# Connecting Zendesk to Amazon Q Business
Zendesk is a customer relationship management system that helps businesses automate and enhance customer support interactions. You can connect a Zendesk instance to Amazon Q Business—using either the AWS Management Console or the [https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) API—and create an Amazon Q web experience.
**Topics**
+ [Known limitations for the Zendesk connector](zendesk-limitations.md)
+ [Zendesk connector overview](zendesk-overview.md)
+ [Prerequisites for connecting Amazon Q Business to Zendesk](zendesk-prereqs.md)
+ [Setting up Zendesk for connecting to Amazon Q Business](zendesk-credentials.md)
+ [Connecting Amazon Q Business to Zendesk using the console](zendesk-console.md)
+ [Connecting Amazon Q Business to Zendesk using APIs](zendesk-api.md)
+ [How Amazon Q Business connector crawls Zendesk ACLs](zendesk-user-management.md)
+ [ Zendesk data source connector field mappings](zendesk-field-mappings.md)
+ [IAM role for the Zendesk connector](zendesk-iam-role.md)
+ [Understand error codes in the Zendesk connector](zendesk-error-codes.md)
**Learn more**
+ For an overview of the Amazon Q web experience creation process using IAM Identity Center, see [Configuring an application using IAM Identity Center](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/create-application.html).
+ For an overview of the Amazon Q web experience creation process using AWS Identity and Access Management, see [Configuring an application using IAM](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/create-application-iam.html).
+ For an overview of connector features, see [Data source connector concepts](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html).
+ For information about connector configuration best practices, see [Connector configuration best practices](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-best-practices.html).
# Known limitations for the Zendesk connector
The Zendesk connector has the following known limitations:
+ Deleted and archived articles and their comments and attachments aren't supported in **Change log** mode since there are no SDK methods/REST API available for fetching deleted or archived articles.
+ Archived articles aren't supported in **Full Crawl** mode since there are no SDK methods/REST API available for fetching archived articles.
+ Deleted community topics, community posts, and their comments are not supported in **Change Log** mode since there are no SDK methods/REST API available for fetching deleted topics, deleted posts, and their comments.
+ The Zendesk connector can't fetch community topics (added, edited, or deleted), and community posts and their comments (added, edited, or deleted) based on timestamps in **Change log** mode.
+ When Access Control Lists (ACLs) are enabled, the "Sync only new or modified content" option is not available due to Zendesk API limitations. We recommend using "Full sync" or "New, modified, or deleted content sync" modes instead, or disable ACLs if you need to use this sync mode.
# Zendesk connector overview
The following table gives an overview of the Zendesk connector and its supported features.
****
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/zendesk-overview.html)
# Prerequisites for connecting Amazon Q Business to Zendesk
Before you begin, make sure that you have completed the following prerequisites.
**In Zendesk, make sure you have:**
+ Created a Zendesk Suite (Professional/Enterprise) administrative account.
+ Copied your Zendesk host URL. For example, *https://\$1sub-domain\$1.zendesk.com/*. You need this URL to allow Amazon Q to connect with your Zendesk data source.
+ Generated Zendesk OAuth 2.0 with implicit grant credentials containing an implicit grant token.
+ Generated Zendesk OAuth 2.0 credentials containing a client ID, client secret, username, and password. You need these credentials to authenticate Amazon Q to access Zendesk.
**In your AWS account, make sure you have:**
+ Created a Amazon Q Business application.
+ Created a [Amazon Q Business retriever and added an index](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/select-retriever.html).
+ Created an [IAM role](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/iam-roles.html#iam-roles-ds) for your data source and, if using the Amazon Q API, noted the ARN of the IAM role.
+ Stored your Zendesk authentication credentials in an AWS Secrets Manager secret and, if using the Amazon Q API, noted the ARN of the secret.
**Note**
If you’re a console user, you can create the IAM role and Secrets Manager secret as part of configuring your Amazon Q application on the console.
For a list of things to consider while configuring your data source, see [ Data source connector configuration best practices](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-best-practices.html).
# Setting up Zendesk for connecting to Amazon Q Business
Before you connect Zendesk to Amazon Q Business, you need to create and retrieve the Zendesk credentials you will use to connect Zendesk to Amazon Q. You will also need to add any authorization permissions needed by Zendesk to connect to Amazon Q.
The following procedure gives you an overview of how to configure Zendesk for Amazon Q.
**Configuring Zendesk for OAuth 2.0 authentication**
1. Log in to your Zendesk account. Note the username and password you logged in with. You will need them later to connect to Amazon Q.
1. Copy your Zendesk URL, if you haven't already, from the Zendesk webpage URL. This will be the URL you will input as host URL in Amazon Q.
**Note**
You can also copy your Zendesk host URL from the top menu in the **Admin Center**.
1. From the left navigation menu, choose the settings icon. Then, choose **Go to Admin Center**.
![\[Screenshot of the Zendesk admin interface showing the profile menu where users can access the Admin Center.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/zendesk-1.png)
1. In **Admin Center**, from the left navigation menu, under **Apps and integrations**, choose **Zendesk API**.
![\[Screenshot of the Zendesk Admin Center showing the left navigation menu with the "Zendesk API" option under "Apps and integrations" section.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/zendesk-2.png)
1. From the **Zendesk API** menu, choose **OAuth Clients** and then choose **Add OAuth client**.
![\[Screenshot of the Zendesk API menu showing the "OAuth Clients" option and the "Add OAuth client" button for creating a new OAuth client.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/zendesk-3.png)
1. On the **OAuth Clients** page, under **Create a new OAuth client** enter the following information:
+ **Client name** – A human-readable name for your client. This will be visible to users.
