# Connecting Slack to Amazon Q Business
Slack is an enterprise communications app that lets users send messages and attachments through various public and private channels. You can connect your Slack instance to Amazon Q Business—using either the AWS Management Console, CLI, or the [https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) API—and create an Amazon Q web experience.
**Topics**
+ [Known limitations for the Slack connector](slack-limitations.md)
+ [Slack connector overview](slack-overview.md)
+ [Prerequisites for connecting Amazon Q Business to Slack](slack-prereqs.md)
+ [Setting up Slack for connecting to Amazon Q](slack-credentials.md)
+ [Connecting Amazon Q Business to Slack using the console](slack-console.md)
+ [Connecting Amazon Q Business to Slack using APIs](slack-api.md)
+ [Connecting Amazon Q Business to Slack using AWS CloudFormation](slack-cfn.md)
+ [How Amazon Q Business connector crawls Slack ACLs](slack-user-management.md)
+ [Slack data source connector field mappings](slack-field-mappings.md)
+ [IAM role for the Slack connector](slack-iam-role.md)
**Learn more**
+ For an overview of the Amazon Q web experience creation process using IAM Identity Center, see [Configuring an application using IAM Identity Center](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/create-application.html).
+ For an overview of the Amazon Q web experience creation process using AWS Identity and Access Management, see [Configuring an application using IAM](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/create-application-iam.html).
+ For an overview of connector features, see [Data source connector concepts](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html).
+ For information about connector configuration best practices, see [Connector configuration best practices](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-best-practices.html).
# Known limitations for the Slack connector
The Slack connector has the following known limitations:
+ Due to API limitations, the Amazon Q Slack connector can only retrieve a maximum of 100 pages, with 100 files per page. Given this limitation, the Slack connector can only crawl a maximum of 10,000 files per channel.
# Slack connector overview
The following table gives an overview of the Amazon Q Business Slack connector and its supported features.
****
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/slack-overview.html)
# Prerequisites for connecting Amazon Q Business to Slack
Before you begin, make sure that you have completed the following prerequisites.
**In Slack, make sure you have:**
+ Created a Slack Bot User OAuth token or Slack User OAuth token. You can choose either token to connect Amazon Q to your Slack data source. See [Slack documentation on access tokens](https://api.slack.com/authentication/token-types) for more information.
**Note**
If you use the bot token as part of your Slack credentials, you cannot index direct messages and group messages. You must add the bot token to the channel you want to index.
+ Noted your Slack workspace team ID from your Slack workspace main page URL. For example, *https://app.slack.com/client/T0123456789/... * where *T0123456789* is the team ID.
+ Added the required OAuth scopes/ read permissions. See [Setting up Slack](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/slack-credentials.html) for more details.
**In your AWS account, make sure you have:**
+ Created a Amazon Q Business application.
+ Created a [Amazon Q Business retriever and added an index](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/select-retriever.html).
+ Created an [IAM role](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/iam-roles.html#iam-roles-ds) for your data source and, if using the Amazon Q API, noted the ARN of the IAM role.
+ Stored your Slack authentication credentials in an AWS Secrets Manager secret and, if using the Amazon Q API, noted the ARN of the secret.
**Note**
If you’re a console user, you can create the IAM role and Secrets Manager secret as part of configuring your Amazon Q application on the console.
For a list of things to consider while configuring your data source, see [ Data source connector configuration best practices](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-best-practices.html).
**Note**
For more information on connecting Slack to Amazon Q Business, see [Unlock the knowledge in your Slack workspace with Slack connector for Amazon Q Business](https://aws.amazon.com/blogs/machine-learning/unlock-the-knowledge-in-your-slack-workspace-with-slack-connector-for-amazon-q-business/) in the *AWS Machine Learning Blog*.
# Setting up Slack for connecting to Amazon Q
Before you connect Slack to Amazon Q, you need to create and retrieve the Slack credentials you will use to connect Slack to Amazon Q. You will also need to add any permissions needed by Slack to connect to Amazon Q.
The following procedure gives you an overview of how to configure Slack for connecting with Amazon Q.
**Configuring Slack authentication for Amazon Q**
1. Log in to your [Slack account](https://slack.com/signin) and sign into your Slack workspace.
**Note**
To configure Slack for Amazon Q, you must be an admin user in the Slack account.
1. From the workspace menu, select **Tools and settings** and then select **Manage apps**.
![\[Screenshot of the Slack workspace menu showing how to access the App Directory to create a new app for integration.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/slack-1.png)
1. From the **Slack App Directory** menu, select **Build**.
![\[Screenshot of the Slack App Directory menu with the "Build" option highlighted, which is used to create a new app for integration.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/slack-2.png)
1. On the **Your Apps** page, select **Create an App**.
![\[Screenshot of the Slack "Your Apps" page showing the "Create an App" button that users need to click to begin creating a new Slack app.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/slack-3.png)
1. On the **Create an app** page, select **From scratch**.
![\[Screenshot of the Slack "Create an app" page showing the "From scratch" option that allows users to create a new app from the beginning.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/slack-4.png)
1. In the **Name app & choose workspace** dialog box that opens, add an **App name** and **Pick a workspace to deploy your app in**. Then select **Create App**.
![\[Screenshot of the "Name app & choose workspace" dialog box where users enter an app name and select a workspace for deployment.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/slack-11.png)
1. On the **Basic Information** page, from the **Settings** menu, select **OAuth & Permissions**.
![\[Screenshot of the Slack app's "Basic Information" page with the "OAuth & Permissions" option highlighted in the Settings menu.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/slack-5.png)
1. On the **OAuth & Permissions** page, go to **Scopes**, and then do the following based on whether you want to use a Bot Token to connect Slack to Amazon Q, or a User Token:
**Important**
If you use the bot token as part of your Slack credentials, you cannot index direct messages and group messages, and you must add the bot token to the channel you want to index. For information on Slack token types, see [Token types](https://api.slack.com/authentication/token-types) in Slack API.
