Arrange a customized plugin on Amazon Q Enterprise and authenticate with Amazon Cognito to work together with backend techniques

Companies are consistently evolving, and leaders are challenged on daily basis to fulfill new necessities and are looking for methods to optimize their operations and achieve a aggressive edge. One of many key challenges they face is managing the complexity of disparate enterprise techniques and workflows, which ends up in inefficiencies, information silos, and missed alternatives.

Generative AI can play an vital function in integrating these disparate techniques in a safe and seamless method, addressing these challenges in a cheap method. This integration permits for safe and environment friendly information change, motion triggering, and enhanced productiveness throughout the group. Amazon Q Enterprise performs an vital function in making this occur. Amazon Q Enterprise allows organizations to rapidly and effortlessly analyze their information, uncover insights, and make data-driven choices. With its intuitive interface and seamless integration with different AWS companies, Amazon Q Enterprise empowers companies of various sizes to remodel their information into actionable intelligence and drive innovation throughout their operations.

On this put up, we exhibit how you can construct a customized plugin with Amazon Q Enterprise for backend integration. This plugin can combine present techniques, together with third-party techniques, with little to no growth in simply weeks and automate crucial workflows. Moreover, we present how you can safeguard the answer utilizing Amazon Cognito and AWS IAM Id Middle, sustaining the protection and integrity of delicate information and workflows. Amazon Q Enterprise additionally presents utility surroundings guardrails or chat controls you could configure to manage the end-user chat expertise so as to add a further layer of security. Lastly, we present how you can expose your backend APIs by means of Amazon API Gateway, which is constructed on serverless AWS Lambda capabilities and Amazon DynamoDB.

Answer overview

Amazon Q Enterprise is a totally managed, generative AI-powered assistant that helps enterprises unlock the worth of their information and data. With Amazon Q Enterprise, you possibly can rapidly discover solutions to questions, generate summaries and content material, and full duties by utilizing the knowledge and experience saved throughout your organization’s varied information sources and enterprise techniques. On the core of this functionality are built-in information supply connectors and customized plugins that seamlessly combine and index content material from a number of repositories right into a unified index. This allows the Amazon Q Enterprise massive language mannequin (LLM) to offer correct, well-written solutions by drawing from the consolidated information and knowledge. The info supply connectors act as a bridge, synchronizing content material from disparate techniques like Salesforce, Jira, and SharePoint right into a centralized index that powers the pure language understanding and generative skills of Amazon Q Enterprise. Amazon Q Enterprise additionally supplies the aptitude to create customized plugins to combine together with your group’s backend system and third-party functions.

After you combine Amazon Q Enterprise together with your backend system utilizing a customized plugin, customers can ask questions from paperwork which might be uploaded in Amazon Easy Storage Service (Amazon S3). For this put up, we use a easy doc that accommodates product names, descriptions, and different associated data. Among the questions you possibly can ask Amazon Q Enterprise would possibly embrace the next:

• “Give me the title of the merchandise.”
• “Now listing all of the merchandise together with the outline in tabular format.”
• “Now create one of many merchandise .” (At this stage, Amazon Q Enterprise would require you to authenticate in opposition to Amazon Cognito to be sure you have the best permission to work on that utility.)
• “Listing all of the merchandise together with ID and worth in tabular format.”
• “Replace the value of product with ID .”

The next diagram illustrates the answer structure.

The workflow consists of the next steps:

1. The person asks a query utilizing the Amazon Q Enterprise chat interface.
2. Amazon Q Enterprise searches the listed doc in Amazon S3 for related data and presents it to the person.
3. The person can use the plugin to carry out actions (API calls) within the system uncovered to Amazon Q Enterprise utilizing Open API 3.x requirements.
4. As a result of the API is secured with Amazon Cognito, Amazon Q Enterprise requires the person to authenticate in opposition to the person credentials accessible in Amazon Cognito.
5. On profitable authentication, API Gateway forwards the request to Lambda.
6. The API response is returned to the person by means of the Amazon Q Enterprise chat interface.

Conditions

Earlier than you start the walkthrough, you should have an AWS account. In the event you don’t have one, join one. Moreover, you should have entry to the next companies:

• Amazon API Gateway
• AWS CloudFormation
• Amazon Cognito
• Amazon DynamoDB
• AWS IAM Id Middle
• AWS Lambda
• Amazon Q Enterprise Professional (It will have a further month-to-month value)
• Amazon S3

Launch the CloudFormation template

Launch the next CloudFormation template to arrange Amazon Cognito, API Gateway, DynamoDB, and Lambda sources.

