Configuring IAM permissions
This topic describes the IAM permissions that you configure for the Amazon Q chat experience and the Amazon Glue Studio notebook experience.
Configuring IAM permissions for Amazon Q chat
Access to the APIs used by Amazon Q data integration in Amazon Glue requires appropriate Amazon Identity and Access Management (IAM) permissions. You can obtain these permissions by attaching the following custom Amazon policy to your IAM identity (such as a user, role, or group):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:StartCompletion",
        "glue:GetCompletion"
      ],
      "Resource": [
        "arn:aws:glue:*:*:completion/*"
      ]
    }
  ]
}
Configuring IAM permissions for Amazon Glue Studio notebooks
To enable Amazon Q data integration in Amazon Glue Studio notebooks, ensure the following permission is attached to the notebook IAM role:
Note
The codewhisperer prefix is a legacy name from a service that merged with Amazon Q Developer. For more information, see Amazon Q Developer rename - Summary of changes.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:StartCompletion",
        "glue:GetCompletion"
      ],
      "Resource": [
        "arn:aws:glue:*:*:completion/*"
      ]
    },
    {
      "Sid": "AmazonQDeveloperPermissions",
      "Effect": "Allow",
      "Action": [
        "codewhisperer:GenerateRecommendations"
      ],
      "Resource": "*"
    }
  ]
}
Note
Amazon Q data integration in Amazon Glue does not have APIs available through the Amazon SDK that you can use programmatically. The following two APIs are used in the IAM policy for enabling this experience through the Amazon Q chat panel or Amazon Glue Studio notebooks: StartCompletion and GetCompletion.
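The two policies above grant three actions in total, each on a specific resource. The following check is an added example, not part of the original documentation: it compares a policy document against those grants and reports anything broader, different, or missing. The function name audit_policy, the constant names, and the over-broad sample policy are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

COMPLETION_ARN = "arn:aws:glue:*:*:completion/*"
# IAM action names are case-insensitive, so everything is compared in lowercase.
CHAT = {"glue:startcompletion": COMPLETION_ARN,
        "glue:getcompletion": COMPLETION_ARN}
NOTEBOOK = {**CHAT, "codewhisperer:generaterecommendations": "*"}

# The notebook policy shown on this page.
PAGE_NOTEBOOK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["glue:StartCompletion", "glue:GetCompletion"],
     "Resource": [COMPLETION_ARN]},
    {"Sid": "AmazonQDeveloperPermissions", "Effect": "Allow",
     "Action": ["codewhisperer:GenerateRecommendations"], "Resource": "*"}]})
# Constructed sample (not from the page): the same grants written too broadly.
BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["glue:*", "codewhisperer:GenerateRecommendations"],
     "Resource": "*"}]})

def _as_list(value):
    """Statement, Action and Resource may each be a single item or a list."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def audit_policy(policy_json, notebook=False):
    """Return findings where Allow statements differ from the page's policy."""
    expected = NOTEBOOK if notebook else CHAT
    granted, findings = {}, []  # granted: action -> set of allowed resources
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append("uses NotAction/NotResource: review by hand")
        for action in _as_list(stmt.get("Action", [])):
            granted.setdefault(action.lower(), set()).update(
                _as_list(stmt.get("Resource", [])))
    for action, resources in sorted(granted.items()):
        if "*" in action or "?" in action:
            findings.append(f"wildcard action: {action}")
        elif action not in expected:
            findings.append(f"action not in the page's policy: {action}")
        elif resources != {expected[action]}:
            findings.append(f"resource differs for {action}: {sorted(resources)}")
    for action in sorted(expected):
        if not any(fnmatchcase(action, pattern) for pattern in granted):
            findings.append(f"missing action: {action}")
    return findings

if __name__ == "__main__":
    print(audit_policy(BROAD_POLICY, notebook=True))
```

Pass notebook=True when checking a policy attached to a notebook IAM role, and leave it at the default for an identity that only uses the Amazon Q chat panel.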
Assigning permissions
To provide access, add permissions to your users, groups, or roles:
- Users and groups in Amazon IAM Identity Center: Create a permission set. Follow the instructions in Create a permission set in the Amazon IAM Identity Center User Guide.
- Users managed in IAM through an identity provider: Create a role for identity federation. Follow the instructions in Creating a role for a third-party identity provider (federation) in the IAM User Guide.
- IAM users:
  - Create a role that your user can assume. Follow the instructions in Creating a role for an IAM user in the IAM User Guide.
  - (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in Adding permissions to a user (console) in the IAM User Guide.