+ Add the following **Bot Token Scopes**:
![\[Screenshot of the Slack "OAuth & Permissions" page showing the Bot Token Scopes section where users can add permission scopes for the bot.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/slack-6.png)
+ `channels:history` – View messages and other content in public channels that your app has been added to
+ `channels:manage` – Manage public channels that your app has been added to and create new ones
+ `channels:read` – View basic information about public channels in a workspace
+ `conversations.connect:manage` – Receive Slack Connect invite events sent to the channels your app is in
+ `conversations.connect:read` – Receive Slack Connect invite events sent to the channels your app is in
+ `files:read` – View files shared in channels and conversations that your app has been added to
+ `groups:history` – View messages and other content in private channels that your app has been added to
+ `groups:read` – View basic information about private channels that your app has been added to
+ `im:history` – View messages and other content in direct messages that your app has been added to
+ `im:read` – View basic information about direct messages that your app has been added to
+ `mpim:history` – View messages and other content in group direct messages that your app has been added to
+ `mpim:read` – View basic information about group direct messages that your app has been added to
+ `reactions:read` – View emoji reactions and their associated content in channels and conversations that your app has been added to
+ `team:read` – View the name, email domain, and icon for workspaces your app is connected to
+ `usergroups:read` – Create and manage user groups
+ `users.profile:read` – View profile details about people in a workspace
+ `users:read` – View people in a workspace
+ `users:read.email` – View email addresses of people in a workspace
+ Add the following **User Token Scopes**:
![\[Screenshot of the Slack "OAuth & Permissions" page showing the User Token Scopes section where users can add permission scopes for user-level access.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/slack-7.png)
+ `channels:history` – View messages and other content in a user’s public channels
+ `channels:read` – View basic information about public channels in a workspace
+ `emoji:read` – View custom emoji in a workspace
+ `files:read` – View files shared in channels and conversations that a user has access to
+ `groups:history` – View messages and other content in a user’s private channels
+ `groups:read` – View basic information about a user’s private channels
+ `im:history` – View messages and other content in a user’s direct messages
+ `im:read` – View basic information about a user’s direct messages
+ `mpim:history` – View messages and other content in a user’s group direct messages
+ `mpim:read` – View basic information about a user’s group direct messages
+ `team:read` – View the name, email domain, and icon for workspaces a user is connected to
+ `users.profile:read` – View profile details about people in a workspace
+ `users:read.email` – View email addresses of people in a workspace
+ `users:read` – View people in a workspace
1. Then, scroll to **OAuth Tokens** section, and choose **Install to Workspace**.
![\[Screenshot of the Slack "OAuth & Permissions" page showing the "Install to Workspace" button that users need to click to install the app to their workspace.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/slack-8.png)
1. On the dialog box that opens up informing you that the app that you created is requesting permission to access the Slack workspace you wanted to connect it to, select **Allow**.
![\[Screenshot of the Slack permission request dialog box asking for authorization to access the workspace, with an "Allow" button for users to grant permissions.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/slack-9.png)
On successful completion, the console will display a **OAuth Tokens** screen.
1. From the **OAuth Tokens** screen, copy and save the OAuth token you will use to connect to Amazon Q—either **User OAuth Token** or **Bot User OAuth Token**. You input this as **Slack token** when you connect to Amazon Q.
![\[Screenshot of the Slack "OAuth Tokens" screen displaying the generated OAuth tokens that need to be copied for connecting to Amazon Q Business.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/slack-10.png)
1. Next, you retrieve your Slack team ID. You need this to connect to Amazon Q.
From the Slack workspace menu, select **Tools and settings** and then select **Manage apps**. You'll find your team ID in the URL of the page that opens.
![\[alt text not found\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/slack-1.png)
![\[Screenshot showing the URL of the Slack workspace management page with the team ID highlighted, which is needed for connecting to Amazon Q Business.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/slack-12.png)
You now have the Slack Team ID and Slack token you need to connect to Amazon Q.
# Connecting Amazon Q Business to Slack using the console
The following procedure outlines how to connect Amazon Q Business to Slack using the AWS Management Console.
**Connecting Amazon Q to Slack**
1. Sign in to the AWS Management Console and open the Amazon Q Business console.
1. From the left navigation menu, choose **Data sources**.
1. From the **Data sources** page, choose **Add data source**.
1. Then, on the **Add data sources** page, from **Data sources**, add the **Slack** data source to your Amazon Q application.
1. Then, on the **Slack** data source page, enter the following information:
1. **Name and description**, do the following:
+ For **Data source name** – Name your data source for easy tracking.
**Note**
You can include hyphens (-) but not spaces. Maximum of 1,000 alphanumeric characters.
+ **Description – *optional*** – Add an optional description for your data source. This text is viewed only by Amazon Q Business administrators and can be edited later.
1. In **Source**, **Slack workspace team ID** – The team ID of your Slack workspace.
1. **Authorization** – Amazon Q Business crawls ACL information by default to ensure responses are generated only from documents your end users have access to. If supported for your connector, you can manage ACLs by selecting ** Enable ACLs ** to enable ACLs or **Disable ACLs** to disable them. To manage ACLs, you need specific IAM permissions. See [Grant permission to create data sources with ACLs disabled](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/setting-up.html#DisableAclOnDataSource) for more details. See [Authorization](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-authorization) for more details.
1. **Authentication** – Enter the following information for your **AWS Secrets Manager secret**.
1. **Secret name** – A name for your secret.
1. For **Slack token** – Enter the authentication credential values you created in your Slack account.
1. **Configure VPC and security group – *optional*** – Choose whether you want to use a VPC. If you do, enter the following information:
1. **Subnets** – Select up to 6 repository subnets that define the subnets and IP ranges the repository instance uses in the selected VPC.
1. **VPC security groups** – Choose up to 10 security groups that allow access to your data source. Ensure that the security group allows incoming traffic from Amazon EC2 instances and devices outside your VPC. For databases, security group instances are required.
For more information, see [VPC](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-vpc).
1. **IAM role** – Choose an existing IAM role or create an IAM role to access your repository credentials and index content.
**Note**
Creating a new service IAM role is recommended.
For more information, see [IAM role](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/slack-connector.html#slack-iam).
1. In **Sync scope**, enter the following information:
1. **Select type of content to crawl** – Select any combination of **All channels**, **Public channels**, **Private channels**, **Group messages**, and **Private messages**.
1. **Select crawl start date** – Choose the date from which the Amazon Q connector will start crawling content.
1. For **Maximum file size** – Specify the file size limit in MBs that Amazon Q will crawl. Amazon Q will crawl only the files within the size limit you define. The default file size is 50MB. The maximum file size should be greater than 0MB and less than or equal to 50MB.
1. **Additional configuration – optional** – Configure the following settings:
+ In **Channels** (available only if you've chosen to crawl **Channels**), do the following:
+ **Channel ID/Name** – Choose between **Channel ID** and **Channel Name**.
**Note**
You can choose to configure both.
+ For **Channel ID** – Enter the **Channel ID**. The **Channel ID** filter applies to both public and private channels.