After you deploy the stack, navigate to the Outputs tab for the stack on the AWS CloudFormation console and notice the useful resource particulars. We use these values later on this put up.

In the event you’re working the CloudFormation template a number of instances, be sure to decide on a novel title for the stack every time.

Create an Amazon Q Enterprise utility

Full the next steps to create an Amazon Q Enterprise utility:

1. On the Amazon Q Enterprise console, select Functions within the navigation pane.
2. Select Create utility.

3. Present an utility title (for instance, product-mgmt-app).
4. Go away the opposite settings as default and select Create.

The applying shall be created in a number of seconds.

5. On the appliance particulars web page, select Information supply.
6. Select Add an index.
7. For Index title, enter a reputation for the index.
8. For Index provisioning, choose Enterprise or Starter.
9. For Variety of models, depart because the default 1.
10. Select Add an index.

11. On the Information supply web page, select Add a knowledge supply.
12. Select Amazon S3 as your information supply and enter a novel title.
13. Enter the info supply location as the worth of BucketName from the CloudFormation stack outputs within the format s3://.

In a later step, we add a file to this S3 bucket.

14. For IAM function¸ select Create a brand new service function (really useful).
15. For Sync scope, choose Full sync.
16. For Frequency, choose Run on demand.
17. Select Add information supply.
18. On the appliance particulars web page, select Handle person entry.
19. Select Add teams and customers.
20. You need to use present customers or teams in IAM Id Middle or create new customers and teams, then select Affirm.

Solely these teams and customers have entry to the Amazon Q Enterprise utility for his or her subscriptions.

21. Pay attention to deployed URL of the appliance to make use of in a later step.
22. On the Amazon S3 console, find the S3 bucket you famous earlier and add the pattern doc.
23. On the Amazon Q Enterprise console, navigate to the appliance particulars web page and sync the Amazon S3 information supply.

Configure Amazon Cognito

Full the next steps to arrange Amazon Cognito:

1. On the Amazon Cognito console, navigate to the person pool created utilizing the CloudFormation template (ending with-ProductUserPool).
2. Beneath Branding within the navigation pane, select Area.
3. On the Actions menu, select Create Cognito area.

We didn’t create a website once we created the person pool utilizing the CloudFormation template.

4. For Cognito area, enter a website prefix.
5. For Model, choose Hosted UI.
6. Select Create Cognito area.

7. Beneath Functions within the navigation pane, select App purchasers.
8. Select your app shopper.

9. On the app shopper element web page, select Login pages after which select Edit the managed login pages configuration.
10. For URL, enter the deployed URL you famous earlier, adopted by /oauth/callback. For instance, https://xxxxx.chat.qbusiness.us-east-1.on.aws/oauth/callback.
11. Specify your id supplier, OAuth 2.0 grant kind, OpenID Join scopes, and customized scopes.

Customized scopes are outlined as a part of the API configuration in API Gateway. It will assist Amazon Q Enterprise decide what motion a person is allowed to take. On this case, we’re permitting the person to learn, write, and delete. Nonetheless, you possibly can change this based mostly on what you need your customers to do utilizing the Amazon Q Enterprise chat.

12. Select Save adjustments.

13. Pay attention to the Shopper ID and Shopper secret values within the App shopper data part to make use of in a later step.

Amazon Cognito doesn’t assist altering the shopper secret after you may have created the app shopper; a brand new app shopper is required if you wish to change the shopper secret.

Lastly, you need to add at the very least one person to the Amazon Cognito person pool.

14. Select Customers beneath Consumer administration within the navigation pane and select Create person.
15. Create a person so as to add to your Amazon Cognito person pool.

We are going to use this person to authenticate earlier than we are able to chat and ask inquiries to the backend system utilizing Amazon Q Enterprise.

Create an Amazon Q Enterprise customized plugin

Full the next steps to create your customized plugin:

1. On the Amazon Q Enterprise console, navigate to the appliance you created.
2. Beneath Actions within the navigation pane, select Plugins
3. Select Add plugin.