+ **Unique identifier** – An internal code-level identifier for your client. This will be the Client ID you input in Amazon Q.
Optionally, choose to fill in other information based on your use case. Then, choose **Save**.
![\[Screenshot of the Zendesk "Create a new OAuth client" form where users enter client name, redirect URL, and other configuration details for the OAuth client.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/zendesk-4.png)
1. On the **Please store the secret that will appear** dialog box that appears, select **OK**. Then, copy the secret you see into a text editor of your choice and save it. You won't be able to re-generate this secret so it's important that you store it securely. You will input this as the client secret during the connection configuration process in Amazon Q.
![\[Screenshot of the Zendesk client secret dialog box showing the generated secret that needs to be copied and stored securely for API authentication.\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/images/zendesk-5.png)
You now have the username, password, host URL, client ID, and client secret you need to connect Zendesk to Amazon Q.
# Connecting Amazon Q Business to Zendesk using the console
The following procedure outlines how to connect Amazon Q Business to Zendesk using the AWS Management Console.
**Connecting Amazon Q to Zendesk**
1. Sign in to the AWS Management Console and open the Amazon Q Business console.
1. From the left navigation menu, choose **Data sources**.
1. From the **Data sources** page, choose **Add data source**.
1. Then, on the **Add data sources** page, from **Data sources**, add the **Zendesk** data source to your Amazon Q application.
1. Then, on the **Zendesk** data source page, enter the following information:
1. **Name and description**, do the following:
+ For **Data source name** – Name your data source for easy tracking.
**Note**
You can include hyphens (-) but not spaces. Maximum of 1,000 alphanumeric characters.
+ **Description – *optional*** – Add an optional description for your data source. This text is viewed only by Amazon Q Business administrators and can be edited later.
1. **Source** – Enter your ** Zendesk URL**. For example, *https://\$1sub-domain\$1.zendesk.com/*.
1. **Authorization** – Amazon Q Business crawls ACL information by default to ensure responses are generated only from documents your end users have access to. If supported for your connector, you can manage ACLs by selecting ** Enable ACLs ** to enable ACLs or **Disable ACLs** to disable them. To manage ACLs, you need specific IAM permissions. See [Grant permission to create data sources with ACLs disabled](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/setting-up.html#DisableAclOnDataSource) for more details. See [Authorization](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-authorization) for more details.
1. Authentication for existing Zendesk customers: Enter a name for your secret, a client ID, client secret, username, and password.
1. Authentication for new customers since 30 July 2024:
1. Register the application with Zendesk and follow their procedure: [Using OAuth authentication with your application](https://support.zendesk.com/hc/en-us/articles/4408845965210-Using-OAuth-authentication-with-your-application)
1. Set Client kind to Confidential.
1. For Redirect URL Enter the URL that Zendesk should use to grant access to the application. The URLs must be absolute and not relative. You can use localhost: `http://localhost` or `http://127.0.0.1`.
1. Implement an OAuth authorization flow:
1. Zendesk supports the authorization code grant flow to get access tokens. (Other grant flows have been deprecated.)
1. The flow doesn't use refresh tokens. The access token doesn't expire.
1. To get an authorization code, register users on the Zendesk authorization page: `https://{subdomain}.zendesk.com/oauth/authorizations/new`. Use the following parameters:
1. `response_type` - Zendesk returns an authorization code in the response, so specify code as the response type. For example: response\$1type=code.
1. `redirect_url` - The URL, which can be local, that Zendesk should use to send the user's decision to grant access to your application. For example: `http://localhost` or `http://127.0.0.1`.
1. `client_id` - The unique identifier obtained after registering the application with Zendesk.
1. `scope` - A space-separated list of scopes that control access to the Zendesk resources.
1. After this, Zendesk will ask for user approval. Once approved it will respond with an authorization code.
1. Obtain an access token from Zendesk. Include the following parameters in the request:
1. `grant_type` - Specify `authorization_code` as the value.
1. `code` - Use the authorization code received from Zendesk after the user has been granted access.
1. `client_id` - Use the unique identifier specified in an OAuth client in the Support admin interface Admin > Channels > API > OAuth Clients.
1. `client_secret` - Use the secret specified in an OAuth client in the Support admin interface Admin > Channels > API > OAuth Clients).
1. `redirect_uri` - The URL, which can be local, that Zendesk should use to send the user's decision to grant access to your application. For example: `http://localhost` or `http://127.0.0.1`.
1. `scope` – A space-separated list of scopes that control access to the Zendesk resources.
For example:
```
curl https://{subdomain}.zendesk.com/oauth/tokens \
-H "Content-Type: application/json" \
-d '{"grant_type": "authorization_code", "code": "{your_code}",
"client_id": "{your_client_id}", "client_secret": "{your_client_secret}",
"redirect_uri": "{your_redirect_url}", "scope": "read" }' \
-X POST
```
1. Use the access token in API calls.
1. **Configure VPC and security group – *optional*** – Choose whether you want to use a VPC. If you do, enter the following information:
1. **Subnets** – Select up to 6 repository subnets that define the subnets and IP ranges the repository instance uses in the selected VPC.
