Arrange a customized plugin on Amazon Q Enterprise and authenticate with Amazon Cognito to work together with backend methods

Companies are consistently evolving, and leaders are challenged every single day to satisfy new necessities and are searching for methods to optimize their operations and achieve a aggressive edge. One of many key challenges they face is managing the complexity of disparate enterprise methods and workflows, which ends up in inefficiencies, information silos, and missed alternatives.

Generative AI can play an vital function in integrating these disparate methods in a safe and seamless method, addressing these challenges in a cheap approach. This integration permits for safe and environment friendly information change, motion triggering, and enhanced productiveness throughout the group. Amazon Q Business performs an vital function in making this occur. Amazon Q Enterprise permits organizations to shortly and effortlessly analyze their information, uncover insights, and make data-driven selections. With its intuitive interface and seamless integration with different AWS companies, Amazon Q Enterprise empowers companies of various sizes to remodel their information into actionable intelligence and drive innovation throughout their operations.

On this submit, we reveal learn how to construct a customized plugin with Amazon Q Enterprise for backend integration. This plugin can combine current methods, together with third-party methods, with little to no growth in simply weeks and automate essential workflows. Moreover, we present learn how to safeguard the answer utilizing Amazon Cognito and AWS IAM Identity Center, sustaining the protection and integrity of delicate information and workflows. Amazon Q Enterprise additionally affords utility environment guardrails or chat controls which you could configure to regulate the end-user chat expertise so as to add an extra layer of security. Lastly, we present learn how to expose your backend APIs by means of Amazon API Gateway, which is constructed on serverless AWS Lambda capabilities and Amazon DynamoDB.

Answer overview

Amazon Q Enterprise is a completely managed, generative AI-powered assistant that helps enterprises unlock the worth of their information and data. With Amazon Q Enterprise, you possibly can shortly discover solutions to questions, generate summaries and content material, and full duties through the use of the data and experience saved throughout your organization’s numerous information sources and enterprise methods. On the core of this functionality are built-in information supply connectors and customized plugins that seamlessly combine and index content material from a number of repositories right into a unified index. This permits the Amazon Q Enterprise giant language mannequin (LLM) to supply correct, well-written solutions by drawing from the consolidated information and knowledge. The information supply connectors act as a bridge, synchronizing content material from disparate methods like Salesforce, Jira, and SharePoint right into a centralized index that powers the pure language understanding and generative talents of Amazon Q Enterprise. Amazon Q Enterprise additionally gives the aptitude to create customized plugins to combine along with your group’s backend system and third-party purposes.

After you combine Amazon Q Enterprise along with your backend system utilizing a customized plugin, customers can ask questions from paperwork which are uploaded in Amazon Simple Storage Service (Amazon S3). For this submit, we use a easy doc that accommodates product names, descriptions, and different associated info. Among the questions you possibly can ask Amazon Q Enterprise would possibly embody the next:

• “Give me the identify of the merchandise.”
• “Now listing all of the merchandise together with the outline in tabular format.”
• “Now create one of many merchandise <product identify>.” (At this stage, Amazon Q Enterprise would require you to authenticate in opposition to Amazon Cognito to be sure you have the correct permission to work on that utility.)
• “Record all of the merchandise together with ID and worth in tabular format.”
• “Replace the value of product with ID <product ID>.”

The next diagram illustrates the answer structure.

The workflow consists of the next steps:

1. The consumer asks a query utilizing the Amazon Q Enterprise chat interface.
2. Amazon Q Enterprise searches the listed doc in Amazon S3 for related info and presents it to the consumer.
3. The consumer can use the plugin to carry out actions (API calls) within the system uncovered to Amazon Q Enterprise utilizing Open API 3.x standards.
4. As a result of the API is secured with Amazon Cognito, Amazon Q Enterprise requires the consumer to authenticate in opposition to the consumer credentials obtainable in Amazon Cognito.
5. On profitable authentication, API Gateway forwards the request to Lambda.
6. The API response is returned to the consumer by means of the Amazon Q Enterprise chat interface.

Conditions

Earlier than you start the walkthrough, you will need to have an AWS account. Should you don’t have one, sign up for one. Moreover, you will need to have entry to the next companies:

• Amazon API Gateway
• AWS CloudFormation
• Amazon Cognito
• Amazon DynamoDB
• AWS IAM Identification Middle
• AWS Lambda
• Amazon Q Enterprise Professional (This can have an extra monthly cost)
• Amazon S3

Launch the CloudFormation template

Launch the next CloudFormation template to arrange Amazon Cognito, API Gateway, DynamoDB, and Lambda assets.

After you deploy the stack, navigate to the Outputs tab for the stack on the AWS CloudFormation console and notice the useful resource particulars. We use these values later on this submit.