+ For **Channel Name** – Choose the **Channel type** and enter the **Channel name**. You can select between **Public channel** and **Private channel**.
**Note**
If you choose to configure filters for both **Channel ID** and **Channel Name**, the Amazon Q Slack connector will prioritize channel IDs over channel names.
If you choose to configure filters for either **Channel ID** or **Channel Name**, the Amazon Q Slack connector will ignore **Private** and **Group** messages even if you've chosen to crawl private and group messages in **Sync scope**.
+ In **Messages**, for **Select sync scope for content** – Choose to **Include bot messages**, and/or **Include archived messaged**.
+ **Regex patterns** – Add regex patterns to include or exclude file names or file types. You can add a total of 100 patterns. Examples of regex patterns include:
+ **File type** – .pdf, .docx
+ **File name** – Hello\$1.txt, TestFile.\$1
1. **Multi-media content configuration – optional** – To enable content extraction from embedded images and visuals in documents, choose **Visual content in documents**.
To extract audio transcriptions and video content, enable processing for the following file types:
1. **Advanced settings**
**Document deletion safeguard** - *optional*–To safeguard your documents from deletion during a sync job, select **On** and enter an integer between 0 - 100. If the percentage of documents to be deleted in your sync job exceeds the percentage you selected, the delete phase will be skipped and no documents from this data source will be deleted from your index. For more information, see [Document deletion safeguard](connector-concepts.md#document-deletion-safeguard).
1. For **Sync mode**, choose how you want to update your index when your data source content changes. When you sync your data source with Amazon Q for the first time, all content is synced by default.
+ **Full sync**—Sync all content regardless of the previous sync status.
+ **New, modified, or deleted content sync**—Sync only new, modified, and deleted documents.
1. In **Sync run schedule**, for **Frequency** – Choose how often Amazon Q will sync with your data source. For more details, see [Sync run schedule](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-sync-run). To learn how to start a data sync job, see [Starting data source connector sync jobs](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/supported-datasource-actions.html#start-datasource-sync-jobs).
1. **Tags - *optional*** – Add tags to search and filter your resources or track your AWS costs. See [Tags](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/tagging.html) for more details.
1. **Field mappings** – A list of data source document attributes to map to your index fields.
**Note**
Add or update the fields from the **Data source details** page after you finish adding your data source. You can choose from two types of fields:
1. **Default** – Automatically created by Amazon Q on your behalf based on common fields in your data source. You can't edit these.
1. **Custom** – Automatically created by Amazon Q on your behalf based on common fields in your data source. You can edit these. You can also create and add new custom fields.
**Note**
Support for adding custom fields varies by connector. You won't see the **Add field** option if your connector doesn't support adding custom fields.
For more information, see [Field mappings](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-field-mappings).
1. In **Data source details**, choose **Sync now** to allow Amazon Q to begin syncing (crawling and ingesting) data from your data source. When the sync job finishes, your data source is ready to use.
**Note**
View CloudWatch logs for your data source sync job by selecting **View CloudWatch logs**. If you encounter a `Resource not found exception` error, wait and try again as logs may not be available immediately.
You can also view a detailed document-level report by selecting **View Report**. This report shows the status of each document during the crawl, sync, and index stages, including any errors. If the report is empty for an in-progress job, check back later as data is emitted to the report as events occur during the sync process.
For more information, see [Troubleshooting data source connectors](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/troubleshooting-data-sources.html#troubleshooting-data-sources-not-indexed).
# Connecting Amazon Q Business to Slack using APIs
You use the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) action to connect a data source to your Amazon Q application. You can also use the [UpdateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_UpdateDataSource.html) action to modify an existing data source configuration.
Then, you use the `configuration` parameter to provide a JSON blob that conforms the AWS-defined JSON schema.
For an example of the API request, see [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) and [UpdateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_UpdateDataSource.html) in the Amazon Q API Reference.
**Topics**
+ [Slack configuration properties](#slack-configuration-keys)
+ [Slack JSON schema](#slack-json)
+ [Slack JSON schema example](#s3-api-json-example)
## Slack configuration properties
The following provides information about important configuration properties required in the schema.
| Configuration | Description | Type | Required |
| --- | --- | --- | --- |
| `connectionConfiguration` | Configuration information for the endpoint for the data source. | `object` This property has the following sub-property: `repositoryEndpointMetadata`. | Yes |
| `repositoryEndpointMetadata` | The endpoint information for the data source. | `object` This property has the following sub-property: `teamId`. | Yes |
| `teamId` | The Slack team ID you copied from your Slack main page URL. | `string` | Yes |
| `repositoryConfigurations` | Configuration information for the content of the data source. For example, configuring specific types of content and field mappings. | `object` This property has the following sub-property: `All`. | No |
| `All` | A list of objects that map the attributes or field names of your Slack pages and assets to Amazon Q index field names. | `object` This property has the following sub-properties: `indexFieldName`, `indexFieldType`, `dataSourceFieldName`, and `dateFieldFormat`. | Yes |
| `indexFieldName` | The field name of your Slack pages and assets. | `string` | Yes |
| `indexFieldType` | The field type of your Slack pages and assets. | `string` The allowed values are `STRING`, `STRING_LIST`, and `DATE`. | Yes |
| `dataSourceFieldName` | The data source field name of your Slack pages and assets. | `string` | Yes |
| `dateFieldFormat` | The date format of your Slack pages and assets. | `string` Specify the date format in the form `yyyy-MM-dd'T'HH:mm:ss'Z'` | No |
| `additionalProperties` | Additional configuration options for your content in your data source. | `object` This property has the following sub-properties. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/slack-api.html) | Yes |
| `isCrawlAcl` | Specify true to crawl access control information from documents. Amazon Q Business crawls ACL information by default to ensure responses are generated only from documents your end users have access to. See [Authorization](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-authorization) for more details. | `boolean` | No |
| `maxFileSizeInMegaBytes` | Specify the maximum single file size limit in MBs that Amazon Q will crawl. Amazon Q will crawl only the files within the size limit you define. The default file size is 50MB. The maximum file size should be greater than 0MB and less than or equal to 50MB. | `string` | No |