1. **VPC security groups** – Choose up to 10 security groups that allow access to your data source. Ensure that the security group allows incoming traffic from Amazon EC2 instances and devices outside your VPC. For databases, security group instances are required.
For more information, see [VPC](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-vpc).
1. **IAM role** – Choose an existing IAM role or create an IAM role to access your repository credentials and index content.
**Note**
Creating a new service IAM role is recommended.
For more information, see [IAM role](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/zendesk-connector.html#zendesk-iam).
1. **Sync scope** – Set the content that you want to sync.
1. For **Maximum file size** – Specify the file size limit in MBs that Amazon Q will crawl. Amazon Q will crawl only the files within the size limit you define. The default file size is 50MB. The maximum file size should be greater than 0MB and less than or equal to 50MB.
1. **Additional configuration – optional** – Configure the following settings:
+ **Change log** – Select to update your index instead of syncing all your files.
+ **Organization name** – Enter the Zendesk organization names to filter your sync.
+ **Sync start date** – The date from which you want to index your content.
+ **Regex patterns** – Regular expression patterns to include or exclude certain files. You can add up to 100 patterns.
1. **Advanced settings**
**Document deletion safeguard** - *optional*–To safeguard your documents from deletion during a sync job, select **On** and enter an integer between 0 - 100. If the percentage of documents to be deleted in your sync job exceeds the percentage you selected, the delete phase will be skipped and no documents from this data source will be deleted from your index. For more information, see [Document deletion safeguard](connector-concepts.md#document-deletion-safeguard).
1. In **Sync run schedule**, for **Frequency** – Choose how often Amazon Q will sync with your data source. For more details, see [Sync run schedule](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-sync-run). To learn how to start a data sync job, see [Starting data source connector sync jobs](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/supported-datasource-actions.html#start-datasource-sync-jobs).
1. **Tags - *optional*** – Add tags to search and filter your resources or track your AWS costs. See [Tags](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/tagging.html) for more details.
1. **Field mappings** – A list of data source document attributes to map to your index fields.
**Note**
Add or update the fields from the **Data source details** page after you finish adding your data source. You can choose from two types of fields:
1. **Default** – Automatically created by Amazon Q on your behalf based on common fields in your data source. You can't edit these.
1. **Custom** – Automatically created by Amazon Q on your behalf based on common fields in your data source. You can edit these. You can also create and add new custom fields.
**Note**
Support for adding custom fields varies by connector. You won't see the **Add field** option if your connector doesn't support adding custom fields.
For more information, see [Field mappings](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-field-mappings).
1. In **Data source details**, choose **Sync now** to allow Amazon Q to begin syncing (crawling and ingesting) data from your data source. When the sync job finishes, your data source is ready to use.
**Note**
View CloudWatch logs for your data source sync job by selecting **View CloudWatch logs**. If you encounter a `Resource not found exception` error, wait and try again as logs may not be available immediately.
You can also view a detailed document-level report by selecting **View Report**. This report shows the status of each document during the crawl, sync, and index stages, including any errors. If the report is empty for an in-progress job, check back later as data is emitted to the report as events occur during the sync process.
For more information, see [Troubleshooting data source connectors](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/troubleshooting-data-sources.html#troubleshooting-data-sources-not-indexed).
# Connecting Amazon Q Business to Zendesk using APIs
You use the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) action to connect a data source to your Amazon Q application. You can also use the [UpdateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_UpdateDataSource.html) action to modify an existing data source configuration.
Then, you use the `configuration` parameter to provide a JSON blob that conforms the AWS-defined JSON schema.
For an example of the API request, see [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) and [UpdateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_UpdateDataSource.html) in the Amazon Q API Reference.
## JSON schema
The following is the Zendesk JSON schema:
```
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"connectionConfiguration": {
"type": "object",
"properties": {
"repositoryEndpointMetadata": {
"type": "object",
"properties": {
"hostUrl": {
"type": "string",
"pattern": "https:.*"
}
},
"required": [
"hostUrl"
]
}
},
"required": [
"repositoryEndpointMetadata"
]
},
"repositoryConfigurations": {
"type": "object",
"properties": {
"ticket": {
"type": "object",
"properties": {
"fieldMappings": {
"type": "array",