Should you’re operating the CloudFormation template a number of occasions, be certain that to decide on a singular identify for the stack every time.

Create an Amazon Q Enterprise utility

Full the next steps to create an Amazon Q Enterprise utility:

1. On the Amazon Q Enterprise console, select Functions within the navigation pane.
2. Select Create utility.

3. Present an utility identify (for instance, product-mgmt-app).
4. Depart the opposite settings as default and select Create.

The applying will likely be created in a number of seconds.

5. On the appliance particulars web page, select Knowledge supply.
6. Select Add an index.
7. For Index identify, enter a reputation for the index.
8. For Index provisioning, choose Enterprise or Starter.
9. For Variety of items, depart because the default 1.
10. Select Add an index.

11. On the Knowledge supply web page, select Add a knowledge supply.
12. Select Amazon S3 as your information supply and enter a singular identify.
13. Enter the info supply location as the worth of BucketName from the CloudFormation stack outputs within the format s3://<name_here>.

In a later step, we add a file to this S3 bucket.

14. For IAM function¸ select Create a brand new service function (advisable).
15. For Sync scope, choose Full sync.
16. For Frequency, choose Run on demand.
17. Select Add information supply.
18. On the appliance particulars web page, select Handle consumer entry.
19. Select Add teams and customers.
20. You should utilize current customers or teams in IAM Identification Middle or create new customers and teams, then select Verify.

Solely these teams and customers have entry to the Amazon Q Enterprise utility for his or her subscriptions.

21. Pay attention to deployed URL of the appliance to make use of in a later step.
22. On the Amazon S3 console, find the S3 bucket you famous earlier and add the sample document.
23. On the Amazon Q Enterprise console, navigate to the appliance particulars web page and sync the Amazon S3 information supply.

Configure Amazon Cognito

Full the next steps to arrange Amazon Cognito:

1. On the Amazon Cognito console, navigate to the consumer pool created utilizing the CloudFormation template (ending with-ProductUserPool).
2. Beneath Branding within the navigation pane, select Area.
3. On the Actions menu, select Create Cognito area.

We didn’t create a site once we created the consumer pool utilizing the CloudFormation template.

4. For Cognito area, enter a site prefix.
5. For Model, choose Hosted UI.
6. Select Create Cognito area.

7. Beneath Functions within the navigation pane, select App purchasers.
8. Select your app shopper.

9. On the app shopper element web page, select Login pages after which select Edit the managed login pages configuration.
10. For URL, enter the deployed URL you famous earlier, adopted by /oauth/callback. For instance, https://xxxxx.chat.qbusiness.us-east-1.on.aws/oauth/callback.
11. Specify your id supplier, OAuth 2.0 grant kind, OpenID Join scopes, and customized scopes.

Customized scopes are outlined as a part of the API configuration in API Gateway. This can assist Amazon Q Enterprise decide what motion a consumer is allowed to take. On this case, we’re permitting the consumer to learn, write, and delete. Nonetheless, you possibly can change this primarily based on what you need your customers to do utilizing the Amazon Q Enterprise chat.

12. Select Save modifications.

13. Pay attention to the Consumer ID and Consumer secret values within the App shopper info part to make use of in a later step.

Amazon Cognito doesn’t help altering the shopper secret after you will have created the app shopper; a brand new app shopper is required if you wish to change the shopper secret.

Lastly, it’s a must to add a minimum of one consumer to the Amazon Cognito consumer pool.

14. Select Customers beneath Consumer administration within the navigation pane and select Create consumer.
15. Create a consumer so as to add to your Amazon Cognito consumer pool.

We’ll use this consumer to authenticate earlier than we will chat and ask inquiries to the backend system utilizing Amazon Q Enterprise.

Create an Amazon Q Enterprise customized plugin

Full the next steps to create your customized plugin:

1. On the Amazon Q Enterprise console, navigate to the appliance you created.
2. Beneath Actions within the navigation pane, select Plugins
3. Select Add plugin.