| `fieldForUserId` | Specify field to use for UserId for ACL crawling. | `string` | No |
| `inclusionPatterns` | A list of regular expression patterns to include specific content in your Slack data source. Content that matches the patterns are included in the index. Content that doesn't match the patterns are excluded from the index. If any content matches both an inclusion and exclusion pattern, the exclusion pattern takes precedence, and the content isn't included in the index. | `array` | No |
| `exclusionPatterns` | A list of regular expression patterns to exclude specific content in your Slack data source. Content that matches the patterns are excluded from the index. Content that doesn't match the patterns are included in the index. If any content matches both an inclusion and exclusion pattern, the exclusion pattern takes precedence, and the content isn't included in the index. | `array` | No |
| `crawlBotMessages` | `true` to crawl Slack bot messages. | `boolean` | No |
| `excludeArchived` | `true` to exclude archived messages from crawl. | `boolean` | No |
| `conversationType` | The type of conversation that you want to index. | `string` Valid values are `PUBLIC_CHANNEL`, `PRIVATE_CHANNEL`, `GROUP_MESSAGE`, and `DIRECT_MESSAGE`. | No |
| `channelFilter` | The type of channel that you want to index whether private\$1channel or public\$1channel. | `object` This property has the following sub-properties: `private_channel` and `public_channel`. | No |
| `private_channel` | The IDs of the private channel that you want to index. | `array` | No |
| `public_channel` | The IDs of public channel that you want to index. | `array` | No |
| `channelIdFilter` | You can choose to crawl specific channels vy channel ID using the channelIdFilter. | `array` | No |
| `sinceDate` | You can choose to configure a sinceDate parameter so that the Slack connector crawls content based on a specific sinceDate. | `string` Specify the date in the form `^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z$` or as an empty string. | No |
| `lookBack` | You can choose to configure a lookBack parameter so that the Slack connector crawls lookBack content. | `string` Specify the value in the form `^[0-9]*$`. | No |
| `syncMode` | Specify whether Amazon Q should update your index by syncing all documents or only new, modified, and deleted documents. | `string` You can choose between the following options: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/slack-api.html) | Yes |
| `type` | The type of data source. Specify SLACK as your data source type. | `string` | Yes |
| `enableIdentityCrawler` | Specify true to use the Amazon Q identity crawler to sync identity/principal information on users and groups with access to specific documents. Amazon Q Business crawls identity information from your data source by default to ensure responses are generated only from documents end users have access to. For more information, see [Identity crawler](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-identity-crawler). | `boolean` | Yes |
| `secretArn` | The Amazon Resource Name (ARN) of an AWS Secrets Manager secret that contains the key-value pairs required to connect to your Slack. | `string` The secret must contain a JSON structure with the following keys: {
"slackToken": "token"
} | Yes |
| `version` | The version of this template that's currently supported. | `string` | No |
## Slack JSON schema
The following is the Slack JSON schema:
```
{
"type": "object",
"properties": {
"type": {
"type": "string",
"pattern": "SLACK"
},
"syncMode": {
"type": "string",
"enum": ["FORCED_FULL_CRAWL", "FULL_CRAWL", "CHANGE_LOG"]
},
"secretArn": {
"type": "string"
},
"enableIdentityCrawler": {
"anyOf": [
{
"type": "boolean"
},
{
"type": "string",
"enum": ["true", "false"]
}
]
},
"connectionConfiguration": {
"type": "object",
"properties": {
"repositoryEndpointMetadata": {
"type": "object",
"properties": {
"teamId": {
"type": "string"
}
},
"required": ["teamId"]
}
}
},
"repositoryConfigurations": {
"type": "object",
"properties": {
"All": {
"type": "object",
"properties": {
"fieldMappings": {
"type": "array",
"items": [
{
"type": "object",
"properties": {
"indexFieldName": {
"type": "string"
},
"indexFieldType": {
"type": "string",
"enum": ["STRING", "STRING_LIST", "DATE", "LONG"]
},
"dataSourceFieldName": {
"type": "string"
},
"dateFieldFormat": {
"type": "string",
"pattern": "yyyy-MM-dd'T'HH:mm:ss'Z'"
}
},
"required": [
"indexFieldName",
"indexFieldType",
"dataSourceFieldName"
]
}
]
}
},
"required": ["fieldMappings"]
}
},
"required": []
},
"additionalProperties": {
"type": "object",
"properties": {
"isCrawlAcl": {
"anyOf": [
{
"type": "boolean"
},
{
"type": "string",
"enum": ["true", "false"]
}
]
},
"maxFileSizeInMegaBytes": {
"type": "string"
},
"fieldForUserId": {
"type": "string"
},
"exclusionPatterns": {
"type": "array",
"items": {
"type": "string"
}
},
"inclusionPatterns": {
"type": "array",
"items": {
"type": "string"
}
},
"crawlBotMessages": {
"anyOf": [
{
"type": "boolean"
},
{
"type": "string",
"enum": ["true", "false"]
}
]
},
"excludeArchived": {
"anyOf": [
{
"type": "boolean"
},
{
"type": "string",
"enum": ["true", "false"]
}
]
},
"conversationType": {
"type": "array",
"items": {
"type": "string",
"enum": [
"PUBLIC_CHANNEL",
"PRIVATE_CHANNEL",
"GROUP_MESSAGE",
"DIRECT_MESSAGE"
]
}
},
"channelFilter": {
"type": "object",
"properties": {
"private_channel": {
"type": "array",
"items": {
"type": "string"
}
},
"public_channel": {
"type": "array",
"items": {
"type": "string"
}
}
}
},
"channelIdFilter": {
"type": "array",
"items": {
"type": "string"
}
},
"sinceDate": {
"anyOf": [
{
"type": "string",
"pattern": "^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z$"
},
{
"type": "string",
"pattern": ""
}
]
},
"lookBack": {
"type": "string",
"pattern": "^[0-9]*$"
},
"enableDeletionProtection": {
"anyOf": [
{
"type": "boolean"
},
{
"type": "string",
"enum": ["true", "false"]
}
],
"default": false
},
"deletionProtectionThreshold": {
"type": "string",
"default": "15"
}
},
"required": []
},
"version": {
"type": "string",
"anyOf": [
{
"pattern": "1.0.0"
}
]
},
"required": [
"type",
"secretArn",
"syncMode",
"enableIdentityCrawler",
"connectionConfiguration",
"repositoryConfigurations",
"additionalProperties"
]
}
}
```
## Slack JSON schema example
The following is the Slack JSON schema example:
```
{
"type": "SLACK",
"syncMode": "FULL_CRAWL",
"secretArn": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-slack-secret",
"enableIdentityCrawler": "true",
"connectionConfiguration": {
"repositoryEndpointMetadata": {
"teamId": "T12345678"
}
},
"repositoryConfigurations": {
"All": {
"fieldMappings": [
{
"indexFieldName": "message_id",
"indexFieldType": "STRING",
"dataSourceFieldName": "id",
"dateFieldFormat": "yyyy-MM-dd'T'HH:mm:ss'Z'"
}
]
}
},
"additionalProperties": {
"isCrawlAcl": "true",
"maxFileSizeInMegaBytes": "50",
"fieldForUserId": "user_id",
"exclusionPatterns": ["*.tmp"],
"inclusionPatterns": ["*"],
"crawlBotMessages": "false",
"excludeArchived": "true",
"conversationType": ["PUBLIC_CHANNEL", "PRIVATE_CHANNEL"],
"channelFilter": {
"private_channel": ["C12345678"],
"public_channel": ["C87654321"]
},
"channelIdFilter": ["C12345678"],
"sinceDate": "2023-01-01T00:00:00Z",
"lookBack": "7",
"enableDeletionProtection": "false",
"deletionProtectionThreshold": "15"
},
"version": "1.0.0"
}
```
# Connecting Amazon Q Business to Slack using AWS CloudFormation
You use the [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-qbusiness-datasource.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-qbusiness-datasource.html) resource to connect a data source to your Amazon Q application.