"items": {
"anyOf": [
{
"type": "object",
"properties": {
"indexFieldName": {
"type": "string"
},
"indexFieldType": {
"type": "string",
"enum": ["STRING", "STRING_LIST", "LONG", "DATE"]
},
"dataSourceFieldName": {
"type": "string"
},
"dateFieldFormat": {
"type": "string",
"pattern": "dd-MM-yyyy HH:mm:ss"
}
},
"required": [
"indexFieldName",
"indexFieldType",
"dataSourceFieldName"
]
}
]
}
}
},
"required": [
"fieldMappings"
]
},
"ticketComment": {
"type": "object",
"properties": {
"fieldMappings": {
"type": "array",
"items": {
"anyOf": [
{
"type": "object",
"properties": {
"indexFieldName": {
"type": "string"
},
"indexFieldType": {
"type": "string",
"enum": ["STRING", "STRING_LIST", "LONG", "DATE"]
},
"dataSourceFieldName": {
"type": "string"
},
"dateFieldFormat": {
"type": "string",
"pattern": "dd-MM-yyyy HH:mm:ss"
}
},
"required": [
"indexFieldName",
"indexFieldType",
"dataSourceFieldName"
]
}
]
}
}
},
"required": [
"fieldMappings"
]
},
"ticketCommentAttachment": {
"type": "object",
"properties": {
"fieldMappings": {
"type": "array",
"items": {
"anyOf": [
{
"type": "object",
"properties": {
"indexFieldName": {
"type": "string"
},
"indexFieldType": {
"type": "string",
"enum": ["STRING", "STRING_LIST", "LONG", "DATE"]
},
"dataSourceFieldName": {
"type": "string"
},
"dateFieldFormat": {
"type": "string",
"pattern": "dd-MM-yyyy HH:mm:ss"
}
},
"required": [
"indexFieldName",
"indexFieldType",
"dataSourceFieldName"
]
}
]
}
}
},
"required": [
"fieldMappings"
]
},
"article": {
"type": "object",
"properties": {
"fieldMappings": {
"type": "array",
"items": {
"anyOf": [
{
"type": "object",
"properties": {
"indexFieldName": {
"type": "string"
},
"indexFieldType": {
"type": "string",
"enum": ["STRING", "STRING_LIST", "LONG", "DATE"]
},
"dataSourceFieldName": {
"type": "string"
},
"dateFieldFormat": {
"type": "string",
"pattern": "dd-MM-yyyy HH:mm:ss"
}
},
"required": [
"indexFieldName",
"indexFieldType",
"dataSourceFieldName"
]
}
]
}
}
},
"required": [
"fieldMappings"
]
},
"communityPostComment": {
"type": "object",
"properties": {
"fieldMappings": {
"type": "array",
"items": {
"anyOf": [
{
"type": "object",
"properties": {
"indexFieldName": {
"type": "string"
},
"indexFieldType": {
"type": "string",
"enum": ["STRING", "STRING_LIST", "LONG", "DATE"]
},
"dataSourceFieldName": {
"type": "string"
},
"dateFieldFormat": {
"type": "string",
"pattern": "dd-MM-yyyy HH:mm:ss"
}
},
"required": [
"indexFieldName",
"indexFieldType",
"dataSourceFieldName"
]
}
]
}
}
},
"required": [
"fieldMappings"
]
},
"articleComment": {
"type": "object",
"properties": {
"fieldMappings": {
"type": "array",
"items": {
"anyOf": [
{
"type": "object",
"properties": {
"indexFieldName": {
"type": "string"
},
"indexFieldType": {
"type": "string",
"enum": ["STRING", "STRING_LIST", "LONG", "DATE"]
},
"dataSourceFieldName": {
"type": "string"
},
"dateFieldFormat": {
"type": "string",
"pattern": "dd-MM-yyyy HH:mm:ss"
}
},
"required": [
"indexFieldName",
"indexFieldType",
"dataSourceFieldName"
]
}
]
}
}
},
"required": [
"fieldMappings"
]
},
"articleAttachment": {
"type": "object",
"properties": {
"fieldMappings": {
"type": "array",
"items": {
"anyOf": [
{
"type": "object",
"properties": {
"indexFieldName": {
"type": "string"
},
"indexFieldType": {
"type": "string",
"enum": ["STRING", "STRING_LIST", "LONG", "DATE"]
},
"dataSourceFieldName": {
"type": "string"
},
"dateFieldFormat": {
"type": "string",
"pattern": "dd-MM-yyyy HH:mm:ss"
}
},
"required": [
"indexFieldName",
"indexFieldType",
"dataSourceFieldName"
]
}
]
}
}
},
"required": [
"fieldMappings"
]
},
"communityTopic": {
"type": "object",
"properties": {
"fieldMappings": {
"type": "array",
"items": {
"anyOf": [
{
"type": "object",
"properties": {
"indexFieldName": {
"type": "string"
},
"indexFieldType": {
"type": "string",
"enum": ["STRING", "STRING_LIST", "LONG", "DATE"]
},
"dataSourceFieldName": {
"type": "string"
},
"dateFieldFormat": {
"type": "string",
"pattern": "dd-MM-yyyy HH:mm:ss"
}
},
"required": [
"indexFieldName",
"indexFieldType",
"dataSourceFieldName"
]
}
]
}
}
},
"required": [
"fieldMappings"
]
}
}
},
"secretArn": {
"type": "string",
"minLength": 20,
"maxLength": 2048
},
"additionalProperties": {
"type": "object",
"properties": {
"isCrawlAcl": {
"type": "boolean"
},
"maxFileSizeInMegaBytes": {
"type": "string"
},
"fieldForUserId": {
"type": "string"
},
"organizationNameFilter": {
"type": "array"
},
"sinceDate": {
"type": "string",
"pattern": "^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}$"
},
"inclusionPatterns": {
"type": "array"
},
"exclusionPatterns": {
"type": "array"
},
"isCrawTicket": {
"type": "string"
},
"isCrawTicketComment": {
"type": "string"
},
"isCrawTicketCommentAttachment": {
"type": "string"
},
"isCrawlArticle": {
"type": "string"
},
"isCrawlArticleAttachment": {
"type": "string"
},
"isCrawlArticleComment": {
"type": "string"
},
"isCrawlCommunityTopic": {
"type": "string"
},
"isCrawlCommunityPost": {
"type": "string"
},
"isCrawlCommunityPostComment": {
"type": "string"
}
}
},
"type": {
"type": "string",
"pattern": "ZENDESK"
},
"syncMode": {
"type": "string",
"enum": [
"FULL_CRAWL",
"FORCED_FULL_CRAWL",
"CHANGE_LOG"
]
},
"enableIdentityCrawler": {
"type": "boolean"
}
},
"version": {
"type": "string",
"anyOf": [
{
"pattern": "1.0.0"
}
]
},
"additionalProperties": false,
"required": [
"connectionConfiguration",
"repositoryConfigurations",
"additionalProperties",
"syncMode",
"secretArn",
"type"
]
}
```
The following table provides information about important JSON keys to configure.
