I’m working on enabling metadata filtering in an Amazon Q Business application. According to the documentation, this feature is only supported via API, not through the console. Specifically, the docs state: “Filtering using document attributes in chat is only supported using the API. Boosting search results using document attributes is supported using the console or the API.”
My setup is as follows:
The Amazon Q Business application is configured for Authenticated User Access
Access management method: AWS IAM Identity Center
My documents are stored in Amazon S3, and I want to filter them based on metadata using the ChatSync API (via AWS SDK or CLI)
The issue:
I am an IAM User in the AWS account. When I call the chat_sync API with an attributeFilter, the app requires an IAM Identity Center user, not an IAM User. Therefore, I attempted to configure SSO via aws configure sso and log in with the IAM Identity Center user that my admin assigned.
However, when I run SSO-related CLI commands (such as aws sso list-accounts), I receive the following message:
No AWS accounts are available to you
Because of this, I cannot retrieve temporary SSO credentials, and I cannot proceed with metadata filtering using the Amazon Q API.
My Question
Why am I seeing the “No AWS accounts are available to you” error, even though I used an IAM Identity Center user provided by my admin? Is there an additional step required (such as a specific permission set or AWS account assignment) for the IAM Identity Center user in order to use Amazon Q Business APIs with metadata filtering?
Does anyone know the correct configuration steps or what I might be missing?
I would definitely check with your admin to see if you were given the correct permission set for the IAM Identity Center user, as that is a possible reason why the account is not showing up for you. If so and you’re still running into the same issue, I would definitely look into this article on SSO integration to make sure your current setup is all good. Let me know if this helps!
I checked the IAM Identity Center configuration with my administrator and he told me that there is no “Permission Sets” section visible at all in the IAM Identity Center page. Because of that, I am currently unable to assign a permission set or verify whether one exists for the IAM Identity Center user.
Could this be related to the fact that my IAM Identity Center is configured as an Account Instance instead of an Organization instance? Or is there a prerequisite step I am missing before the Permission Sets tab becomes available?
Sorry for the long delay in replying back. This is definitely interesting behavior and it might be possible that this could be the case. I would definitely recommend that you or your administrator create a support case with AWS Support, as they may be able to assist with your question further.
Following up here as it’s been a while since the last communication took place on this thread; did you have any additional questions regarding your initial post? Or if you created a support ticket and found out some new information regarding your topic, feel free to share here!
If we do not hear back within the next 3 business days, I’ll close out this topic.
Since I haven’t received any further updates from you, I’ll treat this inquiry as complete at this time. Please feel free to create a new post if you have more questions.