Use the [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-qbusiness-datasource.html#cfn-qbusiness-datasource-applicationid](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-qbusiness-datasource.html#cfn-qbusiness-datasource-applicationid) property to provide a JSON or YAML schema with the necessary configuration details specific to your data source connector.
To learn more about AWS CloudFormation, see [What is AWS CloudFormation?](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html) in the *CloudFormation User Guide*.
**Topics**
+ [Slack configuration properties](#slack-configuration-keys)
+ [Slack JSON schema for using the configuration property with AWS CloudFormation](#slack-cfn-json)
+ [Slack YAML schema for using the configuration property with AWS CloudFormation](#slack-cfn-yaml)
## Slack configuration properties
The following provides information about important configuration properties required in the schema.
| Configuration | Description | Type | Required |
| --- | --- | --- | --- |
| `connectionConfiguration` | Configuration information for the endpoint for the data source. | `object` This property has the following sub-property: `repositoryEndpointMetadata`. | Yes |
| `repositoryEndpointMetadata` | The endpoint information for the data source. | `object` This property has the following sub-property: `teamId`. | Yes |
| `teamId` | The Slack team ID you copied from your Slack main page URL. | `string` | Yes |
| `repositoryConfigurations` | Configuration information for the content of the data source. For example, configuring specific types of content and field mappings. | `object` This property has the following sub-property: `All`. | No |
| `All` | A list of objects that map the attributes or field names of your Slack pages and assets to Amazon Q index field names. | `object` This property has the following sub-properties: `indexFieldName`, `indexFieldType`, `dataSourceFieldName`, and `dateFieldFormat`. | Yes |
| `indexFieldName` | The field name of your Slack pages and assets. | `string` | Yes |
| `indexFieldType` | The field type of your Slack pages and assets. | `string` The allowed values are `STRING`, `STRING_LIST`, and `DATE`. | Yes |
| `dataSourceFieldName` | The data source field name of your Slack pages and assets. | `string` | Yes |
| `dateFieldFormat` | The date format of your Slack pages and assets. | `string` Specify the date format in the form `yyyy-MM-dd'T'HH:mm:ss'Z'` | No |
| `additionalProperties` | Additional configuration options for your content in your data source. | `object` This property has the following sub-properties. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/slack-cfn.html) | Yes |
| `isCrawlAcl` | Specify true to crawl access control information from documents. Amazon Q Business crawls ACL information by default to ensure responses are generated only from documents your end users have access to. See [Authorization](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-authorization) for more details. | `boolean` | No |
| `maxFileSizeInMegaBytes` | Specify the maximum single file size limit in MBs that Amazon Q will crawl. Amazon Q will crawl only the files within the size limit you define. The default file size is 50MB. The maximum file size should be greater than 0MB and less than or equal to 50MB. | `string` | No |
| `fieldForUserId` | Specify field to use for UserId for ACL crawling. | `string` | No |
| `inclusionPatterns` | A list of regular expression patterns to include specific content in your Slack data source. Content that matches the patterns are included in the index. Content that doesn't match the patterns are excluded from the index. If any content matches both an inclusion and exclusion pattern, the exclusion pattern takes precedence, and the content isn't included in the index. | `array` | No |
| `exclusionPatterns` | A list of regular expression patterns to exclude specific content in your Slack data source. Content that matches the patterns are excluded from the index. Content that doesn't match the patterns are included in the index. If any content matches both an inclusion and exclusion pattern, the exclusion pattern takes precedence, and the content isn't included in the index. | `array` | No |
| `crawlBotMessages` | `true` to crawl Slack bot messages. | `boolean` | No |
| `excludeArchived` | `true` to exclude archived messages from crawl. | `boolean` | No |
| `conversationType` | The type of conversation that you want to index. | `string` Valid values are `PUBLIC_CHANNEL`, `PRIVATE_CHANNEL`, `GROUP_MESSAGE`, and `DIRECT_MESSAGE`. | No |
| `channelFilter` | The type of channel that you want to index whether private\$1channel or public\$1channel. | `object` This property has the following sub-properties: `private_channel` and `public_channel`. | No |
| `private_channel` | The IDs of the private channel that you want to index. | `array` | No |
| `public_channel` | The IDs of public channel that you want to index. | `array` | No |
| `channelIdFilter` | You can choose to crawl specific channels vy channel ID using the channelIdFilter. | `array` | No |
| `sinceDate` | You can choose to configure a sinceDate parameter so that the Slack connector crawls content based on a specific sinceDate. | `string` Specify the date in the form `^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z$` or as an empty string. | No |
| `lookBack` | You can choose to configure a lookBack parameter so that the Slack connector crawls lookBack content. | `string` Specify the value in the form `^[0-9]*$`. | No |
| `syncMode` | Specify whether Amazon Q should update your index by syncing all documents or only new, modified, and deleted documents. | `string` You can choose between the following options: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/slack-cfn.html) | Yes |
| `type` | The type of data source. Specify SLACK as your data source type. | `string` | Yes |
| `enableIdentityCrawler` | Specify true to use the Amazon Q identity crawler to sync identity/principal information on users and groups with access to specific documents. Amazon Q Business crawls identity information from your data source by default to ensure responses are generated only from documents end users have access to. For more information, see [Identity crawler](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-identity-crawler). | `boolean` | Yes |
| `secretArn` | The Amazon Resource Name (ARN) of an AWS Secrets Manager secret that contains the key-value pairs required to connect to your Slack. | `string` The secret must contain a JSON structure with the following keys: {
"slackToken": "token"
} | Yes |
| `version` | The version of this template that's currently supported. | `string` | No |
## Slack JSON schema for using the configuration property with AWS CloudFormation
The following is the Slack JSON schema and examples for the configuration property for AWS CloudFormation.