4. Choose Create customized plugin.
5. Present a plugin title (for instance, Merchandise).
6. Beneath API schema supply, choose Outline with in-line OpenAPI schema editor and enter the next code:

openapi: 3.0.0
information:
  title: CRUD API
  model: 1.0.0
  description: API for performing CRUD operations
servers:
  - url: put api gateway endpoint url right here, copy it from cloudformation output
    
paths:
  /merchandise:
    get:
      abstract: Listing all merchandise
      safety:
        - OAuth2:
            - merchandise/learn
      description: Returns a listing of all accessible merchandise
      responses:
        '200':
          description: Profitable response
          content material:
            utility/json:
              schema:
                kind: array
                gadgets:
                  $ref: '#/parts/schemas/Product'
        '500':
          description: Inner server error
          content material:
            utility/json:
              schema:
                $ref: '#/parts/schemas/Error'
    put up:
      abstract: Create a brand new product
      safety:
        - OAuth2:
            - merchandise/write
      description: Creates a brand new product
      requestBody:
        required: true
        content material:
          utility/json:
            schema:
              $ref: '#/parts/schemas/Product'
      responses:
        '201':
          description: Created
          content material:
            utility/json:
              schema:
                $ref: '#/parts/schemas/Product'
        '400':
          description: Dangerous Request
          content material:
            utility/json:
              schema:
                $ref: '#/parts/schemas/Error'
        '500':
          description: Inner server error
          content material:
            utility/json:
              schema:
                $ref: '#/parts/schemas/Error'
  /merchandise/{id}:
    get:
      abstract: Get a product
      safety:
        - OAuth2:
            - merchandise/learn
      description: Retrieves a particular product by its ID
      parameters:
        - title: id
          in: path
          required: true
          description: The ID of the product to retrieve
          schema:
            kind: string
      responses:
        '200':
          description: Profitable response
          content material:
            utility/json:
              schema:
                $ref: '#/parts/schemas/Product'
        '404':
          description: Product not discovered
          content material:
            utility/json:
              schema:
                $ref: '#/parts/schemas/Error'
        '500':
          description: Inner server error
          content material:
            utility/json:
              schema:
                $ref: '#/parts/schemas/Error'
    put:
      abstract: Replace a product
      safety:
        - OAuth2:
            - merchandise/write
      description: Updates an present product
      parameters:
        - title: id
          in: path
          required: true
          description: The ID of the product to replace
          schema:
            kind: string
      requestBody:
        required: true
        content material:
          utility/json:
            schema:
              $ref: '#/parts/schemas/Product'
      responses:
        '200':
          description: Profitable response
          content material:
            utility/json:
              schema:
                $ref: '#/parts/schemas/Product'
        '404':
          description: Product not discovered
          content material:
            utility/json:
              schema:
                $ref: '#/parts/schemas/Error'
        '500':
          description: Inner server error
          content material:
            utility/json:
              schema:
                $ref: '#/parts/schemas/Error'
    delete:
      abstract: Delete a product
      safety:
        - OAuth2:
            - merchandise/delete
      description: Deletes a particular product by its ID
      parameters:
        - title: id
          in: path
          required: true
          description: The ID of the product to delete
          schema:
            kind: string
      responses:
        '204':
          description: Profitable response
        '404':
          description: Product not discovered
          content material:
            utility/json:
              schema:
                $ref: '#/parts/schemas/Error'
        '500':
          description: Inner server error
          content material:
            utility/json:
              schema:
                $ref: '#/parts/schemas/Error'
parts:
  securitySchemes:
    OAuth2:
      kind: oauth2
      flows:
        authorizationCode:
          authorizationUrl: /oauth2/authorize
          tokenUrl: /oauth2/token
          scopes:
            merchandise/learn: learn prodcut
            merchandise/write: write prodcut
            merchandise/delete: delete prodcut
  schemas:
    Product:
      kind: object
      required:
        - id
        - title
        - description
      properties:
        id:
          kind: string
        title:
          kind: string
        description:
          kind: string
    Error:
      kind: object
      properties:
        error:
          kind: string

7. Within the YAML file, substitute the URL worth with the worth of ProductAPIEndpoint from the CloudFormation stack outputs:

servers url: https://<>.execute-api.us-east-1.amazonaws.com/dev

8. Change the Amazon Cognito area URL with the area you created earlier:

authorizationCode:

authorizationUrl: https://xxxx.auth.us-east1.amazoncognito.com/oauth2/authorize

tokenUrl: https://xxxx.auth.us-east-1.amazoncognito.com/oauth2/token

The YAML file accommodates the schema (Open API 3.x) that Amazon Q Enterprise makes use of to determine which API must be known as based mostly on the outline. For instance, line 16 within the following screenshot says Return a listing all accessible merchandise, which instructs Amazon Q Enterprise to name this API each time a person makes a request to listing all merchandise.

9. For authentication, choose Authentication required.
10. For AWS Secrets and techniques Supervisor secret, select Create and add new secret and enter the shopper ID and shopper secret you saved earlier, and enter the callback URL the identical method as you probably did for the Amazon Cognito host UI (https://<>.chat.qbusiness.<>.on.aws/oauth/callback).
11. For Select a technique to authorize Amazon Q Enterprise, select Create and use a brand new service function.
12. Select Create plugin.

