Actions, resources, and condition keys for Amazon Q Business Q Apps
Amazon Q Business Q Apps (service prefix: qapps) provides the following
service-specific operations, resources, actions, and condition keys for use in IAM permission
policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
-
View the programmatic service authorization reference
for this service.
Topics
API operations defined by Amazon Q Business Q Apps
The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.
| Operation | IAM action | Condition key | Possible value(s) | Access level |
|---|---|---|---|---|
|
BatchCreateCategory |
Write |
|||
|
BatchDeleteCategory |
Write |
|||
|
BatchUpdateCategory |
Write |
|||
|
CreateLibraryItem |
Write |
|||
|
CreatePresignedUrl |
Write |
|||
|
CreateQApp |
Write |
|||
|
DeleteLibraryItem |
Write |
|||
|
DeleteQApp |
Write |
|||
|
DescribeQAppPermissions |
Read |
|||
|
DisassociateQAppFromUser |
Write |
|||
|
GetLibraryItem |
Read |
|||
|
GetQApp |
Read |
|||
|
GetQAppSession |
Read |
|||
|
GetQAppSessionMetadata |
Read |
|||
|
ImportDocument |
Write |
|||
|
ListCategories |
List |
|||
|
ListLibraryItems |
List |
|||
|
ListQAppSessionData |
Read |
|||
|
ListQApps |
List |
|||
|
ListTagsForResource |
Read |
|||
|
StartQAppSession |
Write |
|||
|
StopQAppSession |
Write |
|||
|
TagResource |
Tagging, Write |
|||
|
UntagResource |
Tagging, Write |
|||
|
UpdateLibraryItem |
Write |
|||
|
UpdateLibraryItemMetadata |
Write |
|||
|
UpdateQApp |
Write |
|||
|
UpdateQAppPermissions |
Write |
|||
|
UpdateQAppSession |
Write |
|||
|
UpdateQAppSessionMetadata |
Write |
Actions defined by Amazon Q Business Q Apps
You can specify the following actions in the Action element of an IAM
policy statement. Use policies to grant permissions to perform an operation in AWS. When
you use an action in a policy, you usually allow or deny access to the API operation or CLI
command with the same name. However, in some cases, a single action controls access to more
than one operation. Alternatively, some operations require several different actions.
| Actions | Description | Resource types (*required) | Condition keys | Access level |
|---|---|---|---|---|
Grants permission to associate a library item review in the Q Business application environment |
Write |
|||
Grants permission to associate Q App with a user in the Q Business application environment |
Write |
|||
Grants permission to create the categories of a library in the Q Business application environment |
Write |
|||
Grants permission to delete the categories of a library in the Q Business application environment |
Write |
|||
Grants permission to update the categories of a library in the Q Business application environment |
Write |
|||
Grants permission to create a library item in the Q Business application environment |
Write |
|||
Grants permission to create Q App in the Q Business application environment |
Write |
|||
Grants permission to delete a library item in the Q Business application environment |
Write |
|||
Grants permission to delete Q App in the Q Business application environment |
Write |
|||
Grants permission to get Q App sharing permissions in the Q Business application environment |
Read |
|||
Grants permission to disassociate a library item review in the Q Business application environment |
Write |
|||
Grants permission to disassociate Q App with a user in the Q Business application environment |
Write |
|||
Grants permission to export Q App session data in the Q Business application environment |
Write |
|||
Grants permission to get a library item in the Q Business application environment |
Read |
|||
Grants permission to get Q App in the Q Business application environment |
Read |
|||
Grants permission to get Q App session in the Q Business application environment |
Read |
|||
Grants permission to get Q App session metadata in the Q Business application environment |
Read |
|||
Grants permission to import a document to Q App or Q App Session in the Q Business application environment |
Write |
|||
Grants permission to list categories in the Q Business application environment |
List |
|||
Grants permission to list library items in the Q Business application environment |
List |
|||
Grants permission to get Q App session data in the Q Business application environment |
Read |
|||
Grants permission to list Q Apps in the Q Business application environment |
List |
|||
Grants permission to list tags for a resource |
Read |
|||
Grants permission to predict Q App from conversation log or problem statement in the Q Business application environment |
Write |
|||
Grants permission to start Q App session in the Q Business application environment |
Write |
|||
Grants permission to stop Q App session in the Q Business application environment |
Write |
|||
Grants permission to tag a resource with given key value pairs |
Tagging, Write |
|||
Grants permission to remove the tag with the given key from a resource |
Tagging, Write |
|||
Grants permission to update a library item in the Q Business application environment |
Write |
|||
Grants permission to update the metadata of a library item in the Q Business application environment |
Write |
|||
Grants permission to update Q App in the Q Business application environment |
Write |
|||
Grants permission to update Q App sharing permissions in the Q Business application environment |
Write |
|||
Grants permission to update Q App session in the Q Business application environment |
Write |
|||
Grants permission to update Q App session metadata in the Q Business application environment |
Write |
Permission-only actions for Amazon Q Business Q Apps
The following actions are defined by Amazon Q Business Q Apps but are not directly invocable through any API operation. They can only be used in IAM policy statements to grant or deny permissions.
| Actions | Description | Resource types (*required) | Condition keys | Access level |
|---|---|---|---|---|
Grants permission to copy Q App in the Q Business application environment |
Write |
|||
Grants permission to create a library item review in the Q Business application environment |
Write |
|||
Grants permission to subscribe to a Q App event bus topic in the Q Business application environment |
Write |
|||
Grants permission to predict problem statement from conversation log in the Q Business application environment |
Write |
|||
Grants permission to predict Q App metadata from problem statement in the Q Business application environment |
Write |
Resource types defined by Amazon Q Business Q Apps
The following resource types are defined by this service and can be used in the
Resource element of IAM permission policy statements.
| Resource types | ARN | Condition keys |
|---|---|---|
arn:${Partition}:qbusiness:${Region}:${Account}:application/${ApplicationId} |
||
arn:${Partition}:qapps:${Region}:${Account}:application/${ApplicationId}/qapp/${AppId} |
||
arn:${Partition}:qapps:${Region}:${Account}:application/${ApplicationId}/qapp/${AppId}/session/${SessionId} |
Condition keys for Amazon Q Business Q Apps
Amazon Q Business Q Apps defines the following condition keys that can be used in the
Condition element of an IAM policy.
| Condition keys | Description | Type |
|---|---|---|
Filters access by the tags that are passed in the request |
String |
|
Filters access by the tags associated with the resource |
String |
|
Filters access by the tag keys that are passed in the request |
ArrayOfString |
|
Filters access by whether Q App is published |
String |
|
Filters access by whether Q App Session is shared |
String |
|
Filters access by whether requester is Q App owner |
String |
|
Filters access by whether requester is Q App Session moderator |
String |