

# Connecting Gmail to Amazon Q Business
<a name="gmail-connector"></a>

With Amazon Q Business, you can connect your Gmail enterprise email system to unlock valuable organizational knowledge stored in email communications. When you connect Gmail to Amazon Q Business, your users can search and get answers from email content and conversations directly through the Amazon Q web experience.

You can connect your Gmail instance to Amazon Q Business using either the AWS Management Console or the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) API. This connection lets your organization use email-based knowledge for better decision-making and faster information discovery.

**Topics**
+ [Gmail connector versions](gmail-versions.md)
+ [Gmail connector overview](gmail-overview.md)
+ [Prerequisites for connecting Amazon Q Business to Gmail](gmail-prereqs.md)
+ [Connecting Amazon Q Business to Gmail using the latest connector (Console)](gmail-console-new.md)
+ [Connecting Amazon Q Business to Gmail using the legacy connector (Console)](gmail-console-original.md)
+ [Connecting Amazon Q Business to Gmail using the new connector (API)](gmail-new-api.md)
+ [Connecting Amazon Q Business to Gmail using the original connector (API)](gmail-original-api.md)
+ [How Amazon Q Business connector crawls Gmail ACLs](gmail-user-management.md)
+ [Gmail data source connector field mappings](gmail-field-mappings.md)
+ [IAM role for Amazon Q Business Gmail connector](gmail-iam-role.md)
+ [Understand error codes in the Amazon Q Business Gmail connector](gmail-error-codes.md)

**Learn more**
+ For an overview of the Amazon Q web experience creation process using IAM Identity Center, see [Configuring an application using IAM Identity Center](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/create-application.html).
+ For an overview of the Amazon Q web experience creation process using AWS Identity and Access Management, see [Configuring an application using IAM](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/create-application-iam.html).
+ For an overview of connector features, see [Data source connector concepts](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html).
+ For information about connector configuration best practices, see [Connector configuration best practices](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-best-practices.html).

# Gmail connector versions
<a name="gmail-versions"></a>

Amazon Q Business offers two Gmail connector versions to meet different configuration needs:

## Latest Gmail connector (Recommended)
<a name="gmail-new-connector-overview"></a>

**Note**  
The latest connector provides improved accuracy. We recommend using the latest connector for new implementations. The legacy connector remains available for customers requiring specific features not yet supported in the latest connector.

The latest Gmail connector provides a simplified configuration experience with essential features:
+ Configurable crawling of Email and Draft Email content
+ Simplified filtering with only Date Range options
+ Enhanced UI with improved validation and tips
+ Automatic crawling of ACL and identity information

## Legacy Gmail connector
<a name="gmail-original-connector-overview"></a>

The legacy (original) Gmail connector provides full-featured configuration with advanced options:
+ Complete entity type selection including Message attachments
+ Advanced filtering options including domains, keywords, and labels
+ Custom field mappings for metadata extraction
+ Configurable sync modes and VPC settings
+ Regex pattern matching for complex attachment filtering
+ Manual ACL and identity crawling configuration

# Gmail connector overview
<a name="gmail-overview"></a>

The table that summarizes the Gmail connector and its supported features is not reproduced here; see [Gmail connector overview](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/gmail-overview.html) on the AWS documentation website.

# Prerequisites for connecting Amazon Q Business to Gmail
<a name="gmail-prereqs"></a>

Before you connect Amazon Q Business to Gmail, you need to set up authentication and permissions in your Google Workspace environment. This setup ensures Amazon Q Business can securely access your email data while respecting your organization's access controls.

## Setting up Google Workspace authentication
<a name="gmail-prereqs-google"></a>

Complete these steps in your Google Workspace environment to prepare for the Amazon Q Business connection:

**To set up Google Workspace authentication**

1. Verify you have Google Workspace (not personal Gmail accounts).

1. Create a Google Cloud Platform admin account and Google Cloud project if you don't already have them.

1. Enable the Gmail API and Admin SDK API in your Google Cloud project:

   1. Go to the Google Cloud Console API Library.

   1. Search for and enable the Gmail API.

   1. Search for and enable the Admin SDK API.

1. Create a service account and download its JSON private key. For detailed instructions, see [Create a service account key](https://cloud.google.com/iam/docs/keys-create-delete#creating) and [Service account credentials](https://cloud.google.com/iam/docs/service-account-creds#key-types) in the Google Cloud documentation.

1. Grant the service account the OAuth scopes it needs. Because the service account reads mailboxes on behalf of your users, the scopes are granted through domain-wide delegation in the Google Workspace Admin console (under **Security**, **API controls**, **Domain-wide delegation**), using the service account's numeric client ID. Add exactly these read-only scopes; the connector needs nothing broader:
   + `https://www.googleapis.com/auth/admin.directory.user.readonly`
   + `https://www.googleapis.com/auth/admin.directory.group.readonly`
   + `https://www.googleapis.com/auth/gmail.readonly`

1. Save the following information for use in Amazon Q Business:
   + Admin account email address (a Google Workspace administrator that the service account impersonates when it calls the Admin SDK)
   + Service account email address (the `client_email` value in the JSON key file)
   + Private key from the JSON file (the `private_key` value). This key is a long-lived credential that can read every mailbox in the domain: store it only in AWS Secrets Manager and delete local copies of the key file once it is stored.

**In your AWS account, make sure you have:**
+ Created an Amazon Q Business application.
+ Created an [Amazon Q Business retriever and added an index](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/select-retriever.html).
+ Created an [IAM role](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/iam-roles.html#iam-roles-ds) for your data source and, if using the Amazon Q API, noted the ARN of the IAM role.
+ Stored your Gmail authentication credentials in an AWS Secrets Manager secret and, if using the Amazon Q API, noted the ARN of the secret.
**Note**  
If you're a console user, you can create the IAM role and Secrets Manager secret as part of configuring your Amazon Q application on the console.

For a list of things to consider while configuring your data source, see [ Data source connector configuration best practices](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-best-practices.html).
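The following Python script is an added example; it is not code from the AWS documentation or from Google. It takes the service account key file downloaded in the Google Workspace steps above plus the admin account address, checks that the inputs are what the connector expects (a service account key, a Workspace user as admin, a PKCS#8 PEM block with its newlines intact), reports which of the three delegated scopes are still missing from your domain-wide delegation grant, and produces the JSON document that the Secrets Manager secret must contain. The sample key file is constructed and its PEM body is a placeholder, not a real key; `store_secret()` uses boto3 (`create_secret`) and is the only part that needs AWS credentials, so the rest runs offline.

```python
"""Build and check the Secrets Manager payload for the Amazon Q Business Gmail connector.

Added example, not AWS or Google code. Assumes the key file is the standard JSON
key that Google Cloud downloads when you create a service account key.
"""
import json
import re

# Delegated scopes the connector needs, as listed in the prerequisites.
REQUIRED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/gmail.readonly",
})

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
SERVICE_ACCOUNT_SUFFIX = ".iam.gserviceaccount.com"
PEM_BEGIN = "-----BEGIN PRIVATE KEY-----"
PEM_END = "-----END PRIVATE KEY-----"


def build_gmail_secret(key_file_json: str, admin_email: str) -> dict:
    """Return the secret document {clientEmailId, adminAccountEmailId, privateKey}
    from a service account key file, raising ValueError on anything malformed."""
    key = json.loads(key_file_json)
    if key.get("type") != "service_account":
        raise ValueError("key file is not a service account key")
    client_email = key.get("client_email", "")
    if not client_email.endswith(SERVICE_ACCOUNT_SUFFIX):
        raise ValueError("client_email is not a service account address")
    if not EMAIL_RE.match(admin_email) or admin_email.endswith(SERVICE_ACCOUNT_SUFFIX):
        raise ValueError("admin email must be a Google Workspace user, not a service account")
    private_key = key.get("private_key", "")
    # The key file stores newlines as "\n" escapes; json.loads restores them, and
    # the connector expects the PEM block with those newlines in place.
    if not (private_key.startswith(PEM_BEGIN) and private_key.rstrip().endswith(PEM_END)):
        raise ValueError("private_key is not a PKCS#8 PEM block")
    if "\n" not in private_key:
        raise ValueError("private_key has no newlines (copied from a single-line display?)")
    return {
        "clientEmailId": client_email,
        "adminAccountEmailId": admin_email,
        "privateKey": private_key,
    }


def check_delegated_scopes(granted) -> set:
    """Return the required scopes missing from the domain-wide delegation grant
    (pass the scopes you entered in the Admin console)."""
    return set(REQUIRED_SCOPES) - set(granted)


def store_secret(secret_name: str, secret: dict, region: str) -> str:
    """Write the secret with boto3 and return its ARN (needs AWS credentials)."""
    import boto3  # imported here so the rest of the file runs offline
    client = boto3.client("secretsmanager", region_name=region)
    response = client.create_secret(Name=secret_name, SecretString=json.dumps(secret))
    return response["ARN"]


# Constructed sample key file: the PEM body is a placeholder, not a real key.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "q-gmail-connector@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
})

if __name__ == "__main__":
    secret = build_gmail_secret(SAMPLE_KEY_FILE, "admin@example.com")
    shown = {k: ("<redacted>" if k == "privateKey" else v) for k, v in secret.items()}
    print(json.dumps(shown, indent=2))
    print("missing scopes:", check_delegated_scopes({"https://www.googleapis.com/auth/gmail.readonly"}))
```

Rejecting a service account address in the admin field matters in practice: the Admin SDK call succeeds only when the service account impersonates a real Workspace administrator, and the private key check catches the common mistake of pasting the key with its newlines flattened.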

# Connecting Amazon Q Business to Gmail using the latest connector (Console)
<a name="gmail-console-new"></a>

The following procedure outlines how to connect Amazon Q Business to Gmail using the latest connector and the AWS Management Console. The latest connector provides a simplified configuration experience with automatic ACL and identity crawling.

**Connecting Amazon Q to Gmail using the latest connector**

1. Sign in to the AWS Management Console and open the Amazon Q Business console.

1. From the left navigation menu, choose **Data sources**.

1. From the **Data sources** page, choose **Add data source**.

1. Then, on the **Add data sources** page, from **Data sources**, add the **Gmail** data source to your Amazon Q application.

1. Then, on the **Gmail** data source page, enter the following information:

1. In **Name and description**, do the following:
   + For **Data source name** – Name your data source for easy tracking.
**Note**  
You can include hyphens (-) but not spaces. Maximum of 1,000 alphanumeric characters.
   + **Description – *optional*** – Add an optional description for your data source. This text is viewed only by Amazon Q Business administrators and can be edited later.

1. In **Authentication**, for **AWS Secrets Manager secret** – Choose an existing secret or create a Secrets Manager secret to store your Gmail authentication credentials. If you choose to create a secret, an AWS Secrets Manager secret window opens.

   1. Enter the following information in the **Create an AWS Secrets Manager secret window**:

     1. **Secret Name** – A name for your secret.

     1. **Client email** – The client email address that you copied from your Google service account (the `client_email` value in the service account key file, for example `service-account@123.iam.gserviceaccount.com`).

     1. **Admin account email** – The Google Workspace admin account email address that the service account impersonates.

     1. **Private key** – The private key that you copied from your Google service account (the `private_key` value in the key file, including the `-----BEGIN PRIVATE KEY-----` and `-----END PRIVATE KEY-----` lines).

     1. Choose **Save**.

   The console stores these three values in the secret as a JSON document with the following structure:

   ```json
   {
     "clientEmailId": "service-account@123.iam.gserviceaccount.com",
     "adminAccountEmailId": "admin@accounthost.com",
     "privateKey": "-----BEGIN PRIVATE KEY-----\nPRIVATE KEY HERE\n-----END PRIVATE KEY-----\n"
   }
   ```

1. For **Additional configuration – *optional***, configure the date range filter:

   1. **Date range** – Configure the time period for crawling email messages. Choose one of the following:
     + *Date range* – Specify a start date and an end date. This filter is optional; if you don't set one, the entire mailbox is crawled.
     + *Start date onwards* – Specify only a start date to crawl messages from that date forward.
**Note**  
**Simplified configuration:** The latest connector automatically crawls email content and allows configurable draft email crawling. Only date range filtering is available to keep the configuration simple and reliable.

1. In **Sync run schedule**, for **Frequency** – Choose how often Amazon Q will sync with your data source. For more details, see [Sync run schedule](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-sync-run). To learn how to start a data sync job, see [Starting data source connector sync jobs](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/supported-datasource-actions.html#start-datasource-sync-jobs).

1. **Tags - *optional*** – Add tags to search and filter your resources or track your AWS costs. See [Tags](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/tagging.html) for more details.

1. In **Data source details**, choose **Sync now** to allow Amazon Q to begin syncing (crawling and ingesting) data from your data source. When the sync job finishes, your data source is ready to use.
**Note**  
View CloudWatch logs for your data source sync job by selecting **View CloudWatch logs**. If you encounter a `Resource not found exception` error, wait and try again as logs may not be available immediately.  
You can also view a detailed document-level report by selecting **View Report**. This report shows the status of each document during the crawl, sync, and index stages, including any errors. If the report is empty for an in-progress job, check back later as data is emitted to the report as events occur during the sync process.  
For more information, see [Troubleshooting data source connectors](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/troubleshooting-data-sources.html#troubleshooting-data-sources-not-indexed).

# Connecting Amazon Q Business to Gmail using the legacy connector (Console)
<a name="gmail-console-original"></a>

The following procedure outlines how to connect Amazon Q Business to Gmail using the legacy connector and the AWS Management Console. The legacy connector provides full-featured configuration with advanced options.

**Connecting Amazon Q to Gmail using the legacy connector**

1. Sign in to the AWS Management Console and open the Amazon Q Business console.

1. From the left navigation menu, choose **Data sources**.

1. From the **Data sources** page, choose **Add data source**.

1. Then, on the **Add data sources** page, from **Data sources**, add the **Gmail** data source to your Amazon Q application.

1. Then, on the **Gmail** data source page, enter the following information:

1. In **Name and description**, do the following:
   + For **Data source name** – Name your data source for easy tracking.
**Note**  
You can include hyphens (-) but not spaces. Maximum of 1,000 alphanumeric characters.
   + **Description – *optional*** – Add an optional description for your data source. This text is viewed only by Amazon Q Business administrators and can be edited later.

1. **Authorization** – Amazon Q Business crawls ACL information by default to ensure responses are generated only from documents your end users have access to. If supported for your connector, you can manage ACLs by selecting **Enable ACLs** to enable ACLs or **Disable ACLs** to disable them. With ACLs disabled, every user of the application can receive answers drawn from any indexed message, so disable them only for mailboxes whose content is meant for all users. To manage ACLs, you need specific IAM permissions. See [Grant permission to create data sources with ACLs disabled](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/setting-up.html#DisableAclOnDataSource) for more details. See [Authorization](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-authorization) for more details.

1. In **Authentication**, for **AWS Secrets Manager secret** – Choose an existing secret or create a Secrets Manager secret to store your Gmail authentication credentials. If you choose to create a secret, an AWS Secrets Manager secret window opens.

   1. Enter the following information in the **Create an AWS Secrets Manager secret window**:

     1. **Secret Name** – A name for your secret.

     1. **Client email** – The client email address that you copied from your Google service account.

     1. **Admin account email** – The admin account email address that you would like to use.

     1. **Private key** – The private key that you copied from your Google service account.

     1. Choose **Save**.

1. **IAM role** – Choose an existing IAM role or create an IAM role to access your repository credentials and index content.
**Note**  
Creating a new service IAM role is recommended.

   For more information, see [IAM role](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/gmail-connector.html#gmail-iam).

1. In **Sync scope**, choose from the following entity types:
   + **Message attachments** – Choose to crawl email attachments. Messages are crawled by default.

1. For **Maximum file size** – Specify the file size limit in MBs that Amazon Q will crawl. Amazon Q will crawl only the files within the size limit you define. The default file size is 50MB. The maximum file size should be greater than 0MB and less than or equal to 50MB.

1. For **Additional configuration – *optional***, configure the filtering options available in the legacy connector:

   1. **Date range** – Enter a date range to specify the start and end date of email messages to be crawled.

   1. **Email domains** – Include or exclude email messages based on domains.

   1. **Keywords in subjects** – Include or exclude email messages based on keywords in their subjects.
**Note**  
You can also choose to include any documents that match all the subject keywords that you have entered.

   1. **Labels** – Add regular expression patterns to include or exclude specific labels. You can add up to 100 patterns.

   1. **Attachments** – Add regular expression patterns to include or exclude specific attachments. You can add up to 100 patterns.

1. **Multi-media content configuration – optional** – To enable content extraction from embedded images and visuals in documents, choose **Visual content in documents**.

   To extract audio transcriptions and video content, enable processing for the following file types:

1. For **Sync mode**, choose how you want to update your index when your data source content changes. When you sync your data source with Amazon Q for the first time, all content is synced by default.
   + **Full sync** – Sync all content regardless of the previous sync status.
   + **New, modified, or deleted content sync** – Sync only new, modified, and deleted documents.

1. **Configure VPC and security group – *optional*** – Choose whether you want to use a VPC. If you do, enter the following information:

   1. **Subnets** – Select up to 6 repository subnets that define the subnets and IP ranges the repository instance uses in the selected VPC.

   1. **VPC security groups** – Choose up to 10 security groups that allow access to your data source. Ensure that the security group allows incoming traffic from Amazon EC2 instances and devices outside your VPC. For databases, security group instances are required. 

   For more information, see [VPC](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-vpc).

1. In **Sync run schedule**, for **Frequency** – Choose how often Amazon Q will sync with your data source. For more details, see [Sync run schedule](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-sync-run). To learn how to start a data sync job, see [Starting data source connector sync jobs](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/supported-datasource-actions.html#start-datasource-sync-jobs).

1. **Tags - *optional*** – Add tags to search and filter your resources or track your AWS costs. See [Tags](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/tagging.html) for more details.

1. **Field mappings** – A list of data source document attributes to map to your index fields.
**Note**  
Add or update the fields from the **Data source details** page after you finish adding your data source. You can choose from two types of fields: 

   1. **Default** – Automatically created by Amazon Q on your behalf based on common fields in your data source. You can't edit these.

   1. **Custom** – Automatically created by Amazon Q on your behalf based on common fields in your data source. You can edit these. You can also create and add new custom fields.
**Note**  
Support for adding custom fields varies by connector. You won't see the **Add field** option if your connector doesn't support adding custom fields.

   For more information, see [Field mappings](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-field-mappings).

1. In **Data source details**, choose **Sync now** to allow Amazon Q to begin syncing (crawling and ingesting) data from your data source. When the sync job finishes, your data source is ready to use.
**Note**  
View CloudWatch logs for your data source sync job by selecting **View CloudWatch logs**. If you encounter a `Resource not found exception` error, wait and try again as logs may not be available immediately.  
You can also view a detailed document-level report by selecting **View Report**. This report shows the status of each document during the crawl, sync, and index stages, including any errors. If the report is empty for an in-progress job, check back later as data is emitted to the report as events occur during the sync process.  
For more information, see [Troubleshooting data source connectors](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/troubleshooting-data-sources.html#troubleshooting-data-sources-not-indexed).

# Connecting Amazon Q Business to Gmail using the new connector (API)
<a name="gmail-new-api"></a>

You use the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) action to connect a data source to your Amazon Q application. You can also use the [UpdateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_UpdateDataSource.html) action to modify an existing data source configuration.

Then, you use the `configuration` parameter to provide a JSON blob that conforms to the AWS-defined JSON schema.

For an example of the API request, see [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) and [UpdateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_UpdateDataSource.html) in the Amazon Q API Reference.

## New Gmail connector JSON schema
<a name="gmail-new-json"></a>

The following is the new Gmail connector JSON schema:

```
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "type": "object",
  "properties": {
    "type": {
      "type": "string",
      "enum": ["GMAILV2"]
    },
    "connectionConfiguration": {
      "type": "object",
      "properties": {
        "secretArn": {
          "type": "string",
          "pattern": "^arn:[a-z0-9-\\.]{1,63}:[a-z0-9-\\.]{0,63}:[a-z0-9-\\.]{0,63}:[a-z0-9-\\.]{0,63}:[^/].{0,1023}$"
        }
      },
      "required": ["secretArn"]
    },
    "dataEntityConfiguration": {
      "type": "object",
      "properties": {
        "crawlDraftEmails": {
          "type": "boolean"
        }
      }
    },
    "filterConfiguration": {
      "type": "object",
      "properties": {
        "maxFileSizeInMegaBytes": {
          "type": "string",
          "pattern": "^\\d+$"
        },
        "startDateFilter": {
          "type": "string",
          "format": "date-time"
        },
        "endDateFilter": {
          "type": "string",
          "format": "date-time"
        }
      }
    },
    "deletionProtectionConfiguration": {
      "type": "object",
      "properties": {
        "enableDeletionProtection": {
          "type": "boolean"
        },
        "deletionProtectionThreshold": {
          "type": "string",
          "pattern": "^(100|[1-9][0-9]?)$"
        }
      },
      "required": ["enableDeletionProtection", "deletionProtectionThreshold"]
    }
  },
  "required": [
    "type",
    "connectionConfiguration",
    "dataEntityConfiguration"
  ]
}
```

The following table provides information about important JSON keys to configure for the new Gmail connector.


| Configuration | Description | 
| --- | --- | 
| type | The type of data source. Specify GMAILV2 for the new Gmail connector. | 
| connectionConfiguration | Configuration information for connecting to the Gmail data source. | 
| secretArn | The Amazon Resource Name (ARN) of a Secrets Manager secret that contains the key-value pairs required to connect to your Gmail. The secret must contain a JSON structure with the following keys: <pre>{<br />    "adminAccountEmailId": "${adminAccountEmailId}",<br />    "clientEmailId": "${clientEmailId}",<br />    "privateKey": "${privateKey}"<br />}</pre> | 
| dataEntityConfiguration | Configuration for the types of data entities to crawl. | 
| crawlDraftEmails | A Boolean value to choose whether you want to crawl draft messages. Default is false. | 
| filterConfiguration | Optional filtering configuration for the data source. | 
| maxFileSizeInMegaBytes | Specify the maximum single file size limit in MBs that Amazon Q will crawl. Amazon Q will crawl only the files within the size limit you define. The default file size is 50MB. The maximum file size should be greater than 0MB and less than or equal to 50MB. | 
| startDateFilter | Specify messages to be included from a certain start date onwards. Use ISO 8601 date-time format. | 
| endDateFilter | Specify messages to be included up to a certain end date. Use ISO 8601 date-time format. | 
| deletionProtectionConfiguration | Configuration for deletion protection to prevent accidental data loss. | 
| enableDeletionProtection | A Boolean value to enable deletion protection. When enabled, prevents deletion of more than the specified threshold percentage of documents. | 
| deletionProtectionThreshold | The maximum percentage (1-100) of documents that can be deleted in a single sync. Required when deletion protection is enabled. | 
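The following Python script is an added example, not code from the AWS documentation or from the Amazon Q Business service. It builds a GMAILV2 `configuration` document, checks it against the constraints of the schema above (secret ARN pattern, numeric file size of at most 50 MB, ISO 8601 dates, deletion-protection threshold) before any API call is made, and then creates the data source with boto3. The application ID, index ID, role ARN and secret ARN are placeholders, and the cron sync schedule is an assumed value; boto3 is imported only inside `create_gmail_data_source()`, so the build and validation steps run offline.

```python
"""Build, validate and create a latest-connector (GMAILV2) Gmail data source.

Added example, not AWS documentation code. IDs and ARNs are placeholders.
Assumed: the boto3 qbusiness client's create_data_source accepts the
configuration document as a Python dict.
"""
import re
from datetime import datetime, timezone

# Patterns reproduced from the GMAILV2 schema on this page.
SECRET_ARN_RE = re.compile(
    r"^arn:[a-z0-9.-]{1,63}:[a-z0-9.-]{0,63}:[a-z0-9.-]{0,63}:[a-z0-9.-]{0,63}:[^/].{0,1023}$"
)
THRESHOLD_RE = re.compile(r"^(100|[1-9][0-9]?)$")


def build_gmailv2_config(secret_arn, crawl_drafts=False, max_file_mb=50,
                         start=None, end=None, deletion_threshold=None):
    """Return a GMAILV2 configuration dict; start/end are ISO 8601 strings."""
    config = {
        "type": "GMAILV2",
        "connectionConfiguration": {"secretArn": secret_arn},
        "dataEntityConfiguration": {"crawlDraftEmails": crawl_drafts},
        "filterConfiguration": {"maxFileSizeInMegaBytes": str(max_file_mb)},
    }
    if start:
        config["filterConfiguration"]["startDateFilter"] = start
    if end:
        config["filterConfiguration"]["endDateFilter"] = end
    if deletion_threshold is not None:
        # Stops one sync from dropping more than this percentage of the index,
        # e.g. after a credential or filter change makes the mailbox look empty.
        config["deletionProtectionConfiguration"] = {
            "enableDeletionProtection": True,
            "deletionProtectionThreshold": str(deletion_threshold),
        }
    return config


def _parse_iso(value):
    """Parse an ISO 8601 timestamp; naive values are treated as UTC."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def validate_gmailv2_config(config):
    """Return a list of problems; an empty list means the config satisfies the schema."""
    problems = []
    if config.get("type") != "GMAILV2":
        problems.append("type must be GMAILV2")
    arn = config.get("connectionConfiguration", {}).get("secretArn", "")
    if not SECRET_ARN_RE.match(arn):
        problems.append("secretArn does not match the required ARN pattern")
    if "dataEntityConfiguration" not in config:
        problems.append("dataEntityConfiguration is required")
    filt = config.get("filterConfiguration", {})
    size = filt.get("maxFileSizeInMegaBytes")
    if size is not None and not (str(size).isdigit() and 1 <= int(size) <= 50):
        problems.append("maxFileSizeInMegaBytes must be a digit string from 1 to 50")
    dates = {}
    for key in ("startDateFilter", "endDateFilter"):
        if key in filt:
            try:
                dates[key] = _parse_iso(filt[key])
            except ValueError:
                problems.append(f"{key} is not an ISO 8601 date-time")
    if len(dates) == 2 and dates["startDateFilter"] > dates["endDateFilter"]:
        problems.append("startDateFilter is later than endDateFilter")
    protection = config.get("deletionProtectionConfiguration")
    if protection is not None:
        if not all(k in protection for k in ("enableDeletionProtection", "deletionProtectionThreshold")):
            problems.append("deletionProtectionConfiguration needs both of its keys")
        elif not THRESHOLD_RE.match(str(protection["deletionProtectionThreshold"])):
            problems.append("deletionProtectionThreshold must be a string from 1 to 100")
    return problems


def create_gmail_data_source(application_id, index_id, role_arn, config,
                             region, display_name="gmail-v2"):
    """Validate, then call CreateDataSource and return the new data source ID.
    Needs AWS credentials allowed to call qbusiness:CreateDataSource and to pass role_arn."""
    problems = validate_gmailv2_config(config)
    if problems:
        raise ValueError("; ".join(problems))
    import boto3  # imported here so validation runs without boto3 installed
    client = boto3.client("qbusiness", region_name=region)
    response = client.create_data_source(
        applicationId=application_id,
        indexId=index_id,
        displayName=display_name,
        configuration=config,
        roleArn=role_arn,
        syncSchedule="cron(0 2 * * ? *)",  # assumed value: nightly at 02:00 UTC
    )
    return response["dataSourceId"]


# Constructed placeholder values for the example.
SAMPLE_SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:q-gmail-AbCdEf"
SAMPLE_CONFIG = build_gmailv2_config(
    SAMPLE_SECRET_ARN, crawl_drafts=False, max_file_mb=25,
    start="2024-01-01T00:00:00Z", deletion_threshold=20,
)

if __name__ == "__main__":
    print("problems:", validate_gmailv2_config(SAMPLE_CONFIG) or "none")
    # create_gmail_data_source("app-id", "index-id", "arn:aws:iam::123456789012:role/q-gmail",
    #                          SAMPLE_CONFIG, "us-east-1")
```

Validating locally first means a malformed date or an ARN with a stray `/` is caught before the API rejects it, and a deletion-protection threshold is set on every data source you create rather than left to whoever edits the configuration later.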

# Connecting Amazon Q Business to Gmail using the original connector (API)
<a name="gmail-original-api"></a>

You use the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) action to connect a data source to your Amazon Q application. You can also use the [UpdateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_UpdateDataSource.html) action to modify an existing data source configuration.

Then, you use the `configuration` parameter to provide a JSON blob that conforms to the AWS-defined JSON schema.

For an example of the API request, see [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) and [UpdateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_UpdateDataSource.html) in the Amazon Q API Reference.

## Original Gmail connector JSON schema
<a name="gmail-original-json"></a>

The following is the original Gmail connector JSON schema:

```
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "connectionConfiguration": {
      "type": "object",
      "properties": {
      }
    },
    "repositoryConfigurations": {
      "type": "object",
      "properties": {
        "message": {
          "type": "object",
          "properties": {
            "fieldMappings": {
              "type": "array",
              "items": [
                {
                  "type": "object",
                  "properties": {
                    "indexFieldName": {
                      "type": "string"
                    },
                    "indexFieldType": {
                      "type": "string",
                      "enum": ["STRING", "STRING_LIST", "DATE"]
                    },
                    "dataSourceFieldName": {
                      "type": "string"
                    },
                    "dateFieldFormat": {
                      "type": "string"
                    }
                  },
                  "required": [
                    "indexFieldName",
                    "indexFieldType",
                    "dataSourceFieldName"
                  ]
                }
              ]
            }
          }
        },
        "attachments": {
          "type": "object",
          "properties": {
            "fieldMappings": {
              "type": "array",
              "items": [
                {
                  "type": "object",
                  "properties": {
                    "indexFieldName": {
                      "type": "string"
                    },
                    "indexFieldType": {
                      "type": "string",
                      "enum": ["STRING"]
                    },
                    "dataSourceFieldName": {
                      "type": "string"
                    }
                  },
                  "required": [
                    "indexFieldName",
                    "indexFieldType",
                    "dataSourceFieldName"
                  ]
                }
              ]
            }
          }
        }
      },
      "required": []
    },
    "additionalProperties": {
      "type": "object",
      "properties": {
        "isCrawlAcl": {
          "type": "boolean"
        },
        "fieldForUserId": {
          "type": "string"
        },
        "inclusionLabelNamePatterns": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "exclusionLabelNamePatterns": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "inclusionAttachmentTypePatterns": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "exclusionAttachmentTypePatterns": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "inclusionAttachmentNamePatterns": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "exclusionAttachmentNamePatterns": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "inclusionSubjectFilter": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "exclusionSubjectFilter": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "isSubjectAnd": {
          "type": "boolean"
        },
        "inclusionFromFilter": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "exclusionFromFilter": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "inclusionToFilter": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "exclusionToFilter": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "inclusionCcFilter": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "exclusionCcFilter": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "inclusionBccFilter": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "exclusionBccFilter": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "beforeDateFilter": {
          "anyOf": [
            {
              "type": "string",
              "pattern": "^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z$"
            },
            {
              "type": "string",
              "pattern": ""
            }
          ]
        },
        "afterDateFilter": {
          "anyOf": [
            {
              "type": "string",
              "pattern": "^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z$"
            },
            {
              "type": "string",
              "pattern": ""
            }
          ]
        },
        "isCrawlAttachment": {
          "type": "boolean"
        },
        "shouldCrawlDraftMessages": {
          "type": "boolean"
        },
        "maxFileSizeInMegaBytes": {
          "type": "string"
        }
      },
      "required": [
        "isCrawlAttachment",
        "shouldCrawlDraftMessages"
      ]
    },
    "type" : {
      "type" : "string",
      "pattern": "GMAIL"
    },
    "syncMode": {
      "type": "string",
      "enum": [
        "FORCED_FULL_CRAWL",
        "FULL_CRAWL"
      ]
    },
    "enableIdentityCrawler": {
      "type": "boolean"
    },
    "secretArn": {
      "type": "string",
      "minLength": 20,
      "maxLength": 2048
    },
    "version": {
      "type": "string",
      "anyOf": [
        {
          "pattern": "1.0.0"
        }
      ]
    }
  },
  "required": [
    "connectionConfiguration",
    "repositoryConfigurations",
    "additionalProperties",
    "syncMode",
    "secretArn",
    "type"
  ]
}
```

The following table provides information about important JSON keys to configure.


| Configuration | Description | 
| --- | --- | 
| connectionConfiguration | Configuration information for the endpoint for the data source. | 
| repositoryConfigurations | Configuration information for the content of the data source. For example, configuring specific types of content and field mappings. Specify the type of data source and the secret ARN. | 
|  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/gmail-original-api.html)  |  A list of objects that map the attributes or field names of your Gmail messages and attachments to Amazon Q index field names. | 
| additionalProperties | Additional configuration options for your content in your data source. | 
| isCrawlAcl | Specify true to crawl access control information from documents.  Amazon Q Business crawls ACL information by default to ensure responses are generated only from documents your end users have access to. See [Authorization](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-authorization) for more details.  | 
| fieldForUserId | Specify the field to use as the user ID for ACL crawling. | 
| Subject inclusion and exclusion patterns (nested lists; see the schema above) | A list of regular expression patterns to include or exclude messages with specific subject names in your Gmail data source. Messages that match the patterns are included in the index. If a message matches both an inclusion and an exclusion pattern, the exclusion pattern takes precedence, and the message isn't included in the index. | 
| isSubjectAnd | true to index. | 
| beforeDateFilter | Specify messages and attachments to be included before a certain date.  | 
| afterDateFilter | Specify messages and attachments to be included after a certain date. | 
| isCrawlAttachment | A Boolean value to choose whether you want to crawl attachments. Messages are automatically crawled. | 
| maxFileSizeInMegaBytes | Specify the maximum single file size limit in MBs that Amazon Q will crawl. Amazon Q will crawl only the files within the size limit you define. The default file size is 50MB. The maximum file size should be greater than 0MB and less than or equal to 50MB. | 
| type | The type of data source. Specify GMAIL as your data source type. | 
| shouldCrawlDraftMessages | A Boolean value to choose whether you want to crawl draft messages. | 
| syncMode | Specify whether Amazon Q should update your index by syncing all documents or only new, modified, and deleted documents. The accepted values are those listed in the `syncMode` enum of the schema above. Because there is no API to update permanently deleted Gmail messages, a **New, modified, or deleted content sync** does *not* remove messages that were permanently deleted from Gmail from your Amazon Q index, and does *not* sync changes in Gmail email labels. To sync your Gmail data source label changes and permanently deleted email messages to your Amazon Q index, you must run full crawls periodically. | 
| enableIdentityCrawler | Specify true to use the Amazon Q identity crawler to sync identity/principal information on users and groups with access to specific documents.  Amazon Q Business crawls identity information from your data source by default to ensure responses are generated only from documents end users have access to. For more information, see [Identity crawler](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-identity-crawler).  | 
| secretArn | The Amazon Resource Name (ARN) of a Secrets Manager secret that contains the key-value pairs required to connect to your Gmail instance. The secret must contain a JSON structure with the following keys: <pre>{<br />    "adminAccountEmailId": "${adminAccountEmailId}",<br />    "clientEmailId": "${clientEmailId}",<br />    "privateKey": "${privateKey}"<br />}</pre> | 
| version | The version of the template that's currently supported. | 
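As an added example (not AWS code), the following Python script checks a Gmail data source configuration against the constraints this page states: the required keys, the `GMAIL` type, the `syncMode` enum, the `secretArn` length, the `maxFileSizeInMegaBytes` range, and the `yyyy-MM-ddTHH:mm:ssZ` date format that error GML-5107 expects. The sample configuration is constructed; its ARN and date are placeholders.

```python
"""Added example (not AWS code): check a Gmail data source configuration
against the constraints the schema and the key table above state."""
from datetime import datetime

DATE_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # yyyy-MM-ddTHH:mm:ssZ, per error GML-5107
SYNC_MODES = {"FORCED_FULL_CRAWL", "FULL_CRAWL"}  # the schema's syncMode enum
REQUIRED_TOP = ["connectionConfiguration", "repositoryConfigurations",
                "additionalProperties", "syncMode", "secretArn", "type"]
REQUIRED_ADDITIONAL = ["isCrawlAttachment", "shouldCrawlDraftMessages"]
BOOLEAN_KEYS = ["isCrawlAcl", "isCrawlAttachment", "shouldCrawlDraftMessages",
                "isSubjectAnd"]


def validate_gmail_config(cfg: dict) -> list:
    """Return human-readable problems; an empty list means all checks passed.
    Only constraints visible on this page are enforced; the nested connection
    and repository objects are not inspected."""
    problems = []
    for key in REQUIRED_TOP:
        if key not in cfg:
            problems.append(f"missing required key: {key}")
    if cfg.get("type") != "GMAIL":
        problems.append("type must be GMAIL")
    if cfg.get("syncMode") not in SYNC_MODES:
        problems.append(f"syncMode must be one of {sorted(SYNC_MODES)}")
    arn = cfg.get("secretArn", "")
    if not isinstance(arn, str) or not 20 <= len(arn) <= 2048:
        problems.append("secretArn must be a string of 20 to 2048 characters")
    if "version" in cfg and cfg["version"] != "1.0.0":
        problems.append("version must be 1.0.0")
    if not isinstance(cfg.get("enableIdentityCrawler", True), bool):
        problems.append("enableIdentityCrawler must be a boolean")

    extra = cfg.get("additionalProperties", {})
    for key in REQUIRED_ADDITIONAL:
        if key not in extra:
            problems.append(f"additionalProperties missing required key: {key}")
    for key in BOOLEAN_KEYS:
        if key in extra and not isinstance(extra[key], bool):
            problems.append(f"{key} must be a JSON boolean")
    if "maxFileSizeInMegaBytes" in extra:
        raw = extra["maxFileSizeInMegaBytes"]  # typed as a string in the schema
        try:
            size = float(raw) if isinstance(raw, str) else None
        except ValueError:
            size = None
        if size is None or not 0 < size <= 50:
            problems.append("maxFileSizeInMegaBytes must be a numeric string, "
                            "greater than 0 and at most 50")
    for key in ("beforeDateFilter", "afterDateFilter"):
        if key in extra:
            try:
                datetime.strptime(extra[key], DATE_FORMAT)
            except (TypeError, ValueError):
                problems.append(f"{key} must use the format yyyy-MM-ddTHH:mm:ssZ")
    return problems


SAMPLE_CONFIG = {  # constructed sample; the ARN and date are placeholders
    "connectionConfiguration": {}, "repositoryConfigurations": {},
    "additionalProperties": {"isCrawlAcl": True, "isCrawlAttachment": True,
                             "shouldCrawlDraftMessages": False,
                             "maxFileSizeInMegaBytes": "50",
                             "afterDateFilter": "2024-01-01T00:00:00Z"},
    "type": "GMAIL", "syncMode": "FULL_CRAWL", "enableIdentityCrawler": True,
    "secretArn": "arn:aws:secretsmanager:us-east-1:111122223333:secret:PLACEHOLDER",
    "version": "1.0.0",
}
```

Run `validate_gmail_config(SAMPLE_CONFIG)` before calling `CreateDataSource`; an empty list means the visible constraints are satisfied.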

# How Amazon Q Business connector crawls Gmail ACLs
<a name="gmail-user-management"></a>

Connectors support crawling ACL and identity information where applicable based on the data source. If you index documents without ACLs, all documents are considered public. Indexing documents with ACLs ensures data security.

Amazon Q Business supports crawling ACLs for document security by default.

When you connect a Gmail data source to Amazon Q Business, Amazon Q Business crawls the ACL information attached to a document (user and group information) from your Gmail instance. ACL crawling behavior differs between the two Gmail connector versions.

**Note**  
**ACL behavior by connector version:**  
**Latest connector:** ACL and identity crawling is automatically enabled and cannot be disabled. It applies only to email messages and draft emails; attachments are not supported.
**Legacy connector:** ACL and identity crawling can be manually configured during setup. Applies to both messages and attachments when attachment crawling is enabled.

The legacy Gmail connector for Amazon Q Business crawls two primary content types: messages (the email body along with metadata such as subject, from, or to) and attachments. Each email message (in Sent and Inbox) and each of its attachments is indexed as a separate document with a distinct document ID. Currently, the connector cannot associate an attachment with its parent message, even though attachments inherit permissions from their parent messages.

**Note**  
**Latest connector limitations:** The latest Gmail connector does not support attachment crawling. If your organization requires attachment indexing, use the legacy connector instead.

**Permission Inheritance**: ACLs for messages are set based on user email addresses. **Legacy connector only:** Attachments automatically inherit permissions from parent email messages when attachment crawling is enabled.

**ACL indexing**: Individual user synchronization is supported based on email addresses, and domain-wide access is supported using service account authentication.

**Change Management**: ACL changes are supported in both Full Crawl and Incremental or Change Log modes.

**Failure handling**: The connector implements a fail-closed approach for API failures; rate limiting is handled through a queue-based wait with exponential backoff. When permission issues occur, the affected documents are skipped during ingestion rather than being made publicly accessible.

For more information, see:
+ [Authorization](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-authorization)
+ [Identity crawler](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-identity-crawler)
+ [Understanding User Store](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-principal-store.html)

# Gmail data source connector field mappings
<a name="gmail-field-mappings"></a>

You can improve search results and customize your users' chat experience by mapping document attributes from your Gmail data to fields in your Amazon Q index.

With Amazon Q, you can map two types of attributes to index fields:
+ **Reserved or default** – Reserved attributes are based on document attributes that commonly occur in most data. You can use reserved attributes to map commonly occurring document attributes in your data source to Amazon Q index fields.
+ **Custom** – You can create custom attributes to map document attributes that are unique to your data to Amazon Q index fields.

When you connect Amazon Q to a data source, Amazon Q automatically maps specific data source document attributes to fields within an Amazon Q index. If a document attribute in your data source doesn't have an attribute mapping already available, or if you want to map additional document attributes to index fields, you can use custom field mappings to specify how a data source attribute maps to an Amazon Q index field. You create field mappings by editing your data source after you create your application and retriever.

To learn more about document attributes and how they work in Amazon Q, see [Document attributes and types in Amazon Q](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/doc-attributes.html).

**Important**  
Filtering using document attributes in chat is only supported through the API.

The Amazon Q Gmail connector supports the following entities and the associated reserved and custom attributes.

**Topics**
+ [Messages](#gmail-field-mappings-messages)

## Messages
<a name="gmail-field-mappings-messages"></a>


| Gmail field name | Index field name | Description | Data type | 
| --- | --- | --- | --- | 
| category | \_category | Default | String | 
| internalDate | \_created\_at | Default | Date | 
| id | gmail\_message\_id | Custom | String | 
| labelIds | gmail\_message\_label\_ids | Custom | String list | 
| historyId | gmail\_message\_history\_id | Custom | String | 
| subject | gmail\_subject | Custom | String | 
| from | gmail\_from | Custom | String | 
| to | gmail\_to | Custom | String list | 
| cc | gmail\_cc | Custom | String list | 
| bcc | gmail\_bcc | Custom | String list | 

**Note**  
**Original connector only:** Field mappings are only available when using the original Gmail connector. The new connector uses optimized default field mappings that cannot be customized.

# IAM role for Amazon Q Business Gmail connector
<a name="gmail-iam-role"></a>

**Note**  
**Applies to both connector versions:** The IAM role requirements are the same for both the new and original Gmail connectors. However, the new connector automatically handles VPC configurations, while the original connector allows manual VPC setup.

If you use the AWS CLI or an AWS SDK, you must create an AWS Identity and Access Management (IAM) policy before you create an Amazon Q resource. When you call the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) operation, you provide the Amazon Resource Name (ARN) of the role that has the policy attached.

If you use the AWS Management Console, you can create a new IAM role in the Amazon Q console or use an existing IAM role.

To learn more about IAM roles, see [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) in the *AWS Identity and Access Management User Guide*.

To connect your data source connector to Amazon Q, you must give Amazon Q an IAM role that has the following permissions:
+ Permission to access the `BatchPutDocument` and `BatchDeleteDocument` operations to ingest documents.
+ Permission to access the [User Store](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-principal-store.html) API operations to ingest user and group access control information from documents.
+ Permission to access your AWS Secrets Manager secret to authenticate your data source connector instance.
+ **(Optional)** If you're using Amazon VPC, permission to access your Amazon VPC.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsAmazonQToGetSecret",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
      ]
    },
    {
      "Sid": "AllowsAmazonQToDecryptSecret",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
      ],
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "secretsmanager.*.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "AllowsAmazonQToIngestDocuments",
      "Effect": "Allow",
      "Action": [
        "qbusiness:BatchPutDocument",
        "qbusiness:BatchDeleteDocument"
      ],
      "Resource": [
        "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}",
        "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}/index/{{index_id}}"
      ]
    },
    {
      "Sid": "AllowsAmazonQToIngestPrincipalMapping",
      "Effect": "Allow",
      "Action": [
        "qbusiness:PutGroup",
        "qbusiness:CreateUser",
        "qbusiness:DeleteGroup",
        "qbusiness:UpdateUser",
        "qbusiness:ListGroups"
      ],
      "Resource": [
        "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}",
        "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}",
        "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}/data-source/*"
      ]
    },
    {
      "Sid": "AllowsAmazonQToCreateAndDeleteNI",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": [
        "arn:aws:ec2:{{region}}:{{account_id}}:subnet/[[subnet_ids]]",
        "arn:aws:ec2:{{region}}:{{account_id}}:security-group/[[security_group]]"
      ]
    },
    {
      "Sid": "AllowsAmazonQToCreateAndDeleteNIForSpecificTag",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/AMAZON_Q": "qbusiness_{{account_id}}_{{application_id}}_*"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "AMAZON_Q"
          ]
        }
      }
    },
    {
      "Sid": "AllowsAmazonQToCreateTags",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "CreateNetworkInterface"
        }
      }
    },
    {
      "Sid": "AllowsAmazonQToCreateNetworkInterfacePermission",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterfacePermission"
      ],
      "Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/AMAZON_Q": "qbusiness_{{account_id}}_{{application_id}}_*"
        }
      }
    },
    {
      "Sid": "AllowsAmazonQToDescribeResourcesForVPC",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeNetworkInterfaceAttribute",
        "ec2:DescribeVpcs",
        "ec2:DescribeRegions",
        "ec2:DescribeNetworkInterfacePermissions",
        "ec2:DescribeSubnets"
      ],
      "Resource": "*"
    }
  ]
}
```

**To allow Amazon Q to assume a role, you must also use the following trust policy:**

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsAmazonQServicePrincipal",
      "Effect": "Allow",
      "Principal": {
        "Service": "qbusiness.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "{{source_account}}"
        },
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"
        }
      }
    }
  ]
}
```

For more information on Amazon Q data source connector IAM roles, see [IAM roles for Amazon Q data source connectors](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/iam-roles.html#iam-roles-ds).
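As an added example (not AWS code), the following Python checks review a connector role's trust and permissions policies for the safeguards the policies above carry: the `aws:SourceAccount` and `aws:SourceArn` conditions on the trust policy, no `Resource` of `*` outside the `ec2:Describe*` statement, and the `kms:ViaService` condition on `kms:Decrypt`. The sample policies are constructed and deliberately weakened; the account, region and key id are placeholders.

```python
"""Added example (not AWS code): review a connector role's trust and
permissions policies for the safeguards the policies above carry."""


def _statements(policy: dict) -> list:
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _condition_keys(stmt: dict) -> set:
    # Flatten {"StringEquals": {"aws:SourceAccount": ...}} into its key names.
    return {key for operator in stmt.get("Condition", {}).values() for key in operator}


def review_trust_policy(policy: dict) -> list:
    """Flag sts:AssumeRole grants that lack the aws:SourceAccount and
    aws:SourceArn conditions; without them, an Amazon Q Business application
    in another account could assume the role (the confused-deputy problem)."""
    findings = []
    for s in _statements(policy):
        if s.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(s.get("Action")):
            continue
        principal = s.get("Principal")
        service = principal.get("Service") if isinstance(principal, dict) else principal
        if service != "qbusiness.amazonaws.com":
            findings.append(f"{s.get('Sid')}: principal is not qbusiness.amazonaws.com")
        keys = _condition_keys(s)
        for required in ("aws:SourceAccount", "aws:SourceArn"):
            if required not in keys:
                findings.append(f"{s.get('Sid')}: missing {required} condition")
    return findings


def review_permissions_policy(policy: dict) -> list:
    """Flag Resource '*' outside the ec2:Describe* statement and a kms:Decrypt
    grant that is not restricted to calls made via Secrets Manager."""
    findings = []
    for s in _statements(policy):
        actions = _as_list(s.get("Action"))
        if "*" in _as_list(s.get("Resource")) and not all(
                a.startswith("ec2:Describe") for a in actions):
            findings.append(f"{s.get('Sid')}: Resource '*' granted for {actions}")
        if "kms:Decrypt" in actions and "kms:ViaService" not in _condition_keys(s):
            findings.append(f"{s.get('Sid')}: kms:Decrypt without kms:ViaService condition")
    return findings


# Constructed samples that deliberately omit the safeguards; the account,
# region and key id are placeholders.
WEAK_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowsAmazonQServicePrincipal", "Effect": "Allow",
    "Principal": {"Service": "qbusiness.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}

WEAK_PERMISSIONS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowsAmazonQToGetSecret", "Effect": "Allow",
     "Action": ["secretsmanager:GetSecretValue"], "Resource": "*"},
    {"Sid": "AllowsAmazonQToDecryptSecret", "Effect": "Allow",
     "Action": ["kms:Decrypt"],
     "Resource": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER_KEY_ID"},
    {"Sid": "AllowsAmazonQToDescribeResourcesForVPC", "Effect": "Allow",
     "Action": ["ec2:DescribeSubnets", "ec2:DescribeVpcs"], "Resource": "*"}]}
```

Running both reviewers over the policies shown on this page returns no findings; over the weakened samples they report the missing source conditions, the wildcard secret resource, and the unconditioned decrypt grant.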

# Understand error codes in the Amazon Q Business Gmail connector
<a name="gmail-error-codes"></a>

The following table provides information about error codes you may see for the Gmail connector and suggested resolutions.


| Error code | Error message | Suggested resolution | 
| --- | --- | --- | 
| GML-5001 | There was a problem while retrieving directory. | There was a problem while retrieving directory because of incorrect credentials. Provide correct credentials and try again. | 
| GML-5002 | There was a problem while retrieving user specific Gmail object. | There was a problem while retrieving user specific Gmail object because of incorrect credentials. Provide correct credentials and try again. | 
| GML-5003 | Connection lost - A problem occurred while validating credentials. | Connection was lost due to invalid credentials. Provide correct credentials and try again. | 
| GML-5004 | There was a problem while retrieving the user list because the API was not responding. | There was a problem while retrieving the user list because the API was not responding. Try again. | 
| GML-5100 | There was a problem while retrieving repository configurations. Repository configurations may be empty or incorrect. | Repository configurations should not be empty or incorrect. Provide valid details for repository configurations. | 
| GML-5101 | There was a problem while retrieving message entity from repository configurations. No message entity found in repository configurations. | Message entity should not be empty. Check if message entity is present in repository configurations and provide the same if not present. | 
| GML-5102 | There was a problem while retrieving attachment entity from repository configurations. No attachment entity found in repository configurations. | Attachment entity should not be empty. Check if attachment entity is present in repository configurations and provide the same if not present. | 
| GML-5103 | There was a problem while retrieving field mappings for message entity from repository configurations. Field mappings may be empty or incorrect. | Field mappings should not be empty or incorrect. Provide proper field mappings for message entity in repository configurations. | 
| GML-5104 | There was a problem while retrieving field mappings for attachment entity from repository configurations. Field mappings may be empty or incorrect. | Field mappings should not be empty or incorrect. Provide proper field mappings for the attachment entity in repository configurations. | 
| GML-5105 | There was a problem while retrieving field mapping values for message entity. Field mapping values may be empty or incorrect. | Field mappings values should not be empty or incorrect. Provide proper field mapping values for message entity in repository configurations. | 
| GML-5106 | There was a problem while retrieving field mapping values for attachment entity. Field mapping values may be empty or incorrect. | Field mapping values should not be empty or incorrect. Provide proper field mapping values for the attachment entity in repository configurations. | 
| GML-5107 | There was a problem while parsing before/after date filter value. Before/After date format may be incorrect. | Provide the before/after date in the correct format, for example `yyyy-MM-ddTHH:mm:ssZ`. | 
| GML-5108 | There was a problem while retrieving client email id. Client email id may be empty or incorrect. | The client email id should not be empty or incorrect. Provide correct client email id. | 
| GML-5109 | There was a problem while retrieving admin account email id. Admin account email id may be empty or incorrect. | The admin account email id should not be empty or incorrect. Provide correct admin account email id. | 
| GML-5110 | There was a problem while retrieving private key. Private key may be empty or incorrect. | The private key should not be empty or incorrect. Provide correct private key. | 
| GML-5111 | One or more of the provided filter regex are invalid. | Provide correct regex value in filter fields. | 
| GML-5200 | There was a problem while retrieving Gmail items. | There was a problem while retrieving Gmail items because user is not provided. Ensure that user is not empty. | 
| GML-5201 | There was a problem while retrieving the message body because the API was not responding. | There was a problem while retrieving the message body because the API was not responding. Try again. | 
| GML-5202 | There was a problem while retrieving the message subject because the API was not responding. | There was a problem while retrieving the message subject because the API was not responding. Try again. | 
| GML-5203 | There was a problem while retrieving the attachment because the API was not responding. | There was a problem while retrieving the attachment because the API was not responding. Try again. | 
| GML-5204 | There was a problem while retrieving the message metadata because the API was not responding. | There was a problem while retrieving the message metadata because the API was not responding. Try again. | 
| GML-5205 | There was a problem while retrieving the attachment metadata because the API was not responding. | There was a problem while retrieving the attachment metadata because the API was not responding. Try again. | 
| GML-5206 | There was a problem while retrieving the message because the API was not responding. | There was a problem while retrieving the message because the API was not responding. Try again. | 
| GML-5500 | Connection timed out - API is not responding. The threshold number of API calls has been exceeded. | Timeout exception occurred due to API not responding. The threshold number of API hits has been exceeded. Try again. | 