properties and try again. | 
| ASN-5111 | Invalid Workspace Id. | Provide a numeric value for the workspace Id. | 
| ASN-5112 | Invalid Project Id. | Provide a numeric value for the project Id. | 
| ASN-5113 | The workspaceIds field has exceeded the limit. Allowed entries are limited to 1. | Correct the number of entries and try again. | 
| ASN-5114 | The projectIds field has exceeded the limit. Maximum allowed entries are 20. | Correct the number of entries and try again. | 
| ASN-5115 | The regex pattern provided in \{pattern field\} Patterns is invalid. | Provide a valid regex pattern. | 
| ASN-5116 | The workspace Id in your data source configuration is missing. | Enter a single workspace Id and try again. | 
| ASN-5200 | IO Exception occurred while reading contents from Asana. | Rerun the connector. If the issue persists, contact support. | 
| ASN-5201 | Unknown exception occurred. | Rerun the connector. If the issue persists, contact support. | 
| ASN-5202 | The user details are not found. | Verify the user data for the given authentication type by calling the user API with a curl command or in Postman. | 
| ASN-5204 | Could not find Project(s) using the filter provided in the Asana configuration. Either Workspace(s) or Project(s) access is forbidden. | Check the Workspace and Project(s) access and provide valid inclusion and exclusion project name filter inputs. | 
| ASN-5500 | Asana connection successful. | Informational: the connection to the Asana data source succeeded. | 