

# Share your enterprise data with data accessors using Amazon Q index
<a name="data-accessors"></a>

The Amazon Q Business data accessors feature allows you to securely share your enterprise data with verified independent software vendors (ISVs) using Amazon Q. This feature allows ISVs to retrieve relevant content from your Amazon Q index, enhancing their applications with your organization's knowledge. By granting controlled access to your data, you can leverage third-party tools while maintaining security and data access compliance.

DataAccessor supports two types of authorization patterns for accessing ISV end-user data on Amazon Q:
+  [Authorization Code](https://aws.amazon.com/about-aws/whats-new/2024/05/aws-iam-identity-pkce-authorizations-aws-applications/)

   AWS IAM Identity Center supports OAuth 2.0 authorization code flows using the Proof Key for Code Exchange (PKCE) standard. This provides AWS applications, such as Amazon Q Business, a simple and safe way to authenticate users and obtain their consent to access Amazon Q Business resources from desktops and mobile devices with web browsers.
+ [Trusted token issuer/App level authentication](https://docs.aws.amazon.com/singlesignon/latest/userguide/using-apps-with-trusted-token-issuer.html#trusted-token-issuer-overview) 
  + A trusted token issuer is an OAuth 2.0 authorization server that creates signed tokens. These tokens authorize applications that initiate requests (requesting applications) for access to AWS managed applications (receiving applications).
  +  [Consideration for granting an ISV with trusted token issuer based authorization](https://docs.aws.amazon.com/singlesignon/latest/userguide/using-apps-with-trusted-token-issuer.html#trusted-token-issuer-overview) 

This topic discusses how an Amazon Q Business administrator can connect to one of the supported data accessors.

**Topics**
+ [A list of verified software providers who are data accessors](data-accessors-list.md)
+ [Prerequisites](data-accessors-prerequisites.md)
+ [Add a data accessor (ISV) to connect to your Amazon Q index](data-accessors-granting-permissions.md)
+ [Completing the process to add a data accessor](data-accessors-external-setup.md)
+ [Deleting or removing a data accessor's access from your Amazon Q index](data-accessors-removing-access.md)

# A list of verified software providers who are data accessors
<a name="data-accessors-list"></a>

The following are the *verified* independent software vendors (ISVs) that are data accessors.
+ **Asana** — [Data accessor configuration registration page](https://help.asana.com/s/article/amazon-q?language=en_US)
+ **Miro**
+ **Zoom** — [Data accessor configuration registration page](https://www.zoom.com/en/products/custom-ai/)
+ **PagerDuty** — [Data accessor configuration registration page](https://support.pagerduty.com/main/docs/pagerduty-advance#connect-pagerduty-advance-with-amazon-q)
+ **Kore.ai** — [Data accessor configuration registration page](https://docs.kore.ai/ai-for-work/integration/amazon-q/)
+ **Karini AI** — [Data accessor configuration registration page](https://karini-ai.gitbook.io/karini-ai-documentation/amazon-q-data-accessor-integration)
+ **Revinova**
+ **Planview** (available in `us-west-2` only) — [Data accessor configuration registration page](https://success.planview.com/Planview_Viz/FAQs/General/Planview_Amazon_Q_Business_Integration_FAQ)
+ **Amplience** — [Data accessor configuration registration page](https://amplience.com/developers/docs/workforce-studio/integrations/amazon-q-index/)
+ **Saviynt**
+ **Webex by CISCO** — [Data accessor configuration registration page](https://help.webex.com/en-us/article/nhq0zj8/Set-up-AI-integrations-in-Control-Hub)
+ **Fireflies.ai**
+ **SUSE Rancher for Amazon Web Services**
+ **CXone Mpower**

# Prerequisites
<a name="data-accessors-prerequisites"></a>

To add an ISV as a data accessor, complete the following prerequisites:

1. [Get started with Amazon Q Business](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/getting-started.html)

1. [Create an Identity and Access Management (IAM) Identity Center-integrated application](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/create-application.html) (IAM Federated application environments are not supported at this time).

1. Set up the retriever and connect your data sources. For a complete list of data source connectors, see [supported connectors](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connectors-list.html). You need the relevant credentials from each connector that you want to retrieve data from. For more information, see [Creating a retriever for an Amazon Q Business application environment](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/select-retriever.html) and [Connecting Amazon Q Business data sources](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/data-sources.html).

1. If you are using a customer managed key in your Amazon Q Business Application, you must set your key policy to allow the ISV principal access to the KMS key with the following policy:

------
#### [ JSON ]

   ```
   {
       "Version": "2012-10-17",
       "Id": "isv-key-consolepolicy",
       "Statement": [
           {
               "Sid": "EnableIAMUserPermissions",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::111122223333:role/isv-role"
               },
               "Action": "kms:Decrypt",
               "Resource": "arn:aws:kms:us-east-1:111122223333:key/key-id",
               "Condition": {
                   "StringLike": {
                       "kms:ViaService": [
                           "qbusiness.us-east-1.amazonaws.com"
                       ]
                   }
               }
           }
       ]
   }
   ```

------
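
As an added example (not part of the AWS documentation), the following Python check reads a key policy and reports when the statement for the ISV role grants more than the policy above does: extra KMS actions, or a missing or different `kms:ViaService` value. `LOOSE_POLICY` and the function names are constructed for illustration.

```python
import json

# The key policy from this page (account, role and key IDs are the page's placeholders).
PAGE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Id": "isv-key-consolepolicy",
  "Statement": [{
    "Sid": "EnableIAMUserPermissions",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/isv-role"},
    "Action": "kms:Decrypt",
    "Resource": "arn:aws:kms:us-east-1:111122223333:key/key-id",
    "Condition": {"StringLike": {"kms:ViaService": ["qbusiness.us-east-1.amazonaws.com"]}}
  }]
}
""")

# Constructed variant with two mistakes: an extra action and no condition.
LOOSE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ConstructedLooseGrant",
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::111122223333:role/isv-role"]},
    "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
    "Resource": "*",
}]}


def _as_list(value):
    """IAM JSON allows a scalar wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_isv_grant(policy, isv_role_arn, region):
    """Return findings for each Allow statement that covers the ISV role."""
    expected = f"qbusiness.{region}.amazonaws.com"
    findings, matched = [], False
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        arns = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        # A wildcard principal also covers the ISV role, so it is audited too.
        if stmt.get("Effect") != "Allow" or not {isv_role_arn, "*"} & set(arns):
            continue
        matched = True
        sid = stmt.get("Sid", "<no Sid>")
        extra = sorted(set(_as_list(stmt.get("Action"))) - {"kms:Decrypt"})
        if extra:
            findings.append(f"{sid}: grants more than kms:Decrypt: {extra}")
        # Condition keys are case-insensitive; collect every kms:ViaService value.
        via = [v
               for op, keys in stmt.get("Condition", {}).items()
               if op in ("StringEquals", "StringLike")
               for key, val in keys.items() if key.lower() == "kms:viaservice"
               for v in _as_list(val)]
        if not via:
            findings.append(f"{sid}: no kms:ViaService condition, so the grant is "
                            "not limited to requests made through Amazon Q Business")
        findings += [f"{sid}: kms:ViaService {v!r} is not exactly {expected!r}"
                     for v in via if v != expected]
    if not matched:
        findings.append("no Allow statement names the ISV role")
    return findings


if __name__ == "__main__":
    role = "arn:aws:iam::111122223333:role/isv-role"
    for name, pol in (("page policy", PAGE_POLICY), ("loose policy", LOOSE_POLICY)):
        print(name, audit_isv_grant(pol, role, "us-east-1") or "OK")
```
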

# Add a data accessor (ISV) to connect to your Amazon Q index
<a name="data-accessors-granting-permissions"></a>

After setting up your application environment and connecting your data source(s), Amazon Q Business begins indexing your enterprise data. You still need to add the software provider (ISV) as a data accessor and provide configuration details to the ISV so that it can retrieve content from your Amazon Q index. By adding a data accessor, you grant the ISV's AWS account access to the Amazon Q index via the `SearchRelevantContent` API operation.

You can grant data accessor permissions to your Amazon Q index using either the Amazon Q Business console or the Amazon Q Business API. The following procedures show how to do this using the Amazon Q Business console or the AWS CLI.

**Important**  
You must provide the setup details generated when adding your ISV as a data accessor to your ISV so they can access your Amazon Q index. You can find this information at any time in the **Information for data accessor** tab in the **data accessor details** page which is accessed by choosing the accessor **Name** from the **Data accessors** table on the **Data accessors** page.

The following tabs provide the instructions for how to retrieve your `Tenant ID` for each ISV. In data accessors, the `External Id` is the same as `Tenant Id`.

------
#### [ Asana ]

In Asana, the Tenant ID in Amazon Q Business Data Accessor is called the `domain ID`. You can use the following instructions to retrieve the Asana Tenant ID:

1. Choose your account profile picture and select Admin Console.

2. Select Settings.

3. Scroll to Domain Settings to retrieve the Tenant ID.

------
#### [ PagerDuty ]

In PagerDuty, the tenant ID in Amazon Q Business Data Accessor is called the tenant ID. You can use the following instructions to retrieve the PagerDuty Tenant ID:

1. Select the User Icon.

2. Select Account Settings.

3. Select the PagerDuty Advance tab.

4. Toggle Enable Amazon Q to the on position.

5. The PagerDuty Tenant ID is now available from the Amazon Q Business Configuration Values modal.

------
#### [ Kore.ai (AIforWork) ]

In AIforWork, the Tenant ID is displayed directly in the setup form. You can use the following instructions to retrieve the Kore.ai Tenant ID:

1. Navigate to AIforWork platform.

2. When setting up an Enterprise Knowledge or Search Agent, choose **Q for Business**.

3. In the setup form that opens, the Tenant ID is displayed and ready to copy.

------
#### [ Revinova ]

The Portal ID in Revinova is the Tenant ID for Amazon Q Business Data Accessor. You can use the instructions below to retrieve the Portal ID from Revinova.

1. Log in to the admin console.

1. Navigate to the portals dashboard using the **Portals** menu under the settings menu collection.

1. In the portal's grid, hover on the header of any of the columns and click on the hamburger menu shown in the column to open the column options context menu.

1. Click on the grid icon available on the top right corner of the column options context menu.

1. Select **ID** from the list of columns available for display, and it will show the portal IDs in the grid.

1. You can get the ID for the portal from the corresponding row.

------
#### [ Planview ]

Your Planview Tenant ID is a unique identifier in UUID/GUID format (e.g., 12345678-1234-1234-1234-123456789abc).

For Planview, the Tenant ID information can be found in their integration documentation. You can use the following resource to retrieve the Tenant ID for Planview Viz integration with Amazon Q Business.

1. Refer to the [Planview Amazon Q Business Integration FAQ](https://success.planview.com/Planview_Viz/FAQs/General/Planview_Amazon_Q_Business_Integration_FAQ) for detailed instructions on retrieving your Tenant ID.

**Note**  
Planview data accessor is only available in the `us-west-2` region.

------
#### [ Amplience ]

For Amplience, the Tenant ID is the Hub ID. You can use the following instructions to retrieve the Amplience Tenant ID.

1. Within Amplience Dynamic Content, switch into the Hub you wish to connect.

1. Select the settings icon in the top right corner and select the **Properties** menu item.

1. The Hub ID will be displayed with a copy to clipboard option.

------
#### [ Saviynt ]

For Saviynt, the Tenant ID is the FQDN from the Saviynt Console. You can use the following instructions to retrieve the Saviynt FQDN.

The URL will look similar to this example: `https://ispm-dev.saviyntcloud.com/`. The Tenant ID from this example is `ispm-dev.saviyntcloud.com`.

------
#### [ Webex by CISCO ]

In Webex, the tenant ID in Amazon Q Business Data Accessor is called the Organization ID. You can use the following instructions to retrieve the Webex Tenant ID.

1. Log in to Cisco Control Hub.

2. Go to the Account > Info page.

3. Copy the Organization ID.

------
#### [ Fireflies.ai ]

When prompted for the Tenant ID, enter the Team ID.

------
#### [ Miro ]

For Miro, the Tenant ID is the Organization ID. Organization admins can navigate to the 'Organization profile' page and get the ID from the address bar.

------
#### [ SUSE Rancher for Amazon Web Services ]

For SUSE Rancher for Amazon Web Services, the Tenant ID is the `tenant-uid`. The `tenant-uid` can be found within the application, in the About info at the top right of the screen.

------
#### [ CXone Mpower ]

For CXone Mpower, the Tenant ID required for the Amazon Q Business Data Accessor is displayed on your My Profile page. To access this page:

- In the upper‑right corner of any page in the platform, click your initials.

- Select My Profile from the menu.

- On the General tab of the My Profile page, locate your Tenant ID.

------

**Topics**
+ [Add a data accessor using the console](#data-accessors-granting-permissions-console)
+ [Adding a data accessor using the AWS CLI](#data-accessors-granting-permissions-cli)

## Add a data accessor using the console
<a name="data-accessors-granting-permissions-console"></a>

Prerequisite for both Auth code and TTI configurations.

`tenantID`

The `tenantID` is a unique identifier for your application tenant. Each application might have different terms for a tenant such as Workspace ID for Slack or Domain ID for Asana. You can review the [Prerequisites](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/isv-prerequisites.html) page to see how to retrieve the `TenantId` for your application.

1. Sign in to the Amazon Q Business console.

1. Choose **Applications**, then select the name of your application environment from the list.

1. From the left navigation, choose **Data accessors**.

1. Choose the authentication method, **Auth Code** or **Trusted Token Issuer (TTI)** from the list of options.

1. Choose from the list of approved and supported data accessors (ISVs).

1. Choose a **Name** for this data accessor's instance, for example `<your application-name>-<accessor-name>`.

   If you chose TTI, follow these steps to configure the authentication:

   1. Enter your **External Id (same as Tenant Id)**, **Trust Token Issuer name**, **Identity provider attribute**, and **IAM Identity Center attribute**.

   1. Select **Create trusted token issuer**.

1. For **Data source access**, choose **Allow all** or **Allow specific data sources**, depending on whether you want to give the ISV access to all or only certain data sources from your Amazon Q index.

1. Choose the end **User access**. These are the end users that will connect with and use the Amazon Q index data from within the ISV's application. You can choose between all users that have access to the Amazon Q Business application environment or a subset of users and groups that you can define.

1. Choose **Add data accessor** to confirm your choices and add the data accessor.

   **Note**  
   You must provide the setup details generated when adding your ISV as a data accessor to your ISV so they can access your Amazon Q index. You can find this information at any time in the **Information for data accessor** tab in the **data accessor details** page which is accessed by choosing the accessor **Name** from the **Data accessors** table on the **Data accessors** page.

1. The data accessor you have added will now appear as an entry in the table on the main **Data accessors** page.

## Adding a data accessor using the AWS CLI
<a name="data-accessors-granting-permissions-cli"></a>

To add an ISV as a data accessor, you need to call three APIs. First, the `CreateDataAccessor` API operation creates a data accessor and associates it with your application ID. Next, the `AssociatePolicy` API operation attaches the resource-based policy for cross-account API calls. Finally, you set your user assignment for the IAM Identity Center (IDC) application environment with the `PutApplicationAssignment` API. For granular user access control, use the Amazon Q Business console.

Prerequisite for both Auth code and TTI configurations.

`tenantID`

The `tenantID` is a unique identifier for your application tenant. Each application might have different terms for a tenant such as Workspace ID for Slack or Domain ID for Asana. You can review the [Prerequisites](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/isv-prerequisites.html) page to see how to retrieve the `TenantId` for your application.

### ISV data accessor principal role ARNs for the CreateDataAccessor API
<a name="data-accessors-granting-permissions-cli-principal-arns"></a>

The following are the `principal` role ARNs for the supported ISVs:
+ Asana — `arn:aws:iam::865993441991:role/autogen_role_customer-byoq-data-accessor_customer_q_biz_d-217f4f`
+ Miro — `arn:aws:iam::380983552397:role/AwsQBusinessMiroRetriever`
+ Zoom — `arn:aws:iam::796973485215:role/zoom-ai-amazon-q-business-retrieval-role`
+ PagerDuty — `arn:aws:iam::748801462010:role/terraform/pagerduty-isv-qretriever-dataaccessor-role`
+ Kore.ai — `arn:aws:iam::452460288037:role/Q4BTrustPolicyRole`
+ Karini AI — `arn:aws:iam::891377073540:role/Karini-AmazonQ-Data-Accessor-Role`
+ Revinova — `arn:aws:iam::833755663361:role/revinova_q_business_isv_role`
+ Planview (available in `us-west-2` only) — `arn:aws:iam::431569694887:role/ep-copilot-production-us-west-2-q-index-role-tti`
+ Amplience — `arn:aws:iam::123645302184:role/q-index-isv-role`
+ Saviynt — `arn:aws:iam::249469748895:role/ispm-isv-qindex`
+ Webex by CISCO — `arn:aws:iam::973559386291:role/WebexSuit-QIndex-role-prod`
+ Fireflies.ai — `arn:aws:iam::466023587921:role/awsQAccessorRole`
+ SUSE Rancher for Amazon Web Services — `arn:aws:iam::940482441539:role/mcm-q-data-accessor`
+ CXone Mpower — `arn:aws:iam::765956972205:role/nice_csa_kh_qindex_retriever_trust_role` 

### Action configuration (JSON) example for the CreateDataAccessor API
<a name="data-accessors-granting-permissions-cli-action-config"></a>
+ `action` — Only `qbusiness:SearchRelevantContent` is supported now
+ `filterConfiguration`: Specifies the data source id of the Amazon Q application environment. The ISV will only have access to the data from the specified data source id. If there is no data source id specified, the ISV will have access to all the data sources.

```
[
    {
        "action": "qbusiness:SearchRelevantContent",
        "filterConfiguration": {
            "documentAttributeFilter": {
                "equalsTo": {
                    "name": "_data_source_id",
                    "value": {
                        "stringValue": "your_datasource_id"
                    }
                }
            }
        }
    }
]
```

### CLI example
<a name="data-accessors-granting-permissions-cli-example"></a>

The following CLI example shows how to create a data accessor and associate the necessary permissions with all end users enabled for this data accessor:

```
# Quote every variable so that JSON values and ARNs reach the CLI as single arguments.
aws qbusiness create-data-accessor \
  --application-id "${qbusiness_application_id}" \
  --principal "${isv_data_accessor_role_arn}" \
  --action-configurations "${action_configuration}" \
  --display-name "${qbusiness_data_accessor_name}" \
  --authentication-detail "${authentication_detail}"

aws qbusiness associate-permission \
  --application-id "${qbusiness_application_id}" \
  --statement-id "${statement_id}" \
  --actions "${actions}" \
  --principal "${isv_data_accessor_role_arn}" \
  --conditions "${conditions}"

aws sso-admin put-application-assignment-configuration \
  --application-arn "${qbusiness_data_accessor_idc_application_arn}" \
  --no-assignment-required \
  --region "${idc_region}"
```

The following CLI example shows how to add authentication details in your request:

```
# For a TTI-based data accessor
"authenticationDetail": {
    "authenticationType": "AWS_IAM_IDC_TTI",
    "authenticationConfiguration": {
        "idcTrustedTokenIssuerConfiguration": {
            "idcTrustedTokenIssuerArn": "${IDC trusted token issuer created using ISV issuer URL}"
        }
    },
    "externalIds": [
        "${ISV tenantId}"
    ]
}

# For an Auth code-based data accessor
"authenticationDetail": {
    "authenticationType": "AWS_IAM_IDC_AUTH_CODE",
    "externalIds": [
        "${ISV tenantId}"
    ]
}
```
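
As an added example (not AWS code), the following Python function reviews a planned `CreateDataAccessor` request before it is sent, using only the values and JSON shapes shown in this section: the verified principal ARNs, the single supported action, the `_data_source_id` filter, and the two authentication types. The function name, the `GOOD` and `BAD` requests, and the tenant and data source IDs in them are constructed for illustration.

```python
# Principal role ARNs copied from the list on this page.
VERIFIED_PRINCIPALS = {
    "Asana": "arn:aws:iam::865993441991:role/autogen_role_customer-byoq-data-accessor_customer_q_biz_d-217f4f",
    "Miro": "arn:aws:iam::380983552397:role/AwsQBusinessMiroRetriever",
    "Zoom": "arn:aws:iam::796973485215:role/zoom-ai-amazon-q-business-retrieval-role",
    "PagerDuty": "arn:aws:iam::748801462010:role/terraform/pagerduty-isv-qretriever-dataaccessor-role",
    "Kore.ai": "arn:aws:iam::452460288037:role/Q4BTrustPolicyRole",
    "Karini AI": "arn:aws:iam::891377073540:role/Karini-AmazonQ-Data-Accessor-Role",
    "Revinova": "arn:aws:iam::833755663361:role/revinova_q_business_isv_role",
    "Planview": "arn:aws:iam::431569694887:role/ep-copilot-production-us-west-2-q-index-role-tti",
    "Amplience": "arn:aws:iam::123645302184:role/q-index-isv-role",
    "Saviynt": "arn:aws:iam::249469748895:role/ispm-isv-qindex",
    "Webex by CISCO": "arn:aws:iam::973559386291:role/WebexSuit-QIndex-role-prod",
    "Fireflies.ai": "arn:aws:iam::466023587921:role/awsQAccessorRole",
    "SUSE Rancher for Amazon Web Services": "arn:aws:iam::940482441539:role/mcm-q-data-accessor",
    "CXone Mpower": "arn:aws:iam::765956972205:role/nice_csa_kh_qindex_retriever_trust_role",
}
SUPPORTED_ACTION = "qbusiness:SearchRelevantContent"
AUTH_TYPES = {"AWS_IAM_IDC_TTI", "AWS_IAM_IDC_AUTH_CODE"}


def review_request(principal, action_configurations, authentication_detail):
    """Return (errors, warnings) for a planned CreateDataAccessor request."""
    errors, warnings = [], []
    if principal not in VERIFIED_PRINCIPALS.values():
        errors.append(f"principal {principal} is not in the verified ISV list")
    if not action_configurations:
        errors.append("actionConfigurations is empty")
    for cfg in action_configurations:
        if cfg.get("action") != SUPPORTED_ACTION:
            errors.append(f"unsupported action {cfg.get('action')!r}")
        # Only the single equalsTo form shown on this page is recognised here.
        eq = (cfg.get("filterConfiguration", {})
                 .get("documentAttributeFilter", {}).get("equalsTo", {}))
        if eq.get("name") != "_data_source_id" or not eq.get("value", {}).get("stringValue"):
            warnings.append("no _data_source_id filter: the ISV can search every data source")
    auth_type = authentication_detail.get("authenticationType")
    if auth_type not in AUTH_TYPES:
        errors.append(f"unknown authenticationType {auth_type!r}")
    if auth_type == "AWS_IAM_IDC_TTI":
        issuer = (authentication_detail.get("authenticationConfiguration", {})
                  .get("idcTrustedTokenIssuerConfiguration", {})
                  .get("idcTrustedTokenIssuerArn"))
        if not issuer:
            errors.append("TTI accessor has no idcTrustedTokenIssuerArn")
    external_ids = authentication_detail.get("externalIds") or []
    if not external_ids or any(not e or "${" in e for e in external_ids):
        errors.append("externalIds must contain the ISV tenant ID")
    return errors, warnings


# Constructed requests: GOOD follows the page's JSON shapes; BAD uses an unlisted role,
# no data source filter, TTI without an issuer ARN and an unfilled placeholder.
GOOD = dict(
    principal=VERIFIED_PRINCIPALS["Miro"],
    action_configurations=[{
        "action": SUPPORTED_ACTION,
        "filterConfiguration": {"documentAttributeFilter": {"equalsTo": {
            "name": "_data_source_id", "value": {"stringValue": "constructed-datasource-id"}}}},
    }],
    authentication_detail={"authenticationType": "AWS_IAM_IDC_AUTH_CODE",
                           "externalIds": ["constructed-tenant-id"]},
)
BAD = dict(
    principal="arn:aws:iam::111122223333:role/isv-role",
    action_configurations=[{"action": SUPPORTED_ACTION}],
    authentication_detail={"authenticationType": "AWS_IAM_IDC_TTI",
                           "externalIds": ["${ISV tenantId}"]},
)

if __name__ == "__main__":
    for name, req in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, review_request(**req))
```
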

# Completing the process to add a data accessor
<a name="data-accessors-external-setup"></a>

After you grant a software provider (ISV) data accessor permissions, you'll need to provide AWS or the ISV with the following configuration parameters. They will reach out to you to source these configuration parameters. These values are required inputs when the ISV uses the `SearchRelevantContent` API operation to perform cross-account access of the data from your Amazon Q index.

**Topics**
+ [Using the AWS Management Console](#data-accessors-completing-process-console)
+ [Using the AWS CLI](#data-accessors-completing-process-cli)

These parameters are all easily accessed from the AWS Management Console:

1. Amazon Q Business application ID — This is the unique identifier of the Amazon Q Business application environment. It tells the ISV what Amazon Q application environment is associated with the Amazon Q index.

1. The Amazon Q Business application Region — This is the AWS Region where the Amazon Q Business application environment is created.

1. Amazon Q Business retriever ID — This is the unique identifier for the retriever. The retriever gets the data from the Amazon Q index configured by the Amazon Q customer.

1. Data accessor application ARN — This is the ISV Amazon Resource Name (ARN). It is used to identify the ISV when it is accessing a customer's Amazon Q index.

1. The Region for the Identity and Access Management (IAM) Identity Center (IDC) instance — This is the AWS Region where the IDC instance of the customer has been created.

The ISV can then begin retrieving content from the Amazon Q index by calling the `SearchRelevantContent` API. The `SearchRelevantContent` API follows Amazon Q Business access control standards by only retrieving data that the customer's end users have been given access to.

## Using the AWS Management Console
<a name="data-accessors-completing-process-console"></a>

To access these variables in the Amazon Q Business console:

1. Sign in to the AWS Management Console and choose the **Amazon Q Business** console.

1. Choose **Applications**, then select the name of your application environment from the list.

1. On the **Application details** page, note the **Application id** and the application environment **Region**, which is shown in the top right corner of the console navigation bar.

1. From the left navigation, choose **Data sources**.

1. On the **Data sources** page, note the **Retriever id**.

1. From the left navigation, choose **Data accessors**.

1. Choose the **Data accessor** from the **Data accessor(s) list** section.

1. On the **Data accessor details** page, note the **Data accessor IDC application ARN**.

1. To get the IAM Identity Center (IDC) Region, open the IAM IDC console and choose **Dashboard**. You can find the IDC **Region** in the Summary Settings section on that page.

## Using the AWS CLI
<a name="data-accessors-completing-process-cli"></a>

The Amazon Q Business `applicationId` and the `dataAccessorArn` are included in the response of the `GetDataAccessor` API. To get the Region of your IDC instance and the IDC application environment, visit the IAM Identity Center page in the AWS Management Console.

```
# To get qbusiness application id
aws qbusiness list-applications
{
    "applications": [
        {
            "displayName": "your_qbusiness_application",
            "applicationId": ${qbusiness_application_id},
            "createdAt": ...,
            "updatedAt": ...,
            "status": "ACTIVE",
            "identityType": "AWS_IAM_IDC"
        }
    ]
}

# To get IDC application arn
aws qbusiness list-data-accessors --application-id ${qbusiness_application_id}
{
    "dataAccessors": [
        {
            "displayName": "Miro-3ajmo",
            "dataAccessorId": "7493bad6-df69-487c-b2b3-cd55bf01434c",
            "idcApplicationArn": "your_idc_application_arn",
            "principal": "arn:aws:iam::419356813857:role/AwsQBusinessMiroRetrievalRole",
            ...
        }
    ]
}

# To get retriever id
aws qbusiness list-retrievers \
  --application-id ${qbusiness_application_id}
{
    "retrievers": [
        {
            "applicationId": ${qbusiness_application_id},
            "retrieverId": "your_retriever_id",
            "type": "NATIVE_INDEX",
            "status": "ACTIVE",
            "displayName": "..."
        }
    ]
}
```

# Deleting or removing a data accessor's access from your Amazon Q index
<a name="data-accessors-removing-access"></a>

You can remove a data accessor's permissions to your Amazon Q index using the Amazon Q Business console or the Amazon Q Business API using the AWS SDK, REST API, or AWS CLI. Once deleted, you will have to add the data accessor and reconfigure access to grant the data accessor access again.

The following procedures show how you delete or remove a data accessor using the Amazon Q Business console or the AWS CLI.

**Topics**
+ [Using the Amazon Q Business console](#data-accessors-removing-access-console)
+ [Using the AWS CLI](#data-accessors-removing-access-cli)

## Using the Amazon Q Business console
<a name="data-accessors-removing-access-console"></a>

1. Sign in to the AWS Management Console and open the Amazon Q Business console.

1. Choose **Applications**, then select the name of your application environment from the list.

1. From the left navigation, choose **Data accessors**.

1. From the **Data accessor** table, select the data accessor that you want to delete.

1. Choose **Actions**, then choose **Delete**.

1. Confirm your choice.

## Using the AWS CLI
<a name="data-accessors-removing-access-cli"></a>

```
# Delete the data accessor, then remove the permission statement that was associated with it.
aws qbusiness delete-data-accessor \
  --application-id "${qbusiness_application_id}" \
  --data-accessor-id "${qbusiness_data_accessor_id}"

aws qbusiness disassociate-permission \
  --application-id "${qbusiness_application_id}" \
  --statement-id "${policy_statement_id}"
```