Configuring IAM permissions for Amazon Q chat Configuring IAM permissions for Amazon Glue Studio notebooks

Configuring IAM permissions

This topic describes the IAM permissions that you configure for the Amazon Q chat experience, and the Amazon Glue Studio notebook experience.

Topics

Configuring IAM permissions for Amazon Q chat
Configuring IAM permissions for Amazon Glue Studio notebooks

Configuring IAM permissions for Amazon Q chat

Granting permissions to the APIs used by Amazon Q data integration in Amazon Glue requires appropriate Amazon Identity and Access Management (IAM) permissions. You can obtain permissions by attaching the following custom Amazon policy to your IAM identity (such as a user, role, or group):


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "glue:StartCompletion",
                "glue:GetCompletion"
            ],
            "Resource": [
                "arn:aws:glue:*:*:completion/*"
            ]
        }
    ]
}

Configuring IAM permissions for Amazon Glue Studio notebooks

To enable Amazon Q data integration in Amazon Glue Studio notebooks, ensure the following permission is attached to the notebook IAM role:

Note

The codewhisperer prefix is a legacy name from a service that merged with Amazon Q Developer. For more information, see Amazon Q Developer rename - Summary of changes.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "glue:StartCompletion",
                "glue:GetCompletion"
            ],
            "Resource": [
                "arn:aws:glue:*:*:completion/*"
            ]
        },
        {
            "Sid": "AmazonQDeveloperPermissions",
            "Effect": "Allow",
            "Action": [
                "codewhisperer:GenerateRecommendations"
            ],
            "Resource": "*"
        }
    ]
}

Note

Amazon Q data integration in Amazon Glue does not have APIs available through the Amazon SDK that you can use programmatically. The following two APIs are used in the IAM policy for enabling this experience through the Amazon Q chat panel or Amazon Glue Studio notebooks: StartCompletion and GetCompletion.

Assigning permissions

To provide access, add permissions to your users, groups, or roles:

Users and groups in Amazon IAM Identity Center: Create a permission set. Follow the instructions in Create a permission set in the Amazon IAM Identity Center User Guide.
Users managed in IAM through an identity provider: Create a role for identity federation. Follow the instructions in Creating a role for a third-party identity provider (federation) in the IAM User Guide.
IAM users:
- Create a role that your user can assume. Follow the instructions in Creating a role for an IAM user in the IAM User Guide.
- (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in Adding permissions to a user (console) in the IAM User Guide.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Setting up Amazon Q data integration

Supported code generation