AWS amazonq documentation change
Summary
Updated documentation for GitLab Duo with Amazon Q integration, including OIDC/IAM role setup details, policy examples, prerequisite updates, and enhanced feature descriptions
Security assessment
Added IAM trust/inline policy examples and OIDC configuration guidance improves security documentation but doesn't address a specific vulnerability. Mentions of kms:ViaService and encryption controls reinforce security best practices.
Diff
diff --git a/amazonq/latest/qdeveloper-ug/gitlab-concepts.md b/amazonq/latest/qdeveloper-ug/gitlab-concepts.md index b8a51d259..cf16bc8ff 100644 --- a//amazonq/latest/qdeveloper-ug/gitlab-concepts.md +++ b//amazonq/latest/qdeveloper-ug/gitlab-concepts.md @@ -5 +5 @@ -Configuring GitLab Duo with Amazon QGitLab quick actions +Configuring GitLab Duo with Amazon QOnboarding with AWS OpenID Connect (OIDC) and IAM role creationGitLab quick actions @@ -15,2 +14,0 @@ Here are some concepts and terms to know when using [GitLab Duo with Amazon Q](h -GitLab Duo with Amazon Q preview is available in the `gitlab-duo-with-amazon-q-preview` branch of the public [GitLab repository](https://gitlab.com/gitlab-org/gitlab/-/tree/gitlab-duo-with-amazon-q-preview?ref_type=heads). To learn more about GitLab's canonical source and collaborating on code, see the [GitLab README](https://gitlab.com/gitlab-org/gitlab/-/blob/gitlab-duo-with-amazon-q-preview/README.md). - @@ -20,0 +19,2 @@ GitLab Duo with Amazon Q preview is available in the `gitlab-duo-with-amazon-q-p + * Onboarding with AWS OpenID Connect (OIDC) and IAM role creation + @@ -30,3 +30 @@ Before you can use Amazon Q artificial intelligence (AI) capabilities in GitLab, - * Have a [self-managed instance](https://docs.gitlab.com/ee/subscriptions/self_managed/) with [GitLab 17.7](https://docs.gitlab.com/ee/update/versions/gitlab_17_changes.html#1770). - - * Have a [GitLab Ultimate subscription](https://about.gitlab.com/pricing/ultimate/) (no trial access). + * Have a [self-managed instance](https://docs.gitlab.com/ee/subscriptions/self_managed/) with [GitLab 17.18](https://docs.gitlab.com/update/versions/gitlab_17_changes/#1780) or later. @@ -34 +32 @@ Before you can use Amazon Q artificial intelligence (AI) capabilities in GitLab, - * Enable the `amazon_q_integration` feature flag, which is disabled by default as GitLab Duo with Amazon Q is introduced as beta in GitLab 17.7. The feature flag must be enabled to use GitLab Duo with Amazon Q. For more information, see [Enable and disable GitLab features deployed behind feature flags](https://docs.gitlab.com/ee/administration/feature_flags.html). + * Have a [GitLab Ultimate subscription with Amazon Q subscription](https://about.gitlab.com/pricing/ultimate/) (no trial access). @@ -38,8 +36,80 @@ Before you can use Amazon Q artificial intelligence (AI) capabilities in GitLab, - * Create an [IAM identity provider](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html) for GitLab. - - * Create an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) that trusts the IAM identity provider is able to access Amazon Q in GitLab. - - - - -To learn how to create the required resources and set up GitLab Duo with Amazon Q, see [Set up GitLab Duo with Amazon Q](https://docs.gitlab.com/ee/user/duo_amazon_q/setup.html). + * Create an [IAM identity provider](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html) for GitLab. For more information, see [Create an IAM identity provider](https://docs.gitlab.com/user/duo_amazon_q/setup/#create-an-iam-identity-provider) in the _GitLab documentation_. + + * Create an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) that trusts the IAM identity provider is able to access Amazon Q in GitLab, which requires the use of specific permissions. For more information, see [Create an IAM role](https://docs.gitlab.com/user/duo_amazon_q/setup/#create-an-iam-role) in the _GitLab documentation_. + + + + +## Onboarding with AWS OpenID Connect (OIDC) and IAM role creation + +As part of the GitLab Duo onboarding process, you need to create an Amazon Q Developer profile through the [Amazon Q Developer console](https://console.aws.amazon.com/amazonq/developer/home). The profile allows you to create customization and control settings for all or a subset