The final step is to allow the chat orchestration function so Amazon Q Enterprise can choose the plugin robotically.

13. On the customized plugin particulars web page, select Admin controls and guardrails beneath Enhancements within the navigation pane.
14. Within the International controls part, select Edit.

15. Choose Enable Amazon Q Enterprise to robotically orchestrate chat queries throughout plugins and information sources, then select Save.

Configure API Gateway, Lambda, and DynamoDB sources

The whole lot associated to API Gateway, Lambda, and DynamoDB is already configured utilizing the CloudFormation template. Particulars can be found on the Outputs tab of the stack particulars web page. You can too assessment the main points of the Lambda operate and DynamoDB desk on their respective service consoles. To learn the way the Lambda operate is uncovered as an API by means of API Gateway, assessment the main points on the API Gateway console.

Chat with Amazon Q Enterprise

Now you’re prepared to talk with Amazon Q Enterprise.

1. On the Amazon Q Enterprise console, navigate to your utility.
2. Select the hyperlink for Deployed URL.
3. Authenticate utilizing IAM Id Middle (that is to be sure you have entry to Amazon Q Enterprise Professional).

Now you can ask questions in pure language.

Within the following instance, we test if Amazon Q Enterprise is ready to entry the info from the S3 bucket by asking “Listing all of the merchandise and their description in a desk.”

After the product descriptions can be found, begin chatting and ask questions like Are you able to create product with similar description please?. Alternatively, you possibly can create a brand new product that isn’t listed within the pattern doc uploaded in Amazon S3. Amazon Q Enterprise will robotically choose the best plugin (on this case, Merchandise).

Subsequent requests for API calls to undergo the customized plugin will ask you to authorize your entry. Select Authorize and authenticate with the person credentials created in Amazon Cognito earlier. After you’re authenticated, Amazon Q Enterprise will cache the session token for subsequent API calls and full the request.

You possibly can question on the merchandise which might be accessible within the backend by asking questions like the next:

• Are you able to please listing all of the merchandise?
• Delete a product by ID or by title.
• Create a brand new product with the title 'Gloves' and outline as 'Soccer gloves' with automated in-built cooling

Primarily based on the previous immediate, a product has been created within the merchandise desk in DynamoDB.

Price issues

The price of organising this answer relies on the value of the person AWS companies getting used. Costs of these companies can be found on the person service pages. The one necessary value is the Amazon Q Enterprise Professional license. For extra data, see Amazon Q Enterprise pricing.

Clear up

Full the next steps to wash up your sources:

1. Delete the CloudFormation stack. For directions, confer with Deleting a stack on the AWS CloudFormation console.
2. Delete the Amazon Q Enterprise utility.
3. Delete the Amazon Cognito person pool area.
4. Empty and delete the S3 bucket. For directions, confer with Deleting a normal function bucket.

Conclusion

On this put up, we explored how Amazon Q Enterprise can seamlessly combine with enterprise techniques utilizing a customized plugin to assist enterprises unlock the worth of their information. We walked you thru the method of organising the customized plugin, together with configuring the required Amazon Cognito and authentication mechanisms.

With this practice plugin, organizations can empower their staff to work effectively, solutions rapidly, speed up reporting, automate workflows, and improve collaboration. You possibly can ask Amazon Q Enterprise pure language questions and watch because it surfaces essentially the most related data out of your firm’s backend system and act on requests.

Don’t miss out on the transformative energy of generative AI and Amazon Q Enterprise. Join as we speak and expertise the distinction that Amazon Q Enterprise could make on your group’s workflow automation and the effectivity it brings.

In regards to the Authors

Shubhankar Sumar is a Senior Options Architect at Amazon Internet Providers (AWS), working with enterprise software program and SaaS clients throughout the UK to assist architect safe, scalable, environment friendly, and cost-effective techniques. He’s an skilled software program engineer, having constructed many SaaS options powered by generative AI. Shubhankar focuses on constructing multi-tenant techniques on the cloud. He additionally works intently with clients to deliver generative AI capabilities to their SaaS functions.

Dr. Anil Giri is a Options Architect at Amazon Internet Providers. He works with enterprise software program and SaaS clients to assist them construct generative AI functions and implement serverless architectures on AWS. His focus is on guiding purchasers to create modern, scalable options utilizing cutting-edge cloud applied sciences.

Ankur Agarwal is a Principal Enterprise Architect at Amazon Internet Providers Skilled Providers. Ankur works with enterprise purchasers to assist them get essentially the most out of their funding in cloud computing. He advises on utilizing cloud-based functions, information, and AI applied sciences to ship most enterprise worth.