**Topics**
+ [Slack JSON schema for using the configuration property with AWS CloudFormation](#slack-cfn-json-schema)
+ [Slack JSON schema example for using the configuration property with AWS CloudFormation](#slack-cfn-json-example)
### Slack JSON schema for using the configuration property with AWS CloudFormation
The following is the Slack JSON schema for the configuration property for CloudFormation
```
{
"type": "object",
"properties": {
"type": {
"type": "string",
"pattern": "SLACK"
},
"syncMode": {
"type": "string",
"enum": ["FORCED_FULL_CRAWL", "FULL_CRAWL", "CHANGE_LOG"]
},
"secretArn": {
"type": "string"
},
"enableIdentityCrawler": {
"anyOf": [
{
"type": "boolean"
},
{
"type": "string",
"enum": ["true", "false"]
}
]
},
"connectionConfiguration": {
"type": "object",
"properties": {
"repositoryEndpointMetadata": {
"type": "object",
"properties": {
"teamId": {
"type": "string"
}
},
"required": ["teamId"]
}
}
},
"repositoryConfigurations": {
"type": "object",
"properties": {
"All": {
"type": "object",
"properties": {
"fieldMappings": {
"type": "array",
"items": [
{
"type": "object",
"properties": {
"indexFieldName": {
"type": "string"
},
"indexFieldType": {
"type": "string",
"enum": ["STRING", "STRING_LIST", "DATE", "LONG"]
},
"dataSourceFieldName": {
"type": "string"
},
"dateFieldFormat": {
"type": "string",
"pattern": "yyyy-MM-dd'T'HH:mm:ss'Z'"
}
},
"required": [
"indexFieldName",
"indexFieldType",
"dataSourceFieldName"
]
}
]
}
},
"required": ["fieldMappings"]
}
},
"required": []
},
"additionalProperties": {
"type": "object",
"properties": {
"isCrawlAcl": {
"anyOf": [
{
"type": "boolean"
},
{
"type": "string",
"enum": ["true", "false"]
}
]
},
"maxFileSizeInMegaBytes": {
"type": "string"
},
"fieldForUserId": {
"type": "string"
},
"exclusionPatterns": {
"type": "array",
"items": {
"type": "string"
}
},
"inclusionPatterns": {
"type": "array",
"items": {
"type": "string"
}
},
"crawlBotMessages": {
"anyOf": [
{
"type": "boolean"
},
{
"type": "string",
"enum": ["true", "false"]
}
]
},
"excludeArchived": {
"anyOf": [
{
"type": "boolean"
},
{
"type": "string",
"enum": ["true", "false"]
}
]
},
"conversationType": {
"type": "array",
"items": {
"type": "string",
"enum": [
"PUBLIC_CHANNEL",
"PRIVATE_CHANNEL",
"GROUP_MESSAGE",
"DIRECT_MESSAGE"
]
}
},
"channelFilter": {
"type": "object",
"properties": {
"private_channel": {
"type": "array",
"items": {
"type": "string"
}
},
"public_channel": {
"type": "array",
"items": {
"type": "string"
}
}
}
},
"channelIdFilter": {
"type": "array",
"items": {
"type": "string"
}
},
"sinceDate": {
"anyOf": [
{
"type": "string",
"pattern": "^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z$"
},
{
"type": "string",
"pattern": ""
}
]
},
"lookBack": {
"type": "string",
"pattern": "^[0-9]*$"
},
"enableDeletionProtection": {
"anyOf": [
{
"type": "boolean"
},
{
"type": "string",
"enum": ["true", "false"]
}
],
"default": false
},
"deletionProtectionThreshold": {
"type": "string",
"default": "15"
}
},
"required": []
},
"version": {
"type": "string",
"anyOf": [
{
"pattern": "1.0.0"
}
]
},
"required": [
"type",
"secretArn",
"syncMode",
"enableIdentityCrawler",
"connectionConfiguration",
"repositoryConfigurations",
"additionalProperties"
]
}
}
```
### Slack JSON schema example for using the configuration property with AWS CloudFormation
The following is the Slack JSON schema example for the configuration property for CloudFormation
```
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "CloudFormation SLACK Data Source Template",
"Resources": {
"DataSourceSlack": {
"Type": "AWS::QBusiness::DataSource",
"Properties": {
"ApplicationId": "app12345-1234-1234-1234-123456789012",
"IndexId": "indx1234-1234-1234-1234-123456789012",
"DisplayName": "MySlackDataSource",
"RoleArn": "arn:aws:iam::123456789012:role/qbusiness-data-source-role",
"Configuration": {
"type": "SLACK",
"syncMode": "FULL_CRAWL",
"secretArn": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-slack-secret",
"enableIdentityCrawler": "true",
"connectionConfiguration": {
"repositoryEndpointMetadata": {
"teamId": "T12345678"
}
},
"repositoryConfigurations": {
"All": {
"fieldMappings": [
{
"indexFieldName": "message_id",
"indexFieldType": "STRING",
"dataSourceFieldName": "id",
"dateFieldFormat": "yyyy-MM-dd'T'HH:mm:ss'Z'"
}
]
}
},
"additionalProperties": {
"isCrawlAcl": "true",
"maxFileSizeInMegaBytes": "50",
"fieldForUserId": "user_id",
"exclusionPatterns": ["*.tmp"],
"inclusionPatterns": ["*"],
"crawlBotMessages": "false",
"excludeArchived": "true",
"conversationType": ["PUBLIC_CHANNEL", "PRIVATE_CHANNEL"],
"channelFilter": {
"private_channel": ["C12345678"],
"public_channel": ["C87654321"]
},
"channelIdFilter": ["C12345678"],
"sinceDate": "2023-01-01T00:00:00Z",
"lookBack": "7",
"enableDeletionProtection": "false",
"deletionProtectionThreshold": "15"
}
}
}
}
}
}
```
## Slack YAML schema for using the configuration property with AWS CloudFormation
The following is the Slack YAML schema and examples for the configuration property for AWS CloudFormation:
**Topics**
+ [Slack YAML schema for using the configuration property with AWS CloudFormation](#slack-cfn-yaml-schema)
+ [Slack YAML schema example for using the configuration property with AWS CloudFormation](#slack-cfn-yaml-example)
### Slack YAML schema for using the configuration property with AWS CloudFormation
The following is the Slack YAML schema for the configuration property for CloudFormation.
