AWS amazonq medium security documentation change
Summary
Updated SDK code examples to use TrustedIdentityPropagationPlugin with web token provider and clarified ARN parameters
Security assessment
The change replaces direct credential handling with a token provider pattern, which improves security by abstracting sensitive credential management. The renamed plugin ('TrustedIdentityPropagation') indicates enhanced identity verification flows.
Diff
diff --git a/amazonq/latest/qbusiness-ug/making-sigv4-authenticated-api-calls.md b/amazonq/latest/qbusiness-ug/making-sigv4-authenticated-api-calls.md index f874a2a7c..47c1723c9 100644 --- a//amazonq/latest/qbusiness-ug/making-sigv4-authenticated-api-calls.md +++ b//amazonq/latest/qbusiness-ug/making-sigv4-authenticated-api-calls.md @@ -109 +109,9 @@ The following section outlines the steps to set up the Amazon Q Business control - "Resource": "your-identity-center-custom-application-arn" + "Resource": "your-identity-center-custom-application-arn", + "Condition": { + "ArnEquals": { + "aws:SourceArn": "arn:${ArnPartition}:${Service}:${Region}:${AppAccountId}:${Resource}" + }, + "StringEquals": { + "aws:SourceAccount": "${AppAccountId}" + } + } @@ -238,4 +246,4 @@ Use the Java or JavaScript SDK to create the plugin and make calls to Amazon Q B - TipPlugin tipPlugin = TipPlugin.builder() - .idToken(id token from Okta) - .ssoClientId(your custom IdC application arn) - .roleArn(your IAM role ARN) + TrustedIdentityPropagationPlugin tipPlugin = TrustedIdentityPropagationPlugin.builder() + .webTokenProvider(() -> id token from Okta) + .applicationArn(your custom IdC application arn) + .accessRoleArn(AccessRoleArn))