| Configuration | Description |
| --- | --- |
| connectionConfiguration | Configuration information for the endpoint of the data source. |
| repositoryEndpointMetadata | The endpoint information for the data source. |
| hostURL | The Zendesk host URL. For example, https://yoursubdomain.zendesk.com. |
| repositoryConfigurations | Configuration information for the content of the data source. For example, configuring specific types of content and field mappings. |
| [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/zendesk-api.html) | A list of Zendesk objects and their metadata attributes that Amazon Q crawls and maps to Amazon Q index field names. The Zendesk data source field names must exist in your Zendesk custom metadata. |
| secretARN | The Amazon Resource Name (ARN) of an AWS Secrets Manager secret that contains the key-value pairs required to connect to your Zendesk. The secret must contain a JSON structure with the following keys: host URL, client ID, client secret, username, and password. |
| additionalProperties | Additional configuration options for your content in your data source. |
| isCrawlAcl | true to crawl Access Control Lists. Amazon Q Business crawls ACL information by default to ensure responses are generated only from documents your end users have access to. See [Authorization](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-authorization) for more details. |
| maxFileSizeInMegaBytes | Specify the maximum single file size limit in MBs that Amazon Q will crawl. Amazon Q will crawl only the files within the size limit you define. The default file size is 50MB. The maximum file size should be greater than 0MB and less than or equal to 50MB. |
| fieldForUserId | Specify field to use for UserId for ACL crawling. |
| organizationFilter | If you want, you can choose to index tickets that exist within a specific Organization |
| sinceDate | If you want, you can configure a sinceDate parameter so that the Zendesk connector will crawl based on the sinceDate. |
| inclusionPatterns | A list of regular expression patterns to include specific files in your Zendesk data source. Files that match the patterns are included in the index. Files that don't match the patterns are excluded from the index. If a file matches both an inclusion and exclusion pattern, the exclusion pattern takes precedence, and the file isn't included in the index. |
| exclusionPatterns | A list of regular expression patterns to exclude specific files in your Zendesk data source. Files that match the patterns are excluded from the index. Files that don't match the patterns are included in the index. If a file matches both an exclusion and inclusion pattern, the exclusion pattern takes precedence, and the file isn't included in the index. |
| [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/zendesk-api.html) | Input true to index these types of content. |
| type | Specify ZENDESK as your data source type. |
| syncMode | Specify whether Amazon Q should update your index by syncing all documents or only new, modified, and deleted documents. You can choose between the following options: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/zendesk-api.html) |
| enableIdentityCrawler | Specify true to activate identity crawler. Identity crawler is activated by default. Crawling identity information on users and groups with access to certain documents is useful for user context filtering. Search results are filtered based on the user or their group access to documents. Amazon Q Business crawls identity information from your data source by default to ensure responses are generated only from documents end users have access to. For more information, see [Identity crawler](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-identity-crawler). |
| version | The version of the template that's currently supported. |
# How Amazon Q Business connector crawls Zendesk ACLs
Connectors support crawling ACL and identity information where applicable based on the data source. If you index documents without ACLs, all documents are considered public. Indexing documents with ACLs ensures data security.
Amazon Q Business supports crawling ACLs for document security by default.
When you connect an Zendesk data source to Amazon Q Business, Amazon Q Business crawls ACL information attached to a document (user and group information) from your Zendesk instance. If you choose to activate ACL crawling, the information can be used to filter chat responses to your end users' document access level.
The Zendesk connector supports enabling or disabling data ingestion for various entities including Tickets, Ticket Comments, Ticket Comment Attachments, Articles, Article Attachments, Article Comments, Community Topics, Community Posts, and Community Post Comments. For Ticket Comment Attachments and Article Attachments, the Zendesk connector allows applying include/exclude patterns based on file types, enabling more granular control over which attachments are ingested into Amazon Q Business.
**Roles/Permissions**: Zendesk roles define user permissions within the platform, including Admins, Agents, Light Agents, End Users, and Guide Admins. Admins have full control over settings, user management, and content access. Agents handle tickets, respond to customer queries, and may have restricted access based on group assignments. Light Agents can view and comment on tickets internally but cannot interact with customers. End Users are customers who can submit and track tickets. Guide Admins manage knowledge base content, including articles and community posts. Access control is determined by roles, groups, organizations, and user segments, ensuring the right level of visibility and permissions across the system. The Zendesk connector translates these roles into Amazon Q Business compatible ACLs, supporting View (Read), Edit, and Delete permissions.
**Identity Crawling**: The connector ensures accurate synchronization of user access control by retrieving and updating user identities, groups, and permissions. During this process, it fetches users from Zendesk Organizations, Groups, and User Segments, aligning them with the correct Access Control Lists (ACLs) in Amazon Q Business. This allows for consistent enforcement of role-based access, ensuring that users can only view content they are permitted to access. Additionally, identity crawling updates group memberships dynamically, reflecting changes in user roles, suspended accounts, and newly assigned permissions during scheduled syncs.
