boto / boto3

AWS SDK for Python
https://aws.amazon.com/sdk-for-python/
Apache License 2.0

list_q_apps Always Unauthorized #4198

Closed Nick6464 closed 2 months ago

Nick6464 commented 2 months ago

Describe the bug

Regardless of Instance Id, or IAM user Permissions, list_q_apps is always unauthorized.

Expected Behavior

When the Access Keys used have the correct perms, list_q_apps lists the q apps

Current Behavior

unauthorized

Reproduction Steps

import boto3
import os
from dotenv import load_dotenv

# Load environment variables from .env file
load_dotenv()

def list_q_apps():
    # Credentials and region are read from the environment rather than hard-coded
    client = boto3.client(
        "qapps",
        aws_access_key_id=os.getenv("AWS_ACCESS_KEY_ID"),
        aws_secret_access_key=os.getenv("AWS_SECRET_ACCESS_KEY"),
        region_name=os.getenv("AWS_REGION")
    )

    try:
        # ListQApps needs the Q Business application instance id
        response = client.list_q_apps(instanceId=os.getenv("INSTANCE_ID"))
        return response
    except Exception as e:
        # Any failure (including UnauthorizedException) is printed and swallowed
        print(f"Error listing Q Apps: {e}")
        return None

if __name__ == "__main__":
    response = list_q_apps()
    if response:
        print("Q Apps listed successfully.")
        print(response)
    else:
        print("Failed to list Q Apps.")

Have an IAM user with the policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "qbusiness:*",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "qapps:*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Run the code and it fails, Unauthorized

Possible Solution

Make it work like list_library_items, which works as expected

Additional Information/Context

No response

SDK version used

1.34.143

Environment details (OS name and version, etc.)

Windows 11

Nick6464 commented 2 months ago

It appears that the same happens for get_library_item and get_q_app

tim-finnigan commented 2 months ago

Thanks for reaching out. Linking the list_q_apps documentation for reference. That Boto3 command involves a call to the ListQApps API, which is returning one of these errors. Which error are you getting specifically? If you could share your debug logs (with sensitive info redacted) by adding boto3.set_stream_logger('') to your script then that should give more insight into the issue here.

Can you also verify that the profile you are using has permissions to run Q Apps actions? Here are the prerequisites for using Q Apps: https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/purpose-built-qapps-prerequisites.html.

You can create a policy enabling Q Apps access here in IAM:


Nick6464 commented 2 months ago

Thanks for the quick reply!

2024-07-12 11:52:16,513 botocore.hooks [DEBUG] Changing event name from creating-client-class.iot-data to creating-client-class.iot-data-plane
2024-07-12 11:52:16,514 botocore.hooks [DEBUG] Changing event name from before-call.apigateway to before-call.api-gateway
2024-07-12 11:52:16,515 botocore.hooks [DEBUG] Changing event name from request-created.machinelearning.Predict to request-created.machine-learning.Predict
2024-07-12 11:52:16,515 botocore.hooks [DEBUG] Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
2024-07-12 11:52:16,515 botocore.hooks [DEBUG] Changing event name from before-parameter-build.route53 to before-parameter-build.route-53
2024-07-12 11:52:16,515 botocore.hooks [DEBUG] Changing event name from request-created.cloudsearchdomain.Search to request-created.cloudsearch-domain.Search
2024-07-12 11:52:16,516 botocore.hooks [DEBUG] Changing event name from docs.*.autoscaling.CreateLaunchConfiguration.complete-section to docs.*.auto-scaling.CreateLaunchConfiguration.complete-section
2024-07-12 11:52:16,517 botocore.hooks [DEBUG] Changing event name from before-parameter-build.logs.CreateExportTask to before-parameter-build.cloudwatch-logs.CreateExportTask
2024-07-12 11:52:16,517 botocore.hooks [DEBUG] Changing event name from docs.*.logs.CreateExportTask.complete-section to docs.*.cloudwatch-logs.CreateExportTask.complete-section
2024-07-12 11:52:16,517 botocore.hooks [DEBUG] Changing event name from before-parameter-build.cloudsearchdomain.Search to before-parameter-build.cloudsearch-domain.Search
2024-07-12 11:52:16,517 botocore.hooks [DEBUG] Changing event name from docs.*.cloudsearchdomain.Search.complete-section to docs.*.cloudsearch-domain.Search.complete-section
2024-07-12 11:52:16,573 botocore.loaders [DEBUG] Loading JSON file: <FILE_PATH_1>
2024-07-12 11:52:16,579 botocore.loaders [DEBUG] Loading JSON file: <FILE_PATH_2>
2024-07-12 11:52:16,579 botocore.hooks [DEBUG] Event choose-service-name: calling handler <function handle_service_name_alias at 0x000001DC1B44F600>
2024-07-12 11:52:16,605 botocore.loaders [DEBUG] Loading JSON file: <FILE_PATH_3>
2024-07-12 11:52:16,632 botocore.loaders [DEBUG] Loading JSON file: <FILE_PATH_4>
2024-07-12 11:52:16,633 botocore.loaders [DEBUG] Loading JSON file: <FILE_PATH_5>
2024-07-12 11:52:16,633 botocore.hooks [DEBUG] Event creating-client-class.qapps: calling handler <function add_generate_presigned_url at 0x000001DC1B3896C0>
2024-07-12 11:52:16,633 botocore.configprovider [DEBUG] Looking for endpoint for qapps via: environment_service
2024-07-12 11:52:16,633 botocore.configprovider [DEBUG] Looking for endpoint for qapps via: environment_global
2024-07-12 11:52:16,633 botocore.configprovider [DEBUG] Looking for endpoint for qapps via: config_service
2024-07-12 11:52:16,633 botocore.configprovider [DEBUG] Looking for endpoint for qapps via: config_global
2024-07-12 11:52:16,633 botocore.configprovider [DEBUG] No configured endpoint found.
2024-07-12 11:52:16,633 botocore.regions [DEBUG] Creating a regex based endpoint for data.qapps, us-east-1
2024-07-12 11:52:16,634 botocore.endpoint [DEBUG] Setting data.qapps timeout as (60, 60)
2024-07-12 11:52:16,635 botocore.loaders [DEBUG] Loading JSON file: <FILE_PATH_6>
2024-07-12 11:52:16,638 botocore.client [DEBUG] Registering retry handlers for service: qapps
2024-07-12 11:52:16,638 botocore.hooks [DEBUG] Event before-parameter-build.qapps.ListQApps: calling handler <function generate_idempotent_uuid at 0x000001DC1B46D080>
2024-07-12 11:52:16,638 botocore.regions [DEBUG] Calling endpoint provider with parameters: {'Region': 'us-east-1', 'UseDualStack': False, 'UseFIPS': False}
2024-07-12 11:52:16,638 botocore.regions [DEBUG] Endpoint provider result: https://data.qapps.us-east-1.amazonaws.com
2024-07-12 11:52:16,639 botocore.hooks [DEBUG] Event before-call.qapps.ListQApps: calling handler <function add_recursion_detection_header at 0x000001DC1B46C540>
2024-07-12 11:52:16,639 botocore.hooks [DEBUG] Event before-call.qapps.ListQApps: calling handler <function inject_api_version_header if needed at 0x000001DC1B46EB60>
2024-07-12 11:52:16,639 botocore.endpoint [DEBUG] Making request for OperationModel(name=ListQApps) with params: {'url_path': '/apps.list', 'query_string': {}, 'method': 'GET', 'headers': {'instance-id': 'INSTANCE_ID', 'User-Agent': 'USER_AGENT'}, 'body': b'', 'url': 'https://data.qapps.us-east-1.amazonaws.com/apps.list', 'context': {'client_region': 'us-east-1', 'client_config': <botocore.config.Config object at 0x000001DC1C357320>, 'has_streaming_input': False, 'auth_type': None}}
2024-07-12 11:52:16,639 botocore.hooks [DEBUG] Event request-created.qapps.ListQApps: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x000001DC1C357350>>
2024-07-12 11:52:16,639 botocore.hooks [DEBUG] Event choose-signer.qapps.ListQApps: calling handler <function set_operation_specific_signer at 0x000001DC1B46CF40>
2024-07-12 11:52:16,640 botocore.auth [DEBUG] Calculating signature using v4 auth.
2024-07-12 11:52:16,640 botocore.auth [DEBUG] CanonicalRequest:
GET
/apps.list

host:data.qapps.us-east-1.amazonaws.com
instance-id:INSTANCE_ID
x-amz-date:DATE

host;instance-id;x-amz-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2024-07-12 11:52:16,641 botocore.auth [DEBUG] StringToSign:
AWS4-HMAC-SHA256
DATE
REGION/qapps/aws4_request
39a1e4e6beadebf1a995b726e85c8000b9bc4aa324a9dc84c5c8db90000f1889
2024-07-12 11:52:16,641 botocore.auth [DEBUG] Signature:
01b1d00041815e3c0f8cb208b87a7426eefccf2f42b981b20b81e6f6baf7f426
2024-07-12 11:52:16,641 botocore.hooks [DEBUG] Event request-created.qapps.ListQApps: calling handler <function add_retry_headers at 0x000001DC1B46F380>
2024-07-12 11:52:16,641 botocore.endpoint [DEBUG] Sending http request: <AWSPreparedRequest stream_output=False, method=GET, url=https://data.qapps.us-east-1.amazonaws.com/apps.list, headers={'instance-id': b'INSTANCE_ID', 'User-Agent': b'USER_AGENT', 'X-Amz-Date': b'DATE', 'Authorization': b'AUTHORIZATION', 'amz-sdk-invocation-id': b'INVOCATION_ID', 'amz-sdk-request': b'REQUEST_ATTEMPT'}>
2024-07-12 11:52:16,642 botocore.httpsession [DEBUG] Certificate path: <CERTIFICATE_PATH>
2024-07-12 11:52:16,643 urllib3.connectionpool [DEBUG] Starting new HTTPS connection (1): data.qapps.us-east-1.amazonaws.com:443
2024-07-12 11:52:17,473 urllib3.connectionpool [DEBUG] https://data.qapps.us-east-1.amazonaws.com:443 "GET /apps.list HTTP/11" 401 26
2024-07-12 11:52:17,473 botocore.parsers [DEBUG] Response headers: {'Date': 'Thu, 11 Jul 2024 23:52:23 GMT', 'Content-Type': 'application/json', 'Content-Length': '26', 'Connection': 'keep-alive', 'x-amzn-RequestId': 'REQUEST_ID', 'Access-Control-Allow-Origin': '*', 'x-amzn-ErrorType': 'UnauthorizedException', 'x-amz-apigw-id': 'APIGW_ID'}
2024-07-12 11:52:17,473 botocore.parsers [DEBUG] Response body:
b'{"message":"Unauthorized"}'
2024-07-12 11:52:17,474 botocore.parsers [DEBUG] Response headers: {'Date': 'Thu, 11 Jul 2024 23:52:23 GMT', 'Content-Type': 'application/json', 'Content-Length': '26', 'Connection': 'keep-alive', 'x-amzn-RequestId': 'REQUEST_ID', 'Access-Control-Allow-Origin': '*', 'x-amzn-ErrorType': 'UnauthorizedException', 'x-amz-apigw-id': 'APIGW_ID'}
2024-07-12 11:52:17,474 botocore.parsers [DEBUG] Response body:
b'{"message":"Unauthorized"}'
2024-07-12 11:52:17,474 botocore.hooks [DEBUG] Event needs-retry.qapps.ListQApps: calling handler <botocore.retryhandler.RetryHandler object at 0x000001DC1C39C290>
2024-07-12 11:52:17,474 botocore.retryhandler [DEBUG] No retry needed.
Error listing Q Apps: An error occurred (UnauthorizedException) when calling the ListQApps operation: Unauthorized
Failed to list Q Apps.

The access keys being used have permissions from this link
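Added example, not code from the issue or from boto3: a small triage helper for this kind of failure. It extracts the HTTP status, `x-amzn-ErrorType` and API Gateway marker from botocore debug output (the sample lines are constructed to mirror the log above), and maps a `ClientError.response` dict to what to check first. The 401/UnauthorizedException versus 403/AccessDeniedException split is an assumed triage heuristic, consistent with the maintainer pointing at Q Business authentication setup rather than the IAM policy.

```python
import re

# Constructed sample lines modelled on the botocore debug output posted in this thread
SAMPLE_LOG = """\
2024-07-12 11:52:17,473 urllib3.connectionpool [DEBUG] https://data.qapps.us-east-1.amazonaws.com:443 "GET /apps.list HTTP/11" 401 26
2024-07-12 11:52:17,473 botocore.parsers [DEBUG] Response headers: {'Date': 'Thu, 11 Jul 2024 23:52:23 GMT', 'Content-Type': 'application/json', 'x-amzn-RequestId': 'REQUEST_ID', 'x-amzn-ErrorType': 'UnauthorizedException', 'x-amz-apigw-id': 'APIGW_ID'}
2024-07-12 11:52:17,473 botocore.parsers [DEBUG] Response body:
b'{"message":"Unauthorized"}'
"""

# urllib3 prints 'HTTP/1.1'; the pasted log shows 'HTTP/11', so accept digits and dots
HTTP_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
ERRTYPE_RE = re.compile(r"'x-amzn-ErrorType': '(?P<err>[A-Za-z]+)'")
APIGW_RE = re.compile(r"'x-amz-apigw-id'")

def summarize_debug_log(text):
    """Pull status, error type, request path and API Gateway marker out of botocore debug output."""
    summary = {"status": None, "error_type": None, "via_api_gateway": False, "path": None}
    for line in text.splitlines():
        m = HTTP_RE.search(line)
        if m:
            summary["status"] = int(m.group("status"))
            summary["path"] = m.group("path")
        m = ERRTYPE_RE.search(line)
        if m:
            summary["error_type"] = m.group("err")
        if APIGW_RE.search(line):
            summary["via_api_gateway"] = True
    return summary

def classify_qapps_error(error_response):
    """Map a botocore ClientError.response dict to the layer to investigate first (assumed heuristic)."""
    code = error_response.get("Error", {}).get("Code", "")
    status = error_response.get("ResponseMetadata", {}).get("HTTPStatusCode")
    if code == "UnauthorizedException" or status == 401:
        # Signature was accepted by the endpoint, but the caller is not a recognised
        # Q Business identity: check the Identity Center / authentication prerequisites
        return "identity"
    if code == "AccessDeniedException" or status == 403:
        # Identity accepted, action denied: check the IAM policy on the principal
        return "iam_policy"
    if code in ("ExpiredTokenException", "InvalidSignatureException", "SignatureDoesNotMatch"):
        return "credentials"
    return "other"
```

With boto3, catch `botocore.exceptions.ClientError` instead of a bare `Exception` and pass `err.response` to `classify_qapps_error`, so the error code is not lost in the printed message.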

tim-finnigan commented 2 months ago

Thanks for following up, I was referred to this documentation on authenticating: https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/making-sigv4-authenticated-api-calls.html. Can you confirm that you've completed the prerequisites and setup steps documented there?

Nick6464 commented 2 months ago

Ok, that must be the issue then. Since I am wanting to use Cognito and not Okta, will this walk through get me there?

https://repost.aws/knowledge-center/cognito-user-pool-iam-integration

Appreciate the help.

Nick6464 commented 2 months ago

I have set that up and can use the aws sts assume-role to get the access, secret and session. These still give the Unauthorized response.

tim-finnigan commented 2 months ago

@Nick6464 Cognito should be supported, but you need to connect Cognito to Identity Center and Identity center to Q Business Application. Here is an article on integrating Identity Center with Cognito: https://repost.aws/knowledge-center/cognito-user-pool-iam-integration. Also did you complete the setup instructions in the documentation referenced earlier?

Nick6464 commented 2 months ago

Yes, that has all been done and I am able to generate a JWT token for the assumed role. The JWT token is then used to make a request to the Q Business instance, but gets an unauthorized response.

tim-finnigan commented 2 months ago

Thanks for your patience here — do you have any updates on your end? If still experiencing an issue here then we will likely need to transfer this to our cross-SDK repo and reach out to the QApps team for guidance, as they maintain the underlying API returning that error.

Nick6464 commented 2 months ago

No problem Tim, seems like my issue is either with my configuration or fundamental. I'll continue this through Support and update here if it is actually a bug. Thank you for your help, advice and patience.

Nick

github-actions[bot] commented 2 months ago

This issue is now closed. Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one.