of users in your identity provider. Once the profile Amazon Q Developer profile is created, either add a GitLab OpenID Connect (OIDC) identity provider or use a current GitLab OIDC provider. The OIDC identity provider, as well as an IAM service role, is required to establish trust between GitLab Duo and your AWS account. To learn how to create the required resources and set up GitLab Duo with Amazon Q, see [Set up GitLab Duo with Amazon Q](https://docs.gitlab.com/ee/user/duo_amazon_q/setup.html) in the _GitLab documentation_. + +When the new IAM role is created, the required trust policy with the necessary permissions is also created. A role trust policy is a required [resource-based policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_resource-based) that is attached to a role in IAM. + +You need to create an inline policy, which grants permission to connect with Amazon Q and utilize the features in the GitLab Duo with Amazon Q integration. The policy is added to the IAM role created from the Amazon Q Developer console to access Amazon Q. For more information, see [Managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html) and [Policies and permissions in AWS Identity and Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the _IAM User Guide_. + +Optionally, you can also use customer managed keys (CMK) to encrypt your resources if you want full control over the lifecycle and usage of your key. The `kms:ViaService` condition key to limit who can use CMK for encrypting and decrypting content. For more information, see [Manage access to Amazon Q Developer for third-party integration](./security_iam_manage-access-with-kms-policies.html). + +**Trust policy** + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "sts:AssumeRoleWithWebIdentity", + "Principal": { + "Federated": "arn:aws:iam::{{AWS_Account_ID}}:oidc-provider/auth.token.gitlab.com/cc/oidc/{{Instance_ID}}" + }, + "Condition": { + "StringEquals": { + "auth.token.gitlab.com/cc/oidc/{{Instance_ID}}": "gitlab-cc-{{Instance_ID}}" + }, + + } + } + ] + } + +**Inline policy** + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "GitLabDuoUsagePermissions", + "Effect": "Allow", + "Action": [ + "q:SendEvent", + "q:CreateAuthGrant", + "q:UpdateAuthGrant", + "q:GenerateCodeRecommendations", + "q:SendMessage", + "q:ListPlugins", + "q:VerifyOAuthAppConnection" + ], + "Resource": "*" + }, + { + "Sid": "GitLabDuoManagementPermissions", + "Effect": "Allow", + "Action": [ + "q:CreateOAuthAppConnection", + "q:DeleteOAuthAppConnection" + ], + "Resource": "*" + }, + { + "Sid": "GitLabDuoPluginPermissions", + "Effect": "Allow", + "Action": [ + "q:CreatePlugin", + "q:DeletePlugin", + "q:GetPlugin" + ], + "Resource": "arn:aws:qdeveloper:*:*:plugin/GitLabDuoWithAmazonQ/*" + } + ] + } @@ -53 +123 @@ When invoked, quick actions perform tasks for you in GitLab issues and merge req - * `/q dev` – Allows you to go from a high-level idea captured in a GitLab issue to having Amazon Q generate a ready-to-review merge request with the proposed code implementation. This helps streamline the process of turning concepts into working code. The merge request is created in a new branch and Amazon Q assigns the issue creator as a merge request reviewer. For more information, see [Turn an idea into a merge request](https://docs.gitlab.com/ee/user/duo_amazon_q/#turn-an-idea-into-a-merge-request). + * `/q dev` – Allows you to go from a high-level idea captured in a GitLab issue to having Amazon Q generate a ready-to-review merge request with the proposed code implementation. This helps streamline the process of turning concepts into working code. The merge request is created in a new branch and Amazon Q assigns the issue creator as a merge request reviewer. You're also provided a merge request summary. For more information, see [Turn an idea into a merge request](https://docs.gitlab.com/ee/user/duo_amazon_q/#turn-an-idea-into-a-merge-request). @@ -55 +125 @@ When invoked, quick actions perform tasks for you in GitLab issues and merge req - * `/q dev` (revise) – Allows you to iterate on the proposed code implementation provided by Amazon Q. Amazon Q reviews your feedback and makes updates to the code that was originally generated. You can then review and merge the suggestions to your code. For