By Joseph de Clerck, Debadatta Mohapatra, and Ennio Pastore | on JUN 12, 2024 | in Advanced (300)
Amazon Q is a new generative AI-powered personal assistant that can be customized for your company and is meant for professional use. By leveraging the information and knowledge contained in your company’s enterprise systems and information repositories, Amazon Q can help you solve issues, create content, and take immediate, pertinent action in response to your most pressing queries. When you talk with Amazon Q, it offers quick, pertinent information and guidance to help you expedite decision-making, organize activities more efficiently, and encourage creativity and innovation at work.
This post covers how to create a custom user interface for Amazon Q Business. You can incorporate features such as feedback handling, your company's brand colors and templates, and a custom login flow behind a customized user interface. It also lets you interact with Amazon Q through an interface tailored to your use case.
Summary of the solution
To provide prompt, precise, and relevant responses to your business questions, we implement a customized web interface for Amazon Q on top of an enterprise knowledge base. The solution architecture is shown in the following diagram.
The following steps are part of the workflow:
The user accesses the chatbot application, which is hosted behind an application load balancer.
After starting the login, the user is redirected to the Amazon Cognito login page for authentication.
The OAuth-compatible identity provider (IdP) used in this solution is an Amazon Cognito user pool. This is required to exchange a token with AWS IAM Identity Center and then call the Amazon Q Business APIs. See Using Applications with a Trustworthy Token Issuer for details on trusted token issuers and the token exchange procedure. Instead of setting up an Amazon Cognito user pool, you can use an IdP that already supports OAuth.
Selecting local users in the user pool and reconciling them with IAM Identity Center can be error prone. By using a federated identity provider and creating a second custom (SAML) application in IAM Identity Center, you can simplify the onboarding of users from IAM Identity Center. See Integrating IAM Identity Center with an Amazon Cognito user pool and the related demo video for instructions.
The user interface application, deployed on an Amazon Elastic Compute Cloud (Amazon EC2) instance, authenticates the user with Amazon Cognito and retrieves an authentication token. The application then exchanges this Amazon Cognito identity token for an IAM Identity Center token, which grants it access to Amazon Q.
The user interface application assumes an AWS Identity and Access Management (IAM) role and obtains an AWS session token from the AWS Security Token Service (AWS STS). The IAM Identity Center token is attached to this session, allowing the application to call Amazon Q on behalf of the user. See How to build a user-facing data application with IAM Identity Center and S3 Access Grants (Part 1) and Part 2 for details on the token exchange flow between the IdP and IAM Identity Center.
The conversation is conducted through the Amazon Q chat_sync API.
The request uses the following required parameters:
applicationId: The unique identifier of the Amazon Q application associated with the Amazon Q conversation.
userMessage: A message sent by the end user in a conversation.
According to the Amazon Q documentation, Amazon Q returns the response as a JSON object. A few essential attributes of the response payload are as follows:
systemMessage: An AI-generated message in a conversation.
sourceAttributions: The source documents from which the conversation answer was generated. With Retrieval Augmented Generation (RAG), this always refers to one or more enterprise knowledge base documents indexed in Amazon Q.
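The token exchange and chat flow described in the steps above, as an added Python example that is not the post's own code. It assumes boto3 is installed and that the deployment supplies the IAM Identity Center application's client ID, the application IAM role ARN and the Amazon Q application ID; the API names and the context-provider ARN are the real AWS ones, while the helper names are constructed for illustration. Only the pure helpers (JWT claim extraction and response parsing) run offline.

```python
import base64
import json

# IAM Identity Center context provider that STS accepts in ProvidedContexts
IDC_CONTEXT_PROVIDER_ARN = "arn:aws:iam::aws:contextProvider/IdentityCenter"
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def jwt_payload(token):
    """Decode a JWT payload without verifying it; STS validates the assertion itself."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def provided_contexts(idc_token):
    """Build the ProvidedContexts argument for sts:AssumeRole from the Identity Center token."""
    context = jwt_payload(idc_token)["sts:identity_context"]
    return [{"ProviderArn": IDC_CONTEXT_PROVIDER_ARN, "ContextAssertion": context}]


def exchange_cognito_token(cognito_id_token, idc_client_id, region):
    """Trade the Cognito ID token for an IAM Identity Center token via the trusted token issuer."""
    import boto3  # imported lazily so the pure helpers work without AWS access
    oidc = boto3.client("sso-oidc", region_name=region)
    resp = oidc.create_token_with_iam(clientId=idc_client_id, grantType=JWT_BEARER_GRANT,
                                      assertion=cognito_id_token)
    return resp["idToken"]


def q_session(idc_token, role_arn, region):
    """Assume the application role with the user's identity context attached to the session."""
    import boto3
    sts = boto3.client("sts", region_name=region)
    creds = sts.assume_role(RoleArn=role_arn, RoleSessionName="custom-q-ui",
                            ProvidedContexts=provided_contexts(idc_token))["Credentials"]
    return boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                         aws_secret_access_key=creds["SecretAccessKey"],
                         aws_session_token=creds["SessionToken"], region_name=region)


def summarize(response):
    """Keep the fields the UI renders: the answer, ids for the next turn, and the sources."""
    return {"answer": response.get("systemMessage", ""),
            "conversation_id": response.get("conversationId"),
            "message_id": response.get("systemMessageId"),
            "sources": [(s.get("title"), s.get("url")) for s in response.get("sourceAttributions", [])]}


def ask(session, application_id, user_message, conversation_id=None, parent_message_id=None):
    """Send one turn to chat_sync; pass the previous turn's ids to continue a conversation."""
    kwargs = {"applicationId": application_id, "userMessage": user_message}
    if conversation_id:
        kwargs.update(conversationId=conversation_id, parentMessageId=parent_message_id)
    return summarize(session.client("qbusiness").chat_sync(**kwargs))
```

Because the role is assumed with the user's identity context, Amazon Q only returns documents that user is entitled to see, so the UI never needs to filter sourceAttributions itself.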
Prerequisites
You need the following to follow along with this walkthrough:
An existing AWS account.
A VPC where the solution will be deployed.
An IAM role in the account with enough permissions to create the required resources. If you have administrator access to the account, nothing else is needed.
An active Amazon Q application that is linked with IAM Identity Center. If you haven't created one yet, see Creating an Amazon Q Application.
The ability to create a customer-managed application in IAM Identity Center.
An SSL certificate created and imported into AWS Certificate Manager (ACM). See Importing a Certificate for details. If you don't already have one, refer to the instructions in the following section to create a private SSL certificate.
Create a private certificate
You can skip this step if you already have an SSL certificate.
If you launch the AWS CloudFormation stack without providing a custom SSL certificate, your browser will show a warning when you visit the user interface. This section describes how to generate a self-signed certificate. This is not recommended for production use cases: when launching the CloudFormation stack, you should import an SSL certificate issued by a certificate authority into ACM. For testing purposes, you can click through the browser warning page and continue using the self-signed certificate. In Chrome, the warning appears with the error message "Your connection is not private"