GenAI tools like ChatGPT are now widely used - for private purposes. In an enterprise context, the requirements for building a GenAI chatbot are more complex. Source data must be securely integrated into the chatbot. The data must not be shared with other companies using the same GenAI platform or used for training the model. User permissions must be supported so that restricted data is not shared with employees who should not have access to it.
Amazon Q Business is an AWS service that meets these requirements and enables businesses to easily build chatbots and GenAI assistants. Connectors are available to integrate various enterprise applications with Amazon Q Business. Confluence integration is one of the connectors available out of the box. It can import Confluence data into Q Business while respecting user-specific permissions.
This blog post shows how to integrate Confluence with Amazon Q Business and demonstrates that Q Business really respects permissions - it doesn't leak data to unauthorized users or employees.
Prerequisites
Amazon Q Business requires AWS IAM Identity Center for managed users. Therefore, set up IAM Identity Center first. The Identity Center instance must be set up in the same region as Q Business. Since Q Business is only available in the us-east-1 and us-west-2 regions, you must create AWS IAM Identity Center in one of these regions. If you have already configured IAM Identity Center in a different region, you must delete it and recreate it in one of the matching regions.
In addition, Q and Confluence must use the same user data, otherwise the permissions won't work. Confluence can also be integrated with AWS IAM Identity Center, so you can use single sign-on for Q and Confluence. To do this, first set up AWS IAM Identity Center as the identity provider for Confluence.
Getting started: Create a Confluence API key
To integrate Confluence with Amazon Q Business, create an API key for one of your Admin users. They will have access to all content necessary to crawl the entire Confluence instance. For production use, you would use a technical user.
If you are using Confluence SaaS, go to the following URL to create a new API key: https://id.atlassian.com/manage-profile/security/api-tokens
Copy the API key to Secrets Manager
Q can use API keys that are stored in Secrets Manager. Create a new secret and select "other type of secret". Add the following attributes:
- username: email of your Confluence user
- password: API key
- hostUrl: Confluence URL
Enter a secret name that begins with QBusiness-. Only secrets that start with this name can be used in Q.
Create your Amazon Q Business application
Open Q Business in your AWS console and create a new application.
Enter the name of your application, such as AmazonQ, and then press "Next".
Configure the retrievers that will fetch data from the data source. If this is a proof of concept, select "Starter" and choose "1" unit.
Add the Confluence data source
Select the Confluence data source from the list of data sources.
Enter a name for the data source and specify the source type (cloud or on-premises) and URL.
Select "Basic authentication" and choose the secret you created earlier.
Let's create a new service role, which is a recommended option.
Select the sync scope - select "Pages" as the minimum option to transfer Confluence pages to Q.
Next, choose how often you want Q to sync your Confluence data. In the case of a proof of concept, "Run on demand" is sufficient to avoid costs.
User configuration
Select some AWS IAM Identity Center users who should have access to Q Business and select the subscription. Since there is a monthly fee after the free trial, check the pricing when selecting the subscription.
Now you are ready to use Amazon Q Business.
Prepare Confluence test data
To test the permissions feature in Amazon Q, create a Confluence page with restricted access. Only users who have access to the page in Confluence will be able to use the information in Q Business. In this example, only "User One" has access to the page.
Create sample content for the new page.
Sync data source
Open the Q Business application, select the data source, and choose "Sync Now" to synchronize the data.
This will take a few minutes - Q Business will show the sync status in the meantime.
Debugging Amazon Q Business
In the "Sync run history" there is a link to view the sync log in CloudWatch Logs. Again, it takes a few minutes for the log to be available.
The log information is useful in case Q Business doesn't work as expected. In my first test, Q Business only worked for the first user (with API key). I was able to analyze the behavior in the CloudWatch logs.
Q Business uses API calls like this: https://jumic-q.atlassian.net/wiki/rest/api/content/1310724/restriction/byOperation/read?&limit=200&start=0
In my case, the email attribute was empty because my first user was set up manually. I claimed it in the Confluence organization, then it worked.
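The empty email attribute described above can be caught before a sync by auditing a page's read restrictions. The following is an added example, not code from the original post or from AWS: the response shape is assumed from the Confluence Cloud REST API, the sample response and Identity Center address list are constructed, and matching users by e-mail address is an assumption based on the behaviour observed in the post.

```python
import json

# Constructed sample of a response from
# /wiki/rest/api/content/{id}/restriction/byOperation/read
# (shape assumed from the Confluence Cloud REST API; values are made up).
SAMPLE_RESPONSE = json.loads("""
{
  "operation": "read",
  "restrictions": {
    "user": {
      "results": [
        {"type": "known", "accountId": "acc-001", "displayName": "User One", "email": ""},
        {"type": "known", "accountId": "acc-002", "displayName": "User Three", "email": "User.Three@example.com"},
        {"type": "known", "accountId": "acc-003", "displayName": "Contractor", "email": "contractor@example.org"}
      ]
    },
    "group": {"results": [{"type": "group", "name": "fleet-managers"}]}
  }
}
""")

# Constructed list of e-mail addresses known to IAM Identity Center.
IDENTITY_CENTER_EMAILS = {"user.one@example.com", "user.three@example.com"}


def audit_read_restrictions(response, idc_emails):
    """Classify users on a page's read restriction by whether their
    Confluence e-mail can be matched to an Identity Center user."""
    known = {e.strip().lower() for e in idc_emails}
    report = {"ok": [], "missing_email": [], "unknown_email": []}
    users = response.get("restrictions", {}).get("user", {}).get("results", [])
    for user in users:
        label = user.get("displayName") or user.get("accountId", "?")
        email = (user.get("email") or "").strip().lower()
        if not email:
            report["missing_email"].append(label)    # the case hit in this post
        elif email not in known:
            report["unknown_email"].append(label)    # no matching Identity Center user
        else:
            report["ok"].append(label)
    return report


if __name__ == "__main__":
    result = audit_read_restrictions(SAMPLE_RESPONSE, IDENTITY_CENTER_EMAILS)
    for status, names in result.items():
        print(f"{status}: {names}")
```

Users reported under missing_email or unknown_email are the ones to fix in Confluence or Identity Center before relying on the permission tests that follow.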
Final test - Does Q Business handle permissions correctly?
First, let's test with "User Two". This user doesn't have access to the sample car information page.
Is it possible to leak the information in Q Business? No - Amazon Q responds that it can't find any relevant information.
Positive test - Can User One ask questions about the company car policy? Yes, it works because he is authorized in Confluence. Q Business works as expected.
Summary
Amazon Q Business with Confluence works really well. You can create a chatbot / AI assistant without programming - really cool. The security features are also great. It's good to see that Q Business doesn't leak information to unauthorized users. It only shows information when users are authorized in Confluence. In addition, Q Business also shows the source pages in its answers. That's useful for double-checking each result to make sure the results are correct.
Are there alternatives to Amazon Q Business? Atlassian has introduced its own GenAI functionality in Confluence. It's called Atlassian Intelligence. It can summarize pages or answer questions about the Confluence content. If you only need GenAI capabilities for Confluence, this feature might be sufficient.
Why still use Amazon Q Business? Q Business can connect to many other business applications such as MS SharePoint, MS Teams, Slack, databases or even S3 buckets. Users don't need to know in which source system the information is stored. They can just ask Q Business, which uses information from all these source systems - which is more powerful.