Use Amazon Q to seek out solutions on Google Drive in an enterprise

Amazon Q Enterprise is a generative AI-powered assistant designed to boost enterprise operations. It’s a completely managed service that helps present correct solutions to customers’ questions whereas adhering to the safety and entry restrictions of the content material. You’ll be able to tailor Amazon Q Enterprise to your particular enterprise wants by connecting to your organization’s data and enterprise methods utilizing built-in connectors to quite a lot of enterprise information sources. It allows customers in varied roles, similar to advertising managers, challenge managers, and gross sales representatives, to have tailor-made conversations, resolve enterprise issues, generate content material, take motion, and extra, by means of an internet interface. This service goals to assist make staff work smarter, transfer sooner, and drive vital impression by offering speedy and related data to assist them with their duties.

One such enterprise information repository you should use to retailer and handle content material is Google Drive. Google Drive is a cloud-based storage service that gives a centralized location for storing digital belongings, together with paperwork, information articles, and spreadsheets. This service helps your groups collaborate successfully by enabling the sharing and group of essential information throughout the enterprise. To make use of Google Drive inside Amazon Q Enterprise, you may configure the Amazon Q Enterprise Google Drive connector. This connector permits Amazon Q Enterprise to securely index information saved in Google Drive utilizing entry management lists (ACLs). These ACLs guarantee that customers solely entry the paperwork they’re permitted to view, permitting them to ask questions and retrieve data related to their work immediately by means of Amazon Q Enterprise.

This publish covers the steps to configure the Amazon Q Enterprise Google Drive connector, together with authentication setup and verifying the safe indexing of your Google Drive content material.

Index Google Drive paperwork utilizing the Amazon Q Google Drive connector

The Amazon Q Google Drive connector can index Google Drive paperwork hosted in a Google Workspace account. The connector can’t index paperwork saved on Google Drive in a private Google Gmail account. Amazon Q Enterprise can authenticate along with your Google Workspace utilizing a service account or OAuth 2.0 authentication. A service account allows indexing information for consumer accounts throughout an enterprise in a Google Workspace. Utilizing OAuth 2.0 authentication permits for crawling and indexing information in a single Google Workspace account. This publish reveals you methods to configure Amazon Q Enterprise to authenticate utilizing a Google service account.

Google prescribes that with a purpose to index a number of customers’ paperwork, the crawler should help the aptitude to authenticate with a service account with domain-wide delegation. This enables the connector to index the paperwork of all customers in your drive and shared drives. Amazon Q Enterprise connectors solely crawl the paperwork that the Amazon Q Enterprise software administrator specifies should be crawled. Directors can specify the paths to crawl, particular file identify patterns, or varieties. Amazon Q Enterprise doesn’t use buyer information to coach any fashions. All buyer information is listed solely within the buyer account. Additionally, Amazon Q Enterprise Connectors will solely index content material specified by the administrator. It received’t index any content material by itself with out explicitly being configured to take action by the administrator of Amazon Q Enterprise.

You’ll be able to configure the Amazon Q Google Drive connector to crawl and index file varieties supported by Amazon Q Enterprise. Google Write paperwork are exported as Microsoft Phrase and Google Sheet paperwork are exported as Microsoft Excel through the crawling part.

Metadata

Each doc has structural attributes—or metadata—connected to it. Doc attributes can embrace data similar to doc title, doc creator, time created, time up to date, and doc kind.

If you join Amazon Q Enterprise to a knowledge supply, it mechanically maps particular information supply doc attributes to fields inside an Amazon Q Enterprise index. If a doc attribute in your information supply doesn’t have an attribute mapping already out there, or if you wish to map further doc attributes to index fields, you should use the customized discipline mappings to specify how an information supply attribute maps to an Amazon Q Enterprise index discipline. You’ll be able to create discipline mappings by modifying your information supply after your software and retriever are created.

There are 4 default metadata attributes listed for every Google Drive doc: authors, supply URL, creation date, and final replace date. You may as well choose further reserved information discipline mappings.

Amazon Q Enterprise crawls Google Drive ACLs outlined in a Google Workspace for doc safety. Google Workspace customers and teams are mapped to the _user_id and _group_ids fields related to the Amazon Q Enterprise software in AWS IAM Identification Middle. These consumer and group associations are continued within the consumer retailer related to the Amazon Q Enterprise index created for crawled Google Drive paperwork.

Overview of ACLs in Amazon Q Enterprise

Within the context of data administration and generative AI chatbot functions, an ACL performs a vital position in managing who can entry data and what actions they will carry out inside the system. In addition they facilitate information sharing inside particular teams or groups whereas proscribing entry to others.

On this resolution, we deploy an Amazon Q internet expertise to show that two enterprise customers can solely ask questions on paperwork they’ve entry to in accordance with the ACL. With the Amazon Q Enterprise Google Drive connector, the Google Workspace ACL might be ingested with paperwork. This allows Amazon Q Enterprise to manage the scope of paperwork that every consumer can entry within the Amazon Q internet expertise.

Authentication varieties

An Amazon Q Enterprise software requires you to make use of IAM Identification Middle to handle consumer entry. Though it’s really helpful to have an IAM Identification Middle occasion configured (with customers federated and teams added) earlier than you begin, you may as well select to create and configure an IAM Identification Middle occasion on your Amazon Q Enterprise software utilizing the Amazon Q console.

You may as well add customers to your IAM Identification Middle occasion from the Amazon Q Enterprise console, in the event you aren’t federating id. If you add a brand new consumer, guarantee that the consumer is enabled in your IAM Identification Middle occasion and that they’ve verified their e-mail ID. They should full these steps earlier than they will log in to your Amazon Q Enterprise internet expertise.