```
type: object
properties:
type:
type: string
pattern: SLACK
syncMode:
type: string
enum:
- FORCED_FULL_CRAWL
- FULL_CRAWL
- CHANGE_LOG
secretArn:
type: string
enableIdentityCrawler:
anyOf:
- type: boolean
- type: string
enum:
- true
- false
connectionConfiguration:
type: object
properties:
repositoryEndpointMetadata:
type: object
properties:
teamId:
type: string
required:
- teamId
repositoryConfigurations:
type: object
properties:
All:
type: object
properties:
fieldMappings:
type: array
items:
type: object
properties:
indexFieldName:
type: string
indexFieldType:
type: string
enum:
- STRING
- STRING_LIST
- DATE
- LONG
dataSourceFieldName:
type: string
dateFieldFormat:
type: string
pattern: "yyyy-MM-dd'T'HH:mm:ss'Z'"
required:
- indexFieldName
- indexFieldType
- dataSourceFieldName
required:
- fieldMappings
additionalProperties:
type: object
properties:
isCrawlAcl:
anyOf:
- type: boolean
- type: string
enum:
- true
- false
maxFileSizeInMegaBytes:
type: string
fieldForUserId:
type: string
exclusionPatterns:
type: array
items:
type: string
inclusionPatterns:
type: array
items:
type: string
crawlBotMessages:
anyOf:
- type: boolean
- type: string
enum:
- true
- false
excludeArchived:
anyOf:
- type: boolean
- type: string
enum:
- true
- false
conversationType:
type: array
items:
type: string
enum:
- PUBLIC_CHANNEL
- PRIVATE_CHANNEL
- GROUP_MESSAGE
- DIRECT_MESSAGE
channelFilter:
type: object
properties:
private_channel:
type: array
items:
type: string
public_channel:
type: array
items:
type: string
channelIdFilter:
type: array
items:
type: string
sinceDate:
anyOf:
- type: string
pattern: "^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z$"
- type: string
pattern: ""
lookBack:
type: string
pattern: "^[0-9]*$"
enableDeletionProtection:
anyOf:
- type: boolean
- type: string
enum:
- true
- false
default: false
deletionProtectionThreshold:
type: string
default: "15"
required: []
version:
type: string
anyOf:
- pattern: 1.0.0
required:
- type
- secretArn
- syncMode
- enableIdentityCrawler
- connectionConfiguration
- repositoryConfigurations
- additionalProperties
```
### Slack YAML schema example for using the configuration property with AWS CloudFormation
The following is the Slack YAML example for the Configuration property for CloudFormation:
```
AWSTemplateFormatVersion: "2010-09-09"
Description: CloudFormation SLACK Data Source Template
Resources:
DataSourceSlack:
Type: AWS::QBusiness::DataSource
Properties:
ApplicationId: app12345-1234-1234-1234-123456789012
IndexId: indx1234-1234-1234-1234-123456789012
DisplayName: MySlackDataSource
RoleArn: arn:aws:iam::123456789012:role/qbusiness-data-source-role
Configuration:
type: SLACK
syncMode: FULL_CRAWL
secretArn: arn:aws:secretsmanager:us-west-2:123456789012:secret:my-slack-secret
enableIdentityCrawler: "true"
connectionConfiguration:
repositoryEndpointMetadata:
teamId: T12345678
repositoryConfigurations:
All:
fieldMappings:
- indexFieldName: message_id
indexFieldType: STRING
dataSourceFieldName: id
dateFieldFormat: yyyy-MM-dd'T'HH:mm:ss'Z'
additionalProperties:
isCrawlAcl: "true"
maxFileSizeInMegaBytes: "50"
fieldForUserId: user_id
exclusionPatterns:
- "*.tmp"
inclusionPatterns:
- "*"
crawlBotMessages: "false"
excludeArchived: "true"
conversationType:
- PUBLIC_CHANNEL
- PRIVATE_CHANNEL
channelFilter:
private_channel:
- C12345678
public_channel:
- C87654321
channelIdFilter:
- C12345678
sinceDate: "2023-01-01T00:00:00Z"
lookBack: "7"
enableDeletionProtection: "false"
deletionProtectionThreshold: "15"
```
# How Amazon Q Business connector crawls Slack ACLs
Connectors support crawling ACL and identity information where applicable based on the data source. If you index documents without ACLs, all documents are considered public. Indexing documents with ACLs ensures data security.
Amazon Q Business supports crawling ACLs for document security by default.
Slack organizes content into documents, which include messages, attachments, posts, snippets, thread replies, and emojis. Messages and attachments can belong to different conversation types such as direct messages (DMs), public channels, or private channels.
When you connect a Slack data source to Amazon Q Business, Amazon Q Business crawls ACL information (channel IDs) attached to a document from your Slack instance. If you choose to activate ACL crawling, this information can be used to filter chat responses to your end user's document access level. Access Control (ACLs) in Slack is managed through users and groups.
**Identity Crawling**: Slack allows link sharing at the document level. If a document link is shared across different channels (DMs, groups, or private channels), the new channel ID is included during crawling, effectively expanding ACLs to include members of those channels. Slack does not enforce explicit deny rules: public channels allow user removal but do not prevent them from rejoining, whereas private channels restrict reentry without an invitation. The minimum permission to query channel data varies: for public channels, workspace membership is sufficient, while private channels require direct membership for access. Slack enforces username restrictions, supporting only lowercase letters, numbers, periods, hyphens, and underscores. This lowercase format is maintained when crawling identities. ACL mismatches can occur if case differences exist between Slack usernames and identity data stored in the connector, potentially preventing access to crawled information. When a user is deactivated or deleted, they lose access to crawled data, and subsequent syncs reflect this by removing the user from ACLs.
**Permission Inheritance**: The Slack Workspace is the top-most entity controlling access. All workspace members can access public channels by default. Public channels have no ACLs; they are accessible to all workspace members. If ACLs are disabled, all public channel content is open to everyone on Amazon Q. DMs, groups, and private channels have independent ACLs, which completely replace any parent ACLs. Private channels restrict access to invited members, including external collaborators via Slack Connect. All entities inherit permissions from the parent.
