1 Answer
0
So what has helped with this is following: https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/idp-sso.html. Mainly, re-creating the role. The issue is now with KMS being denied by the assumed-role. Once that is figured out, I will post it here (unless others beat me to it). Even with IAM Policy permissions allowing decrypt, there seems to be a missing step.
answered a month ago
Well, that was a caching thing, apparently. I stepped away and that error is gone, now basically back to 403: User is not subscribed to the application. There are also a ton of CORS errors between oidc.<region>.amazonaws.com/authorize and the Q2 Web interface's URI.
There seems to be something odd with session policies and it prevents KMS decrypt. So... basically going in circles with this one.
I had to end up re-creating a new app and re-indexing all the documents. For whatever reason, some serious issues came up with both changing subscriptions and using your own KMS key vs the provided KMS key. With that being said, I do think there are still issues (and likely why Q Business is still in preview).