more information, see [Make code changes based on feedback](https://docs.gitlab.com/ee/user/duo_amazon_q/#make-code-changes-based-on-feedback). + * `/q dev` (revise) – Allows you to iterate on the proposed code implementation provided by Amazon Q rather than starting again from an issue. Amazon Q reviews your feedback and makes updates to the code that was originally generated. You’re also provided with commit messages for each change being made. The description following each iteration is updated and a comment describing the feedback is incorporated into the iteration. You can then review and merge the suggestions to your code. For more information, see [Make code changes based on feedback](https://docs.gitlab.com/ee/user/duo_amazon_q/#make-code-changes-based-on-feedback). @@ -73 +143 @@ The source version of a Maven project needs to be identified before you can tran - * `/q test` – Allows you to generate new unit tests in merge requests, including for findings during reviews performed by Amazon Q, surface missing unit test coverage for selected code. Amazon Q comments with unit test suggestions that can be added to your test file. For more information, see [Create test coverage](https://docs.gitlab.com/ee/user/duo_amazon_q/#create-test-coverage). + * `/q test` – Allows you to generate unit tests for new added lines of source code in your merge request. Amazon Q comments with unit test suggestions that can be added to your test file. You can apply the generated tests at once or review each test individually before applying. If a test file isn’t found in the merge request, Amazon Q provides the unit tests that you can manually add to a test file. For more information, see [Create test coverage](https://docs.gitlab.com/ee/user/duo_amazon_q/#create-test-coverage). @@ -80 +150,6 @@ The source version of a Maven project needs to be identified before you can tran - * `/q review` – Allows you to initiate a merge request review in GitLab Duo with Amazon Q. Amazon Q iterates on in-line feedback you provide and gives you code analysis with comments, with each comment providing a separate finding. For more information, see [Review a merge request](https://docs.gitlab.com/ee/user/duo_amazon_q/#review-a-merge-request). + * `/q review` – Allows you to initiate a merge request review in GitLab Duo with Amazon Q. An automatic code review is initiated for new merge requests. As a GitLab administrator, you can also configure Amazon Q to turn off automatic reviews. Automated code reviews identify and fix potential issues as Amazon Q generates and suggests code fixes to your merge request. Additionally, automated code reviews provide quality checks, analyzing for quality issues, logical errors, anti-patterns, code duplication, and more. Amazon Q iterates on in-line feedback you provide and gives you code analysis with comments, with each comment providing a separate finding. After committing Amazon Q feedback, the merge request description is updated. This quick action is available for all languages. You can configure code review to run automatically on every new merge request within your GitLab instance or group. For more information, see [Review a merge request](https://docs.gitlab.com/ee/user/duo_amazon_q/#review-a-merge-request). + + + + +**Chat session in web UI and IDEs** @@ -82 +157 @@ The source version of a Maven project needs to be identified before you can tran - * `/q fix` – Allows you to remediate problems or deficiencies that Amazon Q detects during the merge request review process. Amazon Q addresses the code quality findings that are commented in-line as it automatically suggests code to remediate the problems or deficiencies. For more information, see [Apply code changes based on feedback](https://docs.gitlab.com/ee/user/duo_amazon_q/#apply-code-changes-based-on-feedback). + * GitLab Duo Chat and Code Suggestions works with Amazon Q to provide support for CI/CD configuration, error explanations, and addressing questions. You can use slash commands in a chat session to invoke the GitLab Duo with Amazon Q chat capabilities. For more information, see [Ask GitLab Duo Chat](https://docs.gitlab.com/user/gitlab_duo_chat/examples/). @@ -93 +168 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -GitLab Duo (preview) +GitLab Duo