**Permissions Inheritance**: In Zendesk, permission inheritance varies across data source entities such as tickets, articles, and community content. For tickets, permissions are inherited based on roles (Requester, Assignee, Follower) and group or organization membership. Permissions for comments, notes and attachments of tickets are inherited from parent. Community topics and posts inherit permissions from assigned user segments, but Admins and Guide Admins have universal access.
**Change Management**: Change Log Mode in Amazon Q Business enables incremental updates by capturing modifications made to content in Zendesk. Instead of re-indexing all documents, it indexes only newly added, updated, or deleted items since the last crawl. Any changes to user or group access permissions are also recorded, ensuring accurate and up-to-date indexing. However, change log sync does not update ACLs for suspended or reactivated users.
**Failure Handling**: The connector follows a fail-close approach, meaning if there are permission-related issues or API failures, affected documents are skipped from ingestion rather than being made publicly accessible. This prevents unauthorized access while maintaining data integrity.
For more information, see:
+ [Authorization](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-authorization)
+ [Identity crawler](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-identity-crawler)
+ [Understanding User Store](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-principal-store.html)
# Zendesk data source connector field mappings
To improve retrieved results and customize the end user chat experience, Amazon Q Business enables you to map document attributes from your data sources to fields in your Amazon Q index.
Amazon Q offers two kinds of attributes to map to index fields:
+ **Reserved or default** – Reserved attributes are based on document attributes that commonly occur in most data. You can use reserved attributes to map commonly occurring document attributes in your data source to Amazon Q index fields.
+ **Custom** – You can create custom attributes to map document attributes that are unique to your data to Amazon Q index fields.
When you connect Amazon Q to a data source, Amazon Q automatically maps specific data source document attributes to fields within an Amazon Q index. If a document attribute in your data source doesn't have a attribute mapping already available, or if you want to map additional document attributes to index fields, use the custom field mappings to specify how a data source attribute maps to an Amazon Q index field. You create field mappings by editing your data source after your application and retriever are created.
To learn more about document attributes and how they work in Amazon Q, see [Document attributes and types in Amazon Q](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/doc-attributes.html).
**Important**
Filtering using document attributes in chat is only supported through the API.
The Amazon Q Zendesk connector supports the following entities and the associated reserved and custom attributes.
**Topics**
+ [Tickets](#zendesk-field-mappings-tickets)
+ [Ticket comments](#zendesk-field-mappings-ticket-comments)
+ [Ticket comment attachment](#zendesk-field-mappings-ticket-comment-attachment)
+ [Article](#zendesk-field-mappings-article)
+ [Article comment](#zendesk-field-mappings-article-comment)
+ [Article comment attachment](#zendesk-field-mappings-article-comment-attachment)
+ [Community topic](#zendesk-field-mappings-community-topic)
+ [Community post](#zendesk-field-mappings-community-post)
+ [Community post comment](#zendesk-field-mappings-community-post-comment)
## Tickets
Amazon Q supports crawling [Zendesk Tickets](https://developer.zendesk.com/api-reference/ticketing/tickets/tickets/) and offers the following ticket field mappings.
| Zendesk field name | Index field name | Description | Data type |
| --- | --- | --- | --- |
| ticketChannel | zd-channel | Custom | String |
| category | \$1category | Default | String |
| authors | \$1authors | Default | String list |
| assignee | zd\$1assignee | Custom | String |
| tags | zd\$1tags | Custom | String list |
| status | zd\$1status | Custom | String |
| sourceUrl | \$1source\$1uri | Default | String |
| createdAt | \$1created\$1at | Default | Date |
| updatedAt | \$1last\$1updated\$1at | Default | Date |
| organizationName | zd\$1organization\$1name | Custom | String |
## Ticket comments
Amazon Q supports crawling [Zendesk Ticket Comments](https://developer.zendesk.com/api-reference/ticketing/tickets/ticket_comments/) and offers the following ticket comment field mappings.
| Zendesk field name | Index field name | Description | Data type |
| --- | --- | --- | --- |
| category | \$1category | Default | String |
| authors | \$1authors | Default | String list |
| status | zd\$1status | Custom | String |
| sourceUrl | \$1source\$1uri | Default | String |
| createdAt | \$1created\$1at | Default | Date |
| updatedAt | \$1last\$1updated\$1at | Default | Date |
| organizationName | zd\$1organization\$1name | Custom | String |
## Ticket comment attachment
Amazon Q supports crawling [Zendesk Ticket Comment Attachments](https://developer.zendesk.com/api-reference/ticketing/tickets/ticket-attachments/) and offers the following ticket comment attachment field mappings.
| Zendesk field name | Index field name | Description | Data type |
| --- | --- | --- | --- |
| category | \$1category | Default | String |
| authors | \$1authors | Default | String list |
| status | zd\$1status | Custom | String |
| sourceUrl | \$1source\$1uri | Default | String |
| createdAt | \$1created\$1at | Default | Date |
| updatedAt | \$1last\$1updated\$1at | Default | Date |
| organizationName | zd\$1organization\$1name | Custom | String |
## Article
Amazon Q supports crawling [Zendesk Articles](https://developer.zendesk.com/api-reference/help_center/help-center-api/articles/) and offers the following article field mappings.
| Zendesk field name | Index field name | Description | Data type |
| --- | --- | --- | --- |
| authors | \$1authors | Default | String list |
| labels | zd\$1article\$1labels | Custom | String list |
| section | zd\$1article\$1section | Custom | String list |
| sourceUrl | \$1source\$1uri | Default | String |
| createdAt | \$1created\$1at | Default | Date |
| updatedAt | \$1last\$1updated\$1at | Default | Date |
## Article comment
Amazon Q supports crawling [Zendesk Article Comments](https://developer.zendesk.com/api-reference/help_center/help-center-api/article_comments/) and offers the following article comment field mappings.
