How to build an enterprise chatbot with Amazon Q Business to integrate Confluence data

Julian Michel - Jul 9 - Dev Community

GenAI tools like ChatGPT are now widely used - for private purposes. In an enterprise context, the requirements for building a GenAI chatbot are more complex. Source data must be securely integrated into the chatbot. The data must not be shared with other companies using the same GenAI platform or used for training the model. User permissions must be supported so that restricted data is not shared with employees who should not have access to it.

Amazon Q Business is an AWS service that meets these requirements and enables businesses to easily build chatbots and GenAI assistants. Connectors are available to integrate various enterprise applications with Amazon Q Business. Confluence integration is one of the connectors available out of the box. It can import Confluence data into Q Business while respecting user-specific permissions.

This blog post shows how to integrate Confluence with Amazon Q Business and demonstrates that Q Business really respects permissions - it doesn't leak data to unauthorized users or employees.

Prerequisites

Amazon Q Business requires AWS IAM Identity Center for managed users. Therefore, set up IAM Identity Center first. The Identity Center instance must be set up in the same region as Q Business. Since Q Business is only available in the us-east-1 and us-west-2 regions, you must create AWS IAM Identity Center in one of these regions. If you have already configured IAM Identity Center in a different region, you must delete it and recreate it in one of the matching regions.

In addition, Q Business and Confluence must use the same user data, otherwise the permissions won't work. Confluence can also be integrated with AWS IAM Identity Center, so you can use single sign-on for Q Business and Confluence. To do this, first set up AWS IAM Identity Center as the identity provider for Confluence.

Getting started: Create a Confluence API key

To integrate Confluence with Amazon Q Business, create an API key for one of your Admin users. They will have access to all content necessary to crawl the entire Confluence instance. For production use, you would use a technical user.

If you are using Confluence SaaS, go to the following URL to create a new API key: https://id.atlassian.com/manage-profile/security/api-tokens

Confluence: Create API key

Next, copy the API key.

Confluence: Copy API key

Copy the API key to Secrets Manager

Q Business can use API keys that are stored in Secrets Manager. Create a new secret and select "other type of secret". Add the following attributes:

  • username: email of your Confluence user
  • password: API key
  • hostUrl: Confluence URL

Enter a secret name that begins with QBusiness-. Only secrets that start with this name can be used in Q.

New Secrets Manager Secret for Q Business
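
The secret described above can also be created from a script. This is an added example, not code from the original post: the secret name, e-mail address, token and URL are constructed placeholders, the https check is an extra assumption, and `create_secret` needs boto3 and AWS credentials.

```python
import json
from urllib.parse import urlparse

REQUIRED_KEYS = ("username", "password", "hostUrl")
NAME_PREFIX = "QBusiness-"  # prefix required by the post for secrets used in Q


def build_confluence_secret(name, username, api_key, host_url):
    """Return (name, secret_string) for the Confluence data source secret.

    Raises ValueError when a value would make the secret unusable.
    """
    if not name.startswith(NAME_PREFIX):
        raise ValueError(f"secret name must start with {NAME_PREFIX!r}")
    parsed = urlparse(host_url)
    # Assumption added here: only accept https so the API key is never
    # sent to Confluence in clear text.
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("hostUrl must be an https:// URL")
    payload = {"username": username, "password": api_key, "hostUrl": host_url}
    empty = [k for k in REQUIRED_KEYS if not payload[k].strip()]
    if empty:
        raise ValueError(f"empty secret attributes: {empty}")
    return name, json.dumps(payload)


def create_secret(name, secret_string, region="us-east-1"):
    """Store the secret; boto3 is imported lazily so validation runs offline."""
    import boto3
    client = boto3.client("secretsmanager", region_name=region)
    return client.create_secret(Name=name, SecretString=secret_string)["ARN"]


if __name__ == "__main__":
    # Constructed values; in real use read the API key from a prompt or an
    # environment variable rather than putting it in the script.
    name, secret = build_confluence_secret(
        "QBusiness-confluence-demo",
        "crawler@example.com",
        "constructed-api-token",
        "https://example.atlassian.net",
    )
    print(name, sorted(json.loads(secret)))
```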

Create your Amazon Q Business application

Open Q Business in your AWS console and create a new application.

Create a new Q Business application

Enter the name of your application, such as AmazonQ, and then press "Next".

Application properties

Configure the retrievers that will fetch data from the data source. If this is a proof of concept, select "Starter" and choose "1" unit.

Q Retrievers

Add the Confluence data source

Select the Confluence data source from the list of data sources.

Confluence data source

Enter a name for the data source and specify the source type (cloud or on-premises) and URL.

Confluence data source properties

Select "Basic authentication" and choose the secret you created earlier.

Confluence authentication

Let's create a new service role, which is a recommended option.

IAM service role

Select the sync scope - select "Pages" as the minimum option to transfer Confluence pages to Q.

Crawler scope

Next, choose how often you want Q to sync your Confluence data. In the case of a proof of concept, "Run on demand" is sufficient to avoid costs.

Sync interval

User configuration

Select some AWS IAM Identity Center users who should have access to Q Business and select the subscription. Since there is a monthly fee after the free trial, check the pricing when selecting the subscription.

Now you are ready to use Amazon Q Business.

User configuration

Prepare Confluence test data

To test the permissions feature in Amazon Q, create a Confluence page with restricted access. Only users who have access to the page in Confluence will be able to use the information in Q Business. In this example, only "User One" has access to the page.

Confluence demo page - permissions

Create sample content for the new page.

Confluence demo page - content

Sync data source

Open the Q Business application, select the data source, and choose "Sync Now" to synchronize the data.

Sync status

This will take a few minutes - Q Business will show the sync status in the meantime.

Detailed sync status

Debugging Amazon Q Business

In the "Sync run history" there is a link to view the sync log in CloudWatch Logs. Again, it takes a few minutes for the log to be available.

The log information is useful in case Q Business doesn't work as expected. In my first test, Q Business only worked for the first user (with API key). I was able to analyze the behavior in the CloudWatch logs.

Sync status - CloudWatch logs integration

Q Business uses API calls like this: https://jumic-q.atlassian.net/wiki/rest/api/content/1310724/restriction/byOperation/read?&limit=200&start=0

In my case, the email attribute was empty because my first user was set up manually. I claimed it in the Confluence organization, then it worked.

Confluence API
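
An added example (not from the original post) of the check this debugging step amounts to: given the JSON returned by the restriction call above, list the users whose email is empty or does not match an IAM Identity Center user. The response field names and the matching by e-mail address are assumptions, and the sample data is constructed.

```python
import json

# Constructed sample, shaped like a Confluence Cloud response to
# .../restriction/byOperation/read (field names are an assumption).
SAMPLE_RESPONSE = json.loads("""
{
  "operation": "read",
  "restrictions": {
    "user": {"results": [
      {"accountId": "constructed-id-1", "displayName": "User One",
       "email": "user.one@example.com"},
      {"accountId": "constructed-id-2", "displayName": "User Three",
       "email": ""}
    ]},
    "group": {"results": [{"name": "constructed-group"}]}
  }
}
""")


def audit_read_restriction(response, known_emails):
    """Classify users allowed to read a page by whether they can be mapped.

    known_emails: lower-case e-mail addresses of the Identity Center users.
    Returns a dict with 'mapped', 'missing_email' and 'unknown_email' lists.
    """
    report = {"mapped": [], "missing_email": [], "unknown_email": []}
    users = response.get("restrictions", {}).get("user", {}).get("results", [])
    for user in users:
        label = user.get("displayName") or user.get("accountId", "?")
        email = (user.get("email") or "").strip().lower()
        if not email:
            # The situation from the post: the account has no visible email.
            report["missing_email"].append(label)
        elif email not in known_emails:
            report["unknown_email"].append(label)
        else:
            report["mapped"].append(label)
    return report


if __name__ == "__main__":
    idc_users = {"user.one@example.com", "user.two@example.com"}
    print(audit_read_restriction(SAMPLE_RESPONSE, idc_users))
```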

Final test - Does Q Business handle permissions correctly?

First, let's test with "User Two". This user doesn't have access to the sample car information page.

Restricted confluence page

Is it possible to leak the information in Q Business? No - Amazon Q responds that it can't find any relevant information.

Q Business shows no result

Positive test - Can User One ask questions about the company car policy? Yes, it works because he is authorized in Confluence. Q Business works as expected.

Q Business shows results

Summary

Amazon Q Business with Confluence works really well. You can create a chatbot / AI assistant without programming - really cool. The security features are also great. It's good to see that Q Business doesn't leak information to unauthorized users. It only shows information when users are authorized in Confluence. In addition, Q Business also shows the source pages in its answers. That's useful for double-checking each result to make sure the results are correct.

Are there alternatives to Amazon Q Business? Atlassian has introduced its own GenAI functionality in Confluence. It's called Atlassian Intelligence. It can summarize pages or answer questions about the Confluence content. If you only need GenAI capabilities for Confluence, this feature might be sufficient.

Why still use Amazon Q Business? Q Business can connect to many other business applications such as MS SharePoint, MS Teams, Slack, databases or even S3 buckets. Users don't need to know in which source system the information is stored. They can just ask Q Business, which uses information from all these source systems - which is more powerful.