4. Choose Create customized plugin.
5. Present a plugin identify (for instance, Merchandise).
6. Beneath API schema supply, choose Outline with in-line OpenAPI schema editor and enter the next code:

openapi: 3.0.0
data:
  title: CRUD API
  model: 1.0.0
  description: API for performing CRUD operations
servers:
  - url: put api gateway endpoint url right here, copy it from cloudformation output
    
paths:
  /merchandise:
    get:
      abstract: Record all merchandise
      safety:
        - OAuth2:
            - merchandise/learn
      description: Returns an inventory of all obtainable merchandise
      responses:
        '200':
          description: Profitable response
          content material:
            utility/json:
              schema:
                kind: array
                gadgets:
                  $ref: '#/elements/schemas/Product'
        '500':
          description: Inside server error
          content material:
            utility/json:
              schema:
                $ref: '#/elements/schemas/Error'
    submit:
      abstract: Create a brand new product
      safety:
        - OAuth2:
            - merchandise/write
      description: Creates a brand new product
      requestBody:
        required: true
        content material:
          utility/json:
            schema:
              $ref: '#/elements/schemas/Product'
      responses:
        '201':
          description: Created
          content material:
            utility/json:
              schema:
                $ref: '#/elements/schemas/Product'
        '400':
          description: Dangerous Request
          content material:
            utility/json:
              schema:
                $ref: '#/elements/schemas/Error'
        '500':
          description: Inside server error
          content material:
            utility/json:
              schema:
                $ref: '#/elements/schemas/Error'
  /merchandise/{id}:
    get:
      abstract: Get a product
      safety:
        - OAuth2:
            - merchandise/learn
      description: Retrieves a particular product by its ID
      parameters:
        - identify: id
          in: path
          required: true
          description: The ID of the product to retrieve
          schema:
            kind: string
      responses:
        '200':
          description: Profitable response
          content material:
            utility/json:
              schema:
                $ref: '#/elements/schemas/Product'
        '404':
          description: Product not discovered
          content material:
            utility/json:
              schema:
                $ref: '#/elements/schemas/Error'
        '500':
          description: Inside server error
          content material:
            utility/json:
              schema:
                $ref: '#/elements/schemas/Error'
    put:
      abstract: Replace a product
      safety:
        - OAuth2:
            - merchandise/write
      description: Updates an current product
      parameters:
        - identify: id
          in: path
          required: true
          description: The ID of the product to replace
          schema:
            kind: string
      requestBody:
        required: true
        content material:
          utility/json:
            schema:
              $ref: '#/elements/schemas/Product'
      responses:
        '200':
          description: Profitable response
          content material:
            utility/json:
              schema:
                $ref: '#/elements/schemas/Product'
        '404':
          description: Product not discovered
          content material:
            utility/json:
              schema:
                $ref: '#/elements/schemas/Error'
        '500':
          description: Inside server error
          content material:
            utility/json:
              schema:
                $ref: '#/elements/schemas/Error'
    delete:
      abstract: Delete a product
      safety:
        - OAuth2:
            - merchandise/delete
      description: Deletes a particular product by its ID
      parameters:
        - identify: id
          in: path
          required: true
          description: The ID of the product to delete
          schema:
            kind: string
      responses:
        '204':
          description: Profitable response
        '404':
          description: Product not discovered
          content material:
            utility/json:
              schema:
                $ref: '#/elements/schemas/Error'
        '500':
          description: Inside server error
          content material:
            utility/json:
              schema:
                $ref: '#/elements/schemas/Error'
elements:
  securitySchemes:
    OAuth2:
      kind: oauth2
      flows:
        authorizationCode:
          authorizationUrl: <Cognito area>/oauth2/authorize
          tokenUrl: <Cognito area>/oauth2/token
          scopes:
            merchandise/learn: learn prodcut
            merchandise/write: write prodcut
            merchandise/delete: delete prodcut
  schemas:
    Product:
      kind: object
      required:
        - id
        - identify
        - description
      properties:
        id:
          kind: string
        identify:
          kind: string
        description:
          kind: string
    Error:
      kind: object
      properties:
        error:
          kind: string

7. Within the YAML file, change the URL worth with the worth of ProductAPIEndpoint from the CloudFormation stack outputs:

servers url: https://<<xxxx>>.execute-api.us-east-1.amazonaws.com/dev

8. Change the Amazon Cognito area URL with the area you created earlier:

authorizationCode:

authorizationUrl: https://xxxx.auth.us-east1.amazoncognito.com/oauth2/authorize

tokenUrl: https://xxxx.auth.us-east-1.amazoncognito.com/oauth2/token

The YAML file accommodates the schema (Open API 3.x) that Amazon Q Enterprise makes use of to resolve which API must be referred to as primarily based on the outline. For instance, line 16 within the following screenshot says Return an inventory all obtainable merchandise, which instructs Amazon Q Enterprise to name this API each time a consumer makes a request to listing all merchandise.

9. For authentication, choose Authentication required.
10. For AWS Secrets and techniques Supervisor secret, select Create and add new secret and enter the shopper ID and shopper secret you saved earlier, and enter the callback URL the identical approach as you probably did for the Amazon Cognito host UI (https://<>.chat.qbusiness.<<area>>.on.aws/oauth/callback).
11. For Select a way to authorize Amazon Q Enterprise, select Create and use a brand new service function.
12. Select Create plugin.