| Zendesk field name | Index field name | Description | Data type |
| --- | --- | --- | --- |
| authors | \$1authors | Default | String list |
| labels | zd\$1article\$1labels | Custom | String list |
| section | zd\$1article\$1section | Custom | String list |
| sourceUrl | \$1source\$1uri | Default | String |
| createdAt | \$1created\$1at | Default | Date |
| updatedAt | \$1last\$1updated\$1at | Default | Date |
## Article comment attachment
Amazon Q supports crawling [Zendesk Article Comment Attachments](https://developer.zendesk.com/api-reference/ticketing/tickets/ticket-attachments/) and offers the following article comment attachment field mappings.
| Zendesk field name | Index field name | Description | Data type |
| --- | --- | --- | --- |
| authors | \$1authors | Default | String list |
| labels | zd\$1article\$1labels | Custom | String list |
| fileName | zd\$1file\$1name | Custom | String |
| fileType | \$1file\$1type | Default | String |
| fileSize | zd\$1file\$1size | Custom | Long (numeric) |
| section | zd\$1article\$1section | Custom | String list |
| sourceUrl | \$1source\$1uri | Default | String |
| createdAt | \$1created\$1at | Default | Date |
| updatedAt | \$1last\$1updated\$1at | Default | Date |
## Community topic
Amazon Q supports crawling [Zendesk Community Topics](https://developer.zendesk.com/api-reference/help_center/help-center-templates/community_topic_page/) and offers the following community topic field mappings.
| Zendesk field name | Index field name | Description | Data type |
| --- | --- | --- | --- |
| topicName | zd\$1topic\$1name | Custom | String |
| sourceUrl | \$1source\$1uri | Default | String |
| createdAt | \$1created\$1at | Default | Date |
| updatedAt | \$1last\$1updated\$1at | Default | Date |
| category | \$1category | Default | String |
## Community post
Amazon Q supports crawling [Zendesk Community Posts](https://developer.zendesk.com/api-reference/help_center/help-center-templates/community_post_page/) and offers the following community post field mappings.
| Zendesk field name | Index field name | Description | Data type |
| --- | --- | --- | --- |
| postName | zd\$1post\$1name | Custom | String |
| topicName | zd\$1topic\$1name | Custom | String |
| sourceUrl | \$1source\$1uri | Default | String |
| createdAt | \$1created\$1at | Default | Date |
| updatedAt | \$1last\$1updated\$1at | Default | Date |
| category | \$1category | Default | String |
## Community post comment
Amazon Q supports crawling [Zendesk Community Post Comments](https://developer.zendesk.com/api-reference/help_center/help-center-api/post_comments/) and offers the following community post comment field mappings.
| Zendesk field name | Index field name | Description | Data type |
| --- | --- | --- | --- |
| postName | zd\$1post\$1name | Custom | String |
| topicName | zd\$1topic\$1name | Custom | String |
| sourceUrl | \$1source\$1uri | Default | String |
| createdAt | \$1created\$1at | Default | Date |
| updatedAt | \$1last\$1updated\$1at | Default | Date |
| category | \$1category | Default | String |
# IAM role for the Zendesk connector
If you use the AWS CLI or an AWS SDK, you must create an AWS Identity and Access Management (IAM) policy before you create an Amazon Q resource. When you call the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) operation, you provide the Amazon Resource Name (ARN) role with the policy attached.
If you use the AWS Management Console, you can create a new IAM role in the Amazon Q console or use an existing IAM role.
To learn more about IAM roles, see [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) in the *AWS Identity and Access Management User Guide*.
To connect your data source connector to Amazon Q, you must give Amazon Q an IAM role that has the following permissions:
+ Permission to access the `BatchPutDocument` and `BatchDeleteDocument` operations to ingest documents.
+ Permission to access the [User Store](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-principal-store.html) API operations to ingest user and group access control information from documents.
+ Permission to access your AWS Secrets Manager secret to authenticate your data source connector instance.
+ **(Optional)** If you're using Amazon VPC, permission to access your Amazon VPC.