**Mapping Rules**: Slack's inheritance mapping follows its native structure without custom logic. Federated groups are treated as local upon syncing, with all members stored regardless of status. Emails, links, and other text within messages are crawled as regular strings without specific parsing. Link-sharing does not modify document ACLs: a shared link in a message is crawled as plain text rather than as an access control change. Public channels are accessible to all Amazon Q users if no ACL is applied.
**Failure handling**: The connector follows a fail-close approach, meaning if there are permission-related issues or API failures, affected documents are skipped from ingestion rather than being made publicly accessible. This prevents unauthorized access while maintaining data integrity.
For more information, see:
+ [Authorization](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-authorization)
+ [Identity crawler](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-identity-crawler)
+ [Understanding User Store](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-principal-store.html)
# Slack data source connector field mappings
To improve retrieved results and customize the end user chat experience, Amazon Q Business enables you to map document attributes from your data sources to fields in your Amazon Q index.
Amazon Q offers two kinds of attributes to map to index fields:
+ **Reserved or default** – Reserved attributes are based on document attributes that commonly occur in most data. You can use reserved attributes to map commonly occurring document attributes in your data source to Amazon Q index fields.
+ **Custom** – You can create custom attributes to map document attributes that are unique to your data to Amazon Q index fields.
When you connect Amazon Q to a data source, Amazon Q automatically maps specific data source document attributes to fields within an Amazon Q index. If a document attribute in your data source doesn't have a attribute mapping already available, or if you want to map additional document attributes to index fields, use the custom field mappings to specify how a data source attribute maps to an Amazon Q index field. You create field mappings by editing your data source after your application and retriever are created.
To learn more about document attributes and how they work in Amazon Q, see [Document attributes and types in Amazon Q](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/doc-attributes.html).
**Important**
Filtering using document attributes in chat is only supported through the API.
The Amazon Q Slack connector supports the following field mappings:
| Slack field name | Index field name | Description | Data type |
| --- | --- | --- | --- |
| size | sl\$1gen\$1size | Custom | Long (numeric) |
| emojis | sl\$1gen\$1emojis | Custom | String list |
| title | sl\$1gen\$1title | Custom | String |
| authors | \$1authors | Default | String list |
| url | \$1source\$1uri | Default | String |
| category | sl\$1gen\$1category | Custom | String |
| created\$1at | \$1created\$1at | Default | Date |
| last\$1updated\$1at | \$1last\$1updated\$1at | Default | Date |
| msg\$1channel\$1id | sl\$1message\$1channel\$1id | Custom | String |
| msg\$1channel\$1name | sl\$1msg\$1channel\$1name | Custom | String |
# IAM role for the Slack connector
If you use the AWS CLI or an AWS SDK, you must create an AWS Identity and Access Management (IAM) policy before you create an Amazon Q resource. When you call the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) operation, you provide the Amazon Resource Name (ARN) role with the policy attached.
If you use the AWS Management Console, you can create a new IAM role in the Amazon Q console or use an existing IAM role.
To learn more about IAM roles, see [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) in the *AWS Identity and Access Management User Guide*.
To connect your data source connector to Amazon Q, you must give Amazon Q an IAM role that has the following permissions:
+ Permission to access the `BatchPutDocument` and `BatchDeleteDocument` operations to ingest documents.
+ Permission to access the [User Store](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-principal-store.html) API operations to ingest user and group access control information from documents.
+ Permission to access your AWS Secrets Manager secret to authenticate your data source connector instance.
+ **(Optional)** If you're using Amazon VPC, permission to access your Amazon VPC.
```
{
"Version": "2012-10-17", ,
"Statement": [
{
"Sid": "AllowsAmazonQToGetSecret",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
]
},
{
"Sid": "AllowsAmazonQToDecryptSecret",
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.*.amazonaws.com"
]
}
}
},
{
"Sid": "AllowsAmazonQToIngestDocuments",
"Effect": "Allow",
"Action": [
"qbusiness:BatchPutDocument",
"qbusiness:BatchDeleteDocument"
],
"Resource": [
"arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}",
"arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}/index/{{index_id}}"
]
},
{
"Sid": "AllowsAmazonQToIngestPrincipalMapping",
"Effect": "Allow",
"Action": [
"qbusiness:PutGroup",
"qbusiness:CreateUser",
"qbusiness:DeleteGroup",
"qbusiness:UpdateUser",
"qbusiness:ListGroups"
],
"Resource": [
"arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}",
"arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}",
"arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}/data-source/*"
]
},
{
"Sid": "AllowsAmazonQToCreateAndDeleteNI",
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface"
],
"Resource": [
"arn:aws:ec2:{{region}}:{{account_id}}:subnet/[[subnet_ids]]",
"arn:aws:ec2:{{region}}:{{account_id}}:security-group/[[security_group]]"
]
},
{
"Sid": "AllowsAmazonQToCreateAndDeleteNIForSpecificTag",
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface"
],
"Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
"Condition": {
"StringLike": {
"aws:RequestTag/AMAZON_Q": "qbusiness_{{account_id}}_{{application_id}}_*"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"AMAZON_Q"
]
}
}
},
{
"Sid": "AllowsAmazonQToCreateTags",
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
"Condition": {
"StringEquals": {
"ec2:CreateAction": "CreateNetworkInterface"
}
}
},
{
"Sid": "AllowsAmazonQToCreateNetworkInterfacePermission",
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterfacePermission"
],
"Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
"Condition": {
"StringLike": {
"aws:ResourceTag/AMAZON_Q": "qbusiness_{{account_id}}_{{application_id}}_*"
}
}
},
{
"Sid": "AllowsAmazonQToDescribeResourcesForVPC",
"Effect": "Allow",
"Action": [
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeNetworkInterfaceAttribute",
"ec2:DescribeVpcs",
"ec2:DescribeRegions",
"ec2:DescribeNetworkInterfacePermissions",
"ec2:DescribeSubnets"
],
"Resource": "*"
}
]
}
```
**To allow Amazon Q to assume a role, you must also use the following trust policy:**
```
{
"Version": "2012-10-17", ,
"Statement": [
{
"Sid": "AllowsAmazonQServicePrincipal",
"Effect": "Allow",
"Principal": {
"Service": "qbusiness.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "{{source_account}}"
},
"ArnEquals": {
"aws:SourceArn": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"
}
}
}
]
}
```
For more information on Amazon Q data source connector IAM roles, see [IAM roles for Amazon Q data source connectors](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/iam-roles.html#iam-roles-ds).