The final step is to allow the chat orchestration characteristic so Amazon Q Enterprise can choose the plugin robotically.

13. On the customized plugin particulars web page, select Admin controls and guardrails beneath Enhancements within the navigation pane.
14. Within the International controls part, select Edit.

15. Choose Permit Amazon Q Enterprise to robotically orchestrate chat queries throughout plugins and information sources, then select Save.

Configure API Gateway, Lambda, and DynamoDB assets

All the things associated to API Gateway, Lambda, and DynamoDB is already configured utilizing the CloudFormation template. Particulars can be found on the Outputs tab of the stack particulars web page. You may also overview the main points of the Lambda operate and DynamoDB desk on their respective service consoles. To learn the way the Lambda operate is uncovered as an API by means of API Gateway, overview the main points on the API Gateway console.

Chat with Amazon Q Enterprise

Now you’re prepared to talk with Amazon Q Enterprise.

1. On the Amazon Q Enterprise console, navigate to your utility.
2. Select the hyperlink for Deployed URL.
3. Authenticate utilizing IAM Identification Middle (that is to be sure you have entry to Amazon Q Enterprise Professional).

Now you can ask questions in pure language.

Within the following instance, we examine if Amazon Q Enterprise is ready to entry the info from the S3 bucket by asking “Record all of the merchandise and their description in a desk.”

After the product descriptions can be found, begin chatting and ask questions like Are you able to create product <product identify> with similar description please?. Alternatively, you possibly can create a brand new product that isn’t listed within the pattern doc uploaded in Amazon S3. Amazon Q Enterprise will robotically choose the correct plugin (on this case, Merchandise).

Subsequent requests for API calls to undergo the customized plugin will ask you to authorize your entry. Select Authorize and authenticate with the consumer credentials created in Amazon Cognito earlier. After you’re authenticated, Amazon Q Enterprise will cache the session token for subsequent API calls and full the request.

You may question on the merchandise which are obtainable within the backend by asking questions like the next:

• Are you able to please listing all of the merchandise?
• Delete a product by ID or by identify.
• Create a brand new product with the identify 'Gloves' and outline as 'Soccer gloves' with automated in-built cooling

Primarily based on the previous immediate, a product has been created within the merchandise desk in DynamoDB.

Value issues

The price of establishing this resolution is predicated on the value of the person AWS companies getting used. Costs of these companies can be found on the person service pages. The one obligatory price is the Amazon Q Enterprise Professional license. For extra info, see Amazon Q Business pricing.

Clear up

Full the next steps to wash up your assets:

1. Delete the CloudFormation stack. For directions, check with Deleting a stack on the AWS CloudFormation console.
2. Delete the Amazon Q Enterprise utility.
3. Delete the Amazon Cognito consumer pool area.
4. Empty and delete the S3 bucket. For directions, check with Deleting a general purpose bucket.

Conclusion

On this submit, we explored how Amazon Q Enterprise can seamlessly combine with enterprise methods utilizing a customized plugin to assist enterprises unlock the worth of their information. We walked you thru the method of establishing the customized plugin, together with configuring the mandatory Amazon Cognito and authentication mechanisms.

With this tradition plugin, organizations can empower their staff to work effectively, solutions shortly, speed up reporting, automate workflows, and improve collaboration. You may ask Amazon Q Enterprise pure language questions and watch because it surfaces essentially the most related info out of your firm’s backend system and act on requests.

Don’t miss out on the transformative energy of generative AI and Amazon Q Enterprise. Join right now and expertise the distinction that Amazon Q Enterprise could make in your group’s workflow automation and the effectivity it brings.

In regards to the Authors

Shubhankar Sumar is a Senior Options Architect at Amazon Internet Providers (AWS), working with enterprise software program and SaaS prospects throughout the UK to assist architect safe, scalable, environment friendly, and cost-effective methods. He’s an skilled software program engineer, having constructed many SaaS options powered by generative AI. Shubhankar focuses on constructing multi-tenant methods on the cloud. He additionally works intently with prospects to convey generative AI capabilities to their SaaS purposes.

Dr. Anil Giri is a Options Architect at Amazon Internet Providers. He works with enterprise software program and SaaS prospects to assist them construct generative AI purposes and implement serverless architectures on AWS. His focus is on guiding purchasers to create progressive, scalable options utilizing cutting-edge cloud applied sciences.

Ankur Agarwal is a Principal Enterprise Architect at Amazon Internet Providers Skilled Providers. Ankur works with enterprise purchasers to assist them get essentially the most out of their funding in cloud computing. He advises on utilizing cloud-based purposes, information, and AI applied sciences to ship most enterprise worth.