:zap: If you created a new Amazon Q Business application on or after April 30th, 2024, you can now set up a Slack gateway using the updated instructions provided below. These new Amazon Q Business applications are integrated with IAM Identity Center. The CloudFormation (CFN) template and the necessary steps have been updated to accommodate the setup of the Slack gateway for new applications. |
---|
Note: The instructions provided in this guide are specific to Okta, but they should also work for other OIDC-compliant OpenID Providers/Identity Providers (IdPs) with minor adjustments.
Amazon Q Business is a generative AI-powered application that helps users get work done. Amazon Q Business can become your tailored business expert and let you discover content, brainstorm ideas, or gain further insight using your company’s data safely and securely. For more information see: Introducing Amazon Q, a new generative AI-powered assistant (preview)
In this repo we share a project which lets you connect your Amazon Q Business application to your Slack workspace and allow Slack members to access your organization's data and knowledge sources via conversational question-answering. You can connect to your organization data via data source connectors and integrate it with Slack Gateway for Amazon Q Business to enable access to your Slack workspace members. It allows your users to:
It's amazingly powerful. Here's a demo - seeing is believing!
It's easy to deploy in your own AWS Account, and add to your own Slack Workspace. We show you how below.
/new_conversation
This sample Amazon Q Slack application is provided as open source - use it as a starting point for your own solution, and help us make it better by contributing back fixes and features via GitHub pull requests. Explore the code, choose Watch to be notified of new releases, and check back for the latest updates.
Follow the instructions below to deploy the project to your own AWS account and Slack workspace, and start experimenting!
You need to have an AWS account and an IAM Role/User with permissions to create and manage the necessary resources and components for this application. (If you do not have an AWS account, please see How do I create and activate a new Amazon Web Services account?)
You need to have an Okta Workforce Identity Cloud account. If you haven't signed up yet, see Signing up for Okta.
You need to configure SAML and SCIM with Okta and IAM Identity Center. If you haven't configured them yet, see Configuring SAML and SCIM with Okta and IAM Identity Center.
You also need to have an existing, working Amazon Q Business application integrated with IdC. If you haven't set one up yet, see Creating an Amazon Q application.
You need to have users who are subscribed to your Amazon Q Business application and are able to access the Amazon Q Web Experience. If you haven't set this up yet, see Subscribing users to an Amazon Q application.
You need to have the latest version of the AWS CLI installed on your Linux or macOS system. If you haven't installed it yet, see Installing the AWS CLI version 2.
Create the client as a 'Web app'. You will want to enable the 'Refresh Token' grant type, 'Allow everyone in your organization to access', and 'Federation Broker Mode'. Use a placeholder URL, like https://example.com, for the redirect URI, as you will update this later (in step 3).
Create a trusted token issuer to trust tokens from your Okta tenant using the instructions listed here - https://docs.aws.amazon.com/singlesignon/latest/userguide/using-apps-with-trusted-token-issuer.html. Or you can run the script below.
For the script, you need to have the OIDC issuer URL and the AWS region in which you have your Q Business application. To retrieve the OIDC issuer URL, go to the Okta account console, click the left hamburger menu, open Security > API, and copy the whole 'Issuer URI'.
The script will output the trusted token issuer ARN (TTI_ARN), which you will use in the next step.
```
export AWS_DEFAULT_REGION=<>
OIDC_ISSUER_URL=<>
bin/create-trusted-token-issuer.sh $OIDC_ISSUER_URL
```
Create a customer managed application in IAM Identity Center (IdC) by running the script below.
For the script, you need to have the OIDC client ID, the trusted token issuer ARN, and the region in which you have your Q Business application. To retrieve the OIDC client ID, go to the Okta account console, click the left hamburger menu, open Applications > Applications, and click on the application you created in step 1.1. Copy the 'Client ID'. For TTI_ARN, you can use the output from the previous step.
The script will output the gateway IdC application ARN (GATEWAY_IDC_ARN), which you will use in the next step.
```
export AWS_DEFAULT_REGION=<>
OIDC_CLIENT_ID=<>
TTI_ARN=<>
bin/create-idc-application.sh $OIDC_CLIENT_ID $TTI_ARN
```
We've made this easy by providing pre-built AWS CloudFormation templates that deploy everything you need in your AWS account.
If you are a developer, and you want to build, deploy and/or publish the solution from code, we've made that easy too! See Developer README
- `Stack Name`: Name your App, e.g. AMAZON-Q-SLACK-GATEWAY.
- `AmazonQAppId`: Your existing Amazon Q Application ID (copy from Amazon Q console).
- `AmazonQRegion`: Choose the region where you created your Amazon Q Application.
- `OIDCIdPName`: The name of the OIDC external identity provider. Specify 'Okta'. Cognito is also supported.
- `OIDCClientId`: The client ID of the OIDC client you created in step 1.1.
- `OIDCIssuerURL`: The issuer URL of the OIDC client you created in step 1.1.
- `GatewayIdCAppARN`: The application ARN of the IdC customer managed application you created in step 1.3.
- `ContextDaysToLive`: Just leave this as the default (90 days).

Region | Easy Deploy Button | Template URL - use to upgrade existing stack to a new release |
---|---|---|
N. Virginia (us-east-1) | | https://s3.us-east-1.amazonaws.com/aws-ml-blog-us-east-1/artifacts/amazon-q-slack-gateway/AmazonQSlackGateway.json |
Oregon (us-west-2) | | https://s3.us-west-2.amazonaws.com/aws-ml-blog-us-west-2/artifacts/amazon-q-slack-gateway/AmazonQSlackGateway.json |
When your CloudFormation stack status is CREATE_COMPLETE, choose the Outputs tab, and keep it open - you'll need it below.
Go to the app client settings created in Okta (in step 1.1), and update the client redirect URL with the value exported by the CloudFormation stack for OIDCCallbackEndpointExportedName.
Now you can create your new app in Slack!
NOTE: If you have deployed the Slack data source connector for Amazon Q you may already have an existing Slack app installed. Do not attempt to modify that data source connector app - create a new app instead.
SlackAppManifest.
App Home, scroll down to the section Show Tabs and enable Message Tab, then check the box Allow users to send Slash commands and messages from the messages tab - This is a required step to enable your user to send messages to your app.
Let's now add your app into your workspace; this is required to generate the Bot User OAuth Token value that will be needed in the next step.
Install to Workspace, this will generate the OAuth token.
IMPORTANT: In this example we are not enabling Slack token rotation. Enable it for a production app by implementing rotation via AWS Secrets Manager. Please create an issue (or, better yet, a pull request!) in this repo if you want this feature added to a future version.
SlackSecretConsoleUrl.
Retrieve secret value
Edit
Signing Secret and Bot User OAuth Token, you will find those values in the Slack application configuration under Basic Information and OAuth & Permissions. (Pro tip: Be careful you don't accidentally copy 'Client Secret' (wrong) instead of 'Signing Secret' (right)!)
OIDCClientSecretConsoleUrl.
Retrieve secret value
Edit
OidcClientSecret, you will find the value in the Okta app client settings (step 1.1).

Time to say Hi!
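What the Signing Secret stored in the Slack secret above is for, as an added example (not code from this project): Slack signs every request it sends with that secret, and a receiver recomputes the signature before acting on the request, which is why a pasted 'Client Secret' makes every request fail verification. The function names, the `SAMPLE` values and the lower-cased header map are assumptions of this sketch.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Slack signs each request as HMAC-SHA256(signingSecret, "v0:<timestamp>:<raw body>")
// and sends the result in the X-Slack-Signature header as "v0=<hex digest>".
const MAX_SKEW_SECONDS = 60 * 5; // reject old timestamps to limit replay

type Verdict = "ok" | "missing-headers" | "stale-timestamp" | "bad-signature";

function slackSignature(signingSecret: string, timestamp: string, rawBody: string): string {
  const digest = createHmac("sha256", signingSecret)
    .update(`v0:${timestamp}:${rawBody}`, "utf8")
    .digest("hex");
  return `v0=${digest}`;
}

function verifySlackRequest(
  signingSecret: string,
  headers: Record<string, string | undefined>, // header names lower-cased by the caller
  rawBody: string, // body exactly as received, before any form or JSON parsing
  nowSeconds: number = Math.floor(Date.now() / 1000),
): Verdict {
  const timestamp = headers["x-slack-request-timestamp"];
  const received = headers["x-slack-signature"];
  if (!timestamp || !received) return "missing-headers";

  const sentAt = Number(timestamp);
  if (!Number.isInteger(sentAt) || Math.abs(nowSeconds - sentAt) > MAX_SKEW_SECONDS) {
    return "stale-timestamp";
  }

  const expected = Buffer.from(slackSignature(signingSecret, timestamp, rawBody), "utf8");
  const actual = Buffer.from(received, "utf8");
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (expected.length !== actual.length || !timingSafeEqual(expected, actual)) {
    return "bad-signature";
  }
  return "ok";
}

// Constructed sample values, not real credentials or a captured request.
const SAMPLE = {
  signingSecret: "constructed-signing-secret",
  clientSecret: "constructed-client-secret",
  now: 1700000000,
  body: "command=%2Fnew_conversation&user_id=U0000000",
};
```

Verification needs the raw request body; a body that has been parsed and re-serialized will not reproduce the signature.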
We welcome your contributions to our project. Whether it's a bug report, new feature, correction, or additional documentation, we greatly value feedback and contributions from our community.
See CONTRIBUTING for more information.
See Security issue notifications for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.