Your id supply in IAM Identification Middle defines the place your customers and teams are managed. After you configure your id supply, you may search for customers or teams to grant them single sign-on entry to AWS accounts, functions, or each.

You’ll be able to have just one id supply per group in AWS Organizations. You’ll be able to select one of many following as your id supply:

Overview of resolution

With Amazon Q Enterprise, you may configure a number of information sources to offer a central place to go looking throughout your doc repository. For our resolution, we show methods to index Google Drive information utilizing the Amazon Q Enterprise Google Drive connector. We full the next steps:

1. Configure Google Workspace conditions.
2. Configure an Amazon Q Enterprise software.
3. Join Google Drive to Amazon Q Enterprise.
4. Create customers and index the information within the Google Drive.
5. Run a pattern question to check the answer.

Configure Google Workspace conditions

For this resolution, Amazon Q will connect with a Google Workspace and crawl Google Drive paperwork owned by enterprise customers in numerous teams utilizing a service account. Full the next steps to configure your Google Workspace:

1. Log in to the Google API console as an admin consumer.
2. Select the dropdown menu subsequent to the search field, then select New Venture.
   
   
3. Enter the challenge identify, select the Google group, and select Create.
   

The Google Drive and Admin SDK APIs should be enabled for Amazon Q to crawl Google Drive information.

4. Seek for every API on the Google Cloud console and select Allow.
   
5. Seek for Service Accounts to entry the IAM & Admin navigation pane and select Create Service Account.
6. Enter the service account identify, service account ID, and outline, and select Finished.
7. Select the e-mail of the service account created within the earlier step.
8. On the Keys tab, select Add Key, then select Create New Key.
9. For Key kind, choose JSON, and select Create to obtain and regionally save a brand new personal key.

Now we allow domain-wide delegation for the 5 required API scopes on the Domain-wide Delegation web page.

10. Select Add new.
11. Add the next comma delimited API scopes for consumer ID generated for the personal key created within the earlier step:
    https://www.googleapis.com/auth/drive.readonly,
https://www.googleapis.com/auth/drive.metadata.readonly,
https://www.googleapis.com/auth/admin.listing.group.readonly,
https://www.googleapis.com/auth/admin.listing.consumer.readonly,
https://www.googleapis.com/auth/cloud-platform
12. Select Authorize.
    

Now we create customers and add them to teams.

13. Navigate to the Google Workspace Admin console and select Customers within the navigation pane.
14. Select Add new consumer to create two new enterprise customers.
    
15. Select Teams within the navigation pane.
16. Select Create group to create two Google teams and add one enterprise consumer to every group.
    
17. Add information that Amazon Q helps into every enterprise consumer’s Google Drive.

On this resolution, we add the Amazon 2020 annual report to the primary enterprise consumer’s Google Drive and add the Amazon 2021 annual report and Amazon 2022 annual report to the second enterprise consumer’s Google Drive.

The enterprise consumer that uploaded the Amazon 2021 annual report can even share it with the opposite enterprise consumer’s Google group.

18. Select the choices menu (three vertical dots) for the Google Drive file and select Share.
19. Enter the identify of the opposite Google group and select Ship.

Create an Amazon Q Enterprise software with a Google Drive connector

An Amazon Q Enterprise software must be created with a Google Drive connector to crawl and index Google Drive information. To create an Amazon Q software, full the next steps:

1. On the Amazon Q console, select Purposes within the navigation pane.
2. Select Create software.
3. For Utility identify, enter a reputation.
4. Depart software configuration settings as defaults.
5. Select Create.
   
6. After the appliance is created, select Information Sources.
7. Then select Choose retriever and Affirm to make use of a Native retriever and Enterprise provisioning.
   
8. After confirming retriever settings, select Add information supply, after which select the plus signal subsequent to Google Drive.
   
9. Underneath Identify and outline, enter an information supply identify and non-compulsory description.
10. Underneath Authentication, choose Google service account and select Create a brand new secret from the AWS Secrets and techniques Supervisor secret drop all the way down to create an AWS Secrets and techniques Supervisor secret.
    
11. Enter a secret identify, admin account e-mail, consumer e-mail, and the JSON key you downloaded earlier, then select Save.
    
12. Underneath IAM position, select Create a brand new service position.
13. Underneath Extra Configuration, select Consumer e-mail, and add the 2 lately created Google Workspace enterprise consumer e-mail addresses.
    
14. Underneath Sync run schedule, for Frequency, select Run on demand.
15. Select Add information supply.
    

Create and handle customers

To create an Amazon Q internet expertise accessible by Google Workspace customers, you want to create corresponding customers in IAM Identification Middle. Amazon Q functions are solely accessible by IAM Identification Middle customers with consumer identities that personal listed paperwork. To create the IAM Identification Middle customers, full the next steps:

1. On the IAM Identification Middle console, select Customers within the navigation pane.
2. Select Add consumer.
3. Create IAM Identification Middle customers that mirror your Google Workspace customers by coming into the required consumer data.
   
4. Settle for the IAM Identification Middle invitation despatched by means of e-mail to every new enterprise consumer and set every enterprise consumer’s IAM Identification Middle password.
5. On the Amazon Q Enterprise console, navigate to the appliance with the Google Drive information supply.
6. Select Handle consumer entry.
7. Select Add teams and customers, choose Assign current customers and teams, and select Subsequent.
   
8. Assign customers to the Amazon Q software, select Assign, and select Affirm if every enterprise consumer is subscribed