```
{
"Version": "2012-10-17", ,
"Statement": [
{
"Sid": "AllowsAmazonQToGetSecret",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
]
},
{
"Sid": "AllowsAmazonQToDecryptSecret",
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.*.amazonaws.com"
]
}
}
},
{
"Sid": "AllowsAmazonQToIngestDocuments",
"Effect": "Allow",
"Action": [
"qbusiness:BatchPutDocument",
"qbusiness:BatchDeleteDocument"
],
"Resource": [
"arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}",
"arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}/index/{{index_id}}"
]
},
{
"Sid": "AllowsAmazonQToIngestPrincipalMapping",
"Effect": "Allow",
"Action": [
"qbusiness:PutGroup",
"qbusiness:CreateUser",
"qbusiness:DeleteGroup",
"qbusiness:UpdateUser",
"qbusiness:ListGroups"
],
"Resource": [
"arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}",
"arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}",
"arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}/data-source/*"
]
},
{
"Sid": "AllowsAmazonQToCreateAndDeleteNI",
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface"
],
"Resource": [
"arn:aws:ec2:{{region}}:{{account_id}}:subnet/[[subnet_ids]]",
"arn:aws:ec2:{{region}}:{{account_id}}:security-group/[[security_group]]"
]
},
{
"Sid": "AllowsAmazonQToCreateAndDeleteNIForSpecificTag",
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface"
],
"Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
"Condition": {
"StringLike": {
"aws:RequestTag/AMAZON_Q": "qbusiness_{{account_id}}_{{application_id}}_*"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"AMAZON_Q"
]
}
}
},
{
"Sid": "AllowsAmazonQToCreateTags",
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
"Condition": {
"StringEquals": {
"ec2:CreateAction": "CreateNetworkInterface"
}
}
},
{
"Sid": "AllowsAmazonQToCreateNetworkInterfacePermission",
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterfacePermission"
],
"Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
"Condition": {
"StringLike": {
"aws:ResourceTag/AMAZON_Q": "qbusiness_{{account_id}}_{{application_id}}_*"
}
}
},
{
"Sid": "AllowsAmazonQToDescribeResourcesForVPC",
"Effect": "Allow",
"Action": [
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeNetworkInterfaceAttribute",
"ec2:DescribeVpcs",
"ec2:DescribeRegions",
"ec2:DescribeNetworkInterfacePermissions",
"ec2:DescribeSubnets"
],
"Resource": "*"
}
]
}
```
**To allow Amazon Q to assume a role, you must also use the following trust policy:**
```
{
"Version": "2012-10-17", ,
"Statement": [
{
"Sid": "AllowsAmazonQServicePrincipal",
"Effect": "Allow",
"Principal": {
"Service": "qbusiness.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "{{source_account}}"
},
"ArnEquals": {
"aws:SourceArn": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"
}
}
}
]
}
```
For more information on Amazon Q data source connector IAM roles, see [IAM roles for Amazon Q data source connectors](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/iam-roles.html#iam-roles-ds).
# Understand error codes in the Zendesk connector
The following table provides information about error codes you may see for the Zendesk connector and suggested resolutions.
| Error code | Error message | Suggested resolution |
| --- | --- | --- |
| ZND-5001 | Error validating credentials due to invalid username or password. | Provide a valid username/password. |
| ZND-5002 | Error validating credentials due to invalid client Id or client Secret. | Provide a valid Zendesk client Id or client Secret. |
| ZND-5100 | The host URL is null or empty. | Provide a valid host Url. |
| ZND-5101 | The username is null or empty. | Provide a valid username. |
| ZND-5102 | The password is null or empty. | Provide a valid password. |
| ZND-5103 | The Zendesk client Id is null or empty. | Provide a valid client Id. |
| ZND-5104 | The Zendesk client Secret is null or empty. | Provide a valid client Secret. |
| ZND-5105 | Invalid date format for field 'sinceDate'. | Date format should be yyyy-MM-dd HH:mm:ss. |
| ZND-5106 | Invalid value for field 'sinceDate'. | Since date should not be greater than the current date. |
| ZND-5107 | The datatype for the index field is invalid. | Only String, Date and Long formats are supported for field mappings. |
| ZND-5108 | The isCrawTicket value is invalid. | isCrawTicket should be a boolean value true or false. |
| ZND-5109 | The isCrawTicketComment value is invalid. | isCrawTicketComment should be a boolean value true or false. |
| ZND-5110 | The isCrawTicketCommentAttachment value is invalid. | isCrawTicketCommentAttachment should be a boolean value true or false. |
| ZND-5111 | The isCrawlArticle value is invalid. | isCrawlArticle should be a boolean value true or false. |
| ZND-5112 | The isCrawlArticleComment value is invalid. | isCrawlArticleComment should be a boolean value true or false. |
| ZND-5113 | The isCrawlArticleAttachment value is invalid. | isCrawlArticleAttachment should be a boolean value true or false. |
| ZND-5114 | The isCrawlCommunityTopic value is invalid. | isCrawlCommunityTopic should be a boolean value true or false. |
| ZND-5115 | The isCrawlCommunityPost value is invalid. | isCrawlCommunityPost should be a boolean value true or false. |
| ZND-5116 | The isCrawlCommunityPostComment value is invalid. | isCrawlCommunityPostComment should be a boolean value true or false. |
| ZND-5117 | Repository Configurations is null or empty. | Repository Configurations should not be null or empty value. |
| ZND-5118 | The Host Url pattern is not valid. | Provide a valid host url. Ex: 'https://\$1sub-domain\$1.zendesk.com/' or 'https://\$1sub-domain\$1.zendesk.com' |
| ZND-5119 | The URI is invalid. | Provide a valid URI. |
| ZND-5120 | The personal access token is null or empty. | Provide a valid patToken. |
| ZND-5121 | The auth type is incorrect. | The auth type should be OAuth2 or Oauth2-ImplicitGrantFlow. |
| ZND-5122 | The accessToken provided is expired, revoked, malformed or invalid. | Provide valid accessToken. |
| ZND-5123 | The access token doesn't have sufficient permission. | Check the user has sufficient permission to crawl. |
| ZND-5500 | Unable to fetch data from Zendesk. | Check your Zendesk account plan/subscription: it may have expired. |
| ZND-5501 | Unable to generate access token. | Check your Zendesk configuration and try again. |
| ZND-5502 | There was an error parsing the field value. The size has exceeded the maximum allowable limit. | The maximum size permitted is 1000 characters for the fields. |
| ZND-5503 | The url is invalid. | Provide valid URL. |