⚡ If you created a new Amazon Q Business application on or after April 30th, 2024, set up the Slack gateway using the updated instructions below. These new Amazon Q Business applications are integrated with IAM Identity Center, and the CloudFormation (CFN) template and the necessary steps have been updated to accommodate the Slack gateway setup for such applications.
Note: The instructions in this guide are specific to Okta, but they should also work for other OIDC-compliant identity providers (IdPs) with minor adjustments.
Amazon Q Business is a generative AI-powered application that helps users get work done. Amazon Q Business can become your tailored business expert and let you discover content, brainstorm ideas, or gain further insight using your company’s data safely and securely. For more information see: Introducing Amazon Q, a new generative AI-powered assistant (preview)
In this repo we share a project that lets you connect your Amazon Q Business application to your Slack workspace and allow Slack members to access your organization's data and knowledge sources via conversational question answering. You connect your organization's data via data source connectors and integrate it with the Slack Gateway for Amazon Q Business so that your Slack workspace members can reach it. It allows your users to:
- Converse with Amazon Q Business over Slack Direct Message (DM) to ask questions and get answers based on company data, get help creating new content such as emails, and perform tasks.
- Invite it to participate in your team channels.
- In a channel, ask it questions in a new message, or tag it in a thread at any point, to get additional data points or resolve a debate.
It's amazingly powerful. Here's a demo - seeing is believing!
AmazonQSlackGatewayDemo.mp4
It's easy to deploy in your own AWS Account, and add to your own Slack Workspace. We show you how below.
- In DMs it responds to all messages
- In channels it responds only to @mentions, and always replies in thread
- Renders answers containing markdown, e.g. headings, lists, bold, italics, tables, etc.
- Provides thumbs up / down buttons to track user sentiment and help improve performance over time
- Provides Source Attribution: see references to the sources used by Amazon Q Business
- Aware of conversation context: it tracks the conversation and applies context
- Processes up to 5 attached files for document question answering, summaries, etc.
- Reset and start a new conversation in the DM channel by using `/new_conversation`
This sample Amazon Q slack application is provided as open source — use it as a starting point for your own solution, and help us make it better by contributing back fixes and features via GitHub pull requests. Explore the code, choose Watch to be notified of new releases, and check back for the latest updates.
Follow the instructions below to deploy the project to your own AWS account and Slack workspace, and start experimenting!
- You need to have an AWS account and an IAM Role/User with permissions to create and manage the necessary resources and components for this application. (If you do not have an AWS account, please see How do I create and activate a new Amazon Web Services account?)
- You need to have an Okta Workforce Identity Cloud account. If you haven't signed up yet, see Signing up for Okta
- You need to configure SAML and SCIM with Okta and IAM Identity Center. If you haven't configured this yet, see Configuring SAML and SCIM with Okta and IAM Identity Center
- You also need to have an existing, working Amazon Q Business application integrated with IdC. If you haven't set one up yet, see Creating an Amazon Q application
- You need to have users subscribed to your Amazon Q Business application who are able to access the Amazon Q Web Experience. If you haven't set this up yet, see Subscribing users to an Amazon Q application
- You need the latest version of the AWS CLI installed on your Linux or macOS system. If you haven't installed it yet, see Installing the AWS CLI version 2
Create the client as a 'Web app'. You will want to enable the 'Refresh Token' grant type, 'Allow everyone in your organization to access', and 'Federation Broker Mode'. Use a placeholder URL, like https://example.com, for the redirect URI, as you will update this later (in step 3).
Also verify that administrators are given ability to configure the Interaction Code grant type for apps and authorization servers. This is done in Okta under Settings > Account in the "Embedded widget sign-in support" panel. If "Interaction Code" is not enabled, select "Edit" and enable the option. Then browse to Security > API in Okta and verify that an authorization server is configured and that it has an Access Policy active with a Rule that has the "Interaction Code" grant type checked.
Create a trusted token issuer so that IAM Identity Center trusts tokens issued by your Okta tenant, using the instructions listed here - https://docs.aws.amazon.com/singlesignon/latest/userguide/using-apps-with-trusted-token-issuer.html. Or you can run the script below.
For the script, you need to have the OIDC issuer URL and the AWS region in which you have your Q business application. To retrieve the OIDC issuer URL, go to Okta account console, click the left hamburger menu and open Security > API and copy the whole 'Issuer URI'. The IAM IdC region is typically the same region where your Amazon Q Business application has been created but that is not a requirement.
The script will output trusted token issuer ARN (TTI_ARN) which you will use in the next step.
```bash
export AWS_DEFAULT_REGION=<>
OIDC_ISSUER_URL=<>
AWS_IDC_REGION=<>
bin/create-trusted-token-issuer.sh $OIDC_ISSUER_URL $AWS_IDC_REGION
```
Create a customer managed application in IAM Identity Center (IdC) by running the script below.
For the script, you need to have the OIDC client ID, trusted token issuer ARN, and the region in which you have your Q business application. To retrieve the OIDC client ID, go to Okta account console, click the left hamburger menu and open Applications > Applications and click on the application you created in step 1.1. Copy the 'Client ID'. For TTI_ARN, you can use the output from the previous step.
The script will output the gateway IdC application ARN (GATEWAY_IDC_ARN) which you will use in the next step.
```bash
export AWS_DEFAULT_REGION=<>
OIDC_CLIENT_ID=<>
TTI_ARN=<>
AWS_IDC_REGION=<>
bin/create-idc-application.sh $OIDC_CLIENT_ID $TTI_ARN $AWS_IDC_REGION
```
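For reference, here is what the two scripts above amount to as direct AWS CLI calls. This is an added example written for this README, not the repo's own `bin/` scripts: it creates the trusted token issuer for your Okta issuer URL, then a customer managed IdC application that accepts JWT-bearer grants only for tokens from that issuer whose audience is your OIDC client ID, and grants the application the Q Business conversation scopes. The application names, the account-root actor policy and the scope names are assumptions taken from the Identity Center trusted-identity-propagation documentation; check them against your own instance. With `DRY_RUN=1` it prints the calls instead of executing them.

```shell
#!/bin/sh
# Added example: the IAM Identity Center plumbing behind bin/create-trusted-token-issuer.sh
# and bin/create-idc-application.sh, as direct AWS CLI calls. Usage:
#   OIDC_ISSUER_URL=https://<tenant>.okta.com/oauth2/default OIDC_CLIENT_ID=<okta client id> \
#   AWS_IDC_REGION=us-east-1 sh setup-idc.sh
# DRY_RUN=1 prints each aws call to stderr instead of running it.

# Trusted token issuer config: the "email" claim of the Okta ID token is matched against
# the Identity Center user's "emails.value" attribute; signing keys come via OIDC discovery.
tti_config_json() {
  printf '{"OidcJwtConfiguration":{"IssuerUrl":"%s","ClaimAttributePath":"email","IdentityStoreAttributePath":"emails.value","JwksRetrievalOption":"OPEN_ID_DISCOVERY"}}' "$1"
}

# JWT-bearer grant: only tokens from this issuer whose "aud" is our Okta client ID can be
# exchanged for an IdC token. Binding the audience is what stops an ID token minted for
# some other Okta app from being replayed against this gateway.
jwt_bearer_grant_json() {
  printf '{"JwtBearer":{"AuthorizedTokenIssuers":[{"TrustedTokenIssuerArn":"%s","AuthorizedAudiences":["%s"]}]}}' "$1" "$2"
}

# Actor policy: which IAM principal may call sso-oauth:CreateTokenWithIAM for this app.
# Assumption: the account root, as in the IdC docs; tighten to the gateway's Lambda role in production.
actor_policy_json() {
  printf '{"Iam":{"ActorPolicy":{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::%s:root"},"Action":"sso-oauth:CreateTokenWithIAM","Resource":"*"}]}}}' "$1"
}

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '+ %s\n' "$*" >&2; printf 'dry-run'; else "$@"; fi
}

setup_idc() {
  issuer=$1; client_id=$2; region=$3
  instance_arn=$(run aws sso-admin list-instances --region "$region" --query 'Instances[0].InstanceArn' --output text)
  account_id=$(run aws sts get-caller-identity --query Account --output text)
  tti_arn=$(run aws sso-admin create-trusted-token-issuer --region "$region" \
      --instance-arn "$instance_arn" --name okta-tti --trusted-token-issuer-type OIDC_JWT \
      --trusted-token-issuer-configuration "$(tti_config_json "$issuer")" \
      --query TrustedTokenIssuerArn --output text)
  app_arn=$(run aws sso-admin create-application --region "$region" \
      --instance-arn "$instance_arn" --name amazon-q-slack-gateway \
      --application-provider-arn arn:aws:sso::aws:applicationProvider/custom \
      --portal-options Visibility=DISABLED --query ApplicationArn --output text)
  run aws sso-admin put-application-authentication-method --region "$region" --application-arn "$app_arn" \
      --authentication-method-type IAM --authentication-method "$(actor_policy_json "$account_id")"
  run aws sso-admin put-application-grant --region "$region" --application-arn "$app_arn" \
      --grant-type urn:ietf:params:oauth:grant-type:jwt-bearer \
      --grant "$(jwt_bearer_grant_json "$tti_arn" "$client_id")"
  # No explicit user assignment: every IdC user the trusted issuer vouches for may use the app.
  run aws sso-admin put-application-assignment-configuration --region "$region" \
      --application-arn "$app_arn" --no-assignment-required
  for scope in qbusiness:conversations:access qbusiness:messages:access; do
    run aws sso-admin put-application-access-scope --region "$region" --application-arn "$app_arn" --scope "$scope"
  done
  printf 'TTI_ARN=%s\nGATEWAY_IDC_ARN=%s\n' "$tti_arn" "$app_arn"
}

if [ -n "${OIDC_ISSUER_URL:-}" ] && [ -n "${OIDC_CLIENT_ID:-}" ]; then
  setup_idc "$OIDC_ISSUER_URL" "$OIDC_CLIENT_ID" "${AWS_IDC_REGION:-us-east-1}"
fi
```

The two values it prints at the end are the `TTI_ARN` and `GATEWAY_IDC_ARN` the CloudFormation parameters below ask for. If you later rotate the Okta client (new client ID), the JWT-bearer grant must be re-put with the new audience or token exchange will fail.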
We've made this easy by providing pre-built AWS CloudFormation templates that deploy everything you need in your AWS account.
If you are a developer, and you want to build, deploy and/or publish the solution from code, we've made that easy too! See Developer README
- Log into the AWS console if you are not already.
- Choose one of the Launch Stack buttons below for your desired AWS region to open the AWS CloudFormation console and create a new stack.
- Enter the following parameters:
  - `Stack Name`: Name your app, e.g. AMAZON-Q-SLACK-GATEWAY.
  - `AmazonQAppId`: Your existing Amazon Q Application ID (copy from the Amazon Q console).
  - `AmazonQRegion`: Choose the region where you created your Amazon Q Application.
  - `OIDCIdPName`: The name of the OIDC external identity provider. Specify 'Okta'. Cognito is also supported.
  - `OIDCClientId`: The client ID of the OIDC client you created in step 1.1.
  - `OIDCIssuerURL`: The issuer URL of the OIDC client you created in step 1.1.
  - `GatewayIdCAppARN`: The application ARN of the IdC customer managed application you created in step 1.3.
  - `AWSIAMIdCRegion`: The AWS region where the AWS IAM IdC instance is deployed.
  - `ContextDaysToLive`: Just leave this as the default (90 days).
Region | Template URL (use to upgrade an existing stack to a new release)
---|---
N. Virginia (us-east-1) | https://s3.us-east-1.amazonaws.com/aws-ml-blog-us-east-1/artifacts/amazon-q-slack-gateway/AmazonQSlackGateway.json
Oregon (us-west-2) | https://s3.us-west-2.amazonaws.com/aws-ml-blog-us-west-2/artifacts/amazon-q-slack-gateway/AmazonQSlackGateway.json
When your CloudFormation stack status is CREATE_COMPLETE, choose the Outputs tab, and keep it open - you'll need it below.
Go to the app client settings you created in Okta (in step 1.1), and replace the placeholder redirect URI with the value exported by the CloudFormation stack as `OIDCCallbackEndpointExportedName`.
Now you can create your new app in Slack!
NOTE: If you have deployed the Slack data source connector for Amazon Q you may already have an existing Slack app installed. Do not attempt to modify that data source connector app - create a new app instead.
- Create a Slack app at https://api.slack.com/apps from the generated manifest: copy / paste the `SlackAppManifest` value from the stack output.
- Go to App Home, scroll down to the section Show Tabs, enable Message Tab, then check the box "Allow users to send Slash commands and messages from the messages tab". This step is required to let your users send messages to your app.
Let's now add your app to your workspace; this is required to generate the `Bot User OAuth Token` value that will be needed in the next step.
- Go to OAuth & Permissions (in api.slack.com) and click Install to Workspace; this generates the OAuth token.
- In Slack, go to your workspace.
- Click on your workspace name > Tools and settings > Manage apps.
- Click on your newly created app.
- In the right pane, click on "Open in App Directory".
- Click "Open in Slack".
4.3.1 Configure your Slack secrets in order to (1) verify the signature of each inbound Slack request, (2) post on behalf of your bot
IMPORTANT In this example we are not enabling Slack token rotation. Enable it for a production app by implementing rotation via AWS Secrets Manager. Please create an issue (or, better yet, a pull request!) in this repo if you want this feature added to a future version.
- Log in to your AWS console.
- In your AWS account go to Secrets Manager, using the URL shown in the stack output ending with the name `SlackSecretConsoleUrl`.
- Choose Retrieve secret value.
- Choose Edit.
- Replace the values of `Signing Secret`* and `Bot User OAuth Token`; you will find those values in the Slack application configuration under Basic Information and OAuth & Permissions, respectively.
*(Pro tip: Be careful you don't accidentally copy 'Client Secret' (wrong) instead of 'Signing Secret' (right)!)
- Log in to your AWS console.
- In your AWS account go to Secrets Manager, using the URL shown in the stack output ending with the name `OIDCClientSecretConsoleUrl`.
- Choose Retrieve secret value.
- Choose Edit.
- Replace the value of `OidcClientSecret`; you will find the value in the Okta app client settings (step 1.1).
Time to say Hi!
- Go to Slack
- Under Apps > Manage, add your new Amazon Q app
- Optionally add your app to team channels
- In the app DM channel, say Hello. In a team channel, ask it for help with an @mention.
- You'll be prompted to Sign In with your Okta credentials to authenticate with Amazon Q. Click the button to sign in.
- You'll be redirected to browser to sign in with Okta. Once you sign in, you can close the browser window and return to Slack.
- You're now authenticated and can start asking questions!
- Enjoy.
We welcome your contributions to our project. Whether it's a bug report, new feature, correction, or additional documentation, we greatly value feedback and contributions from our community.
See CONTRIBUTING for more information.
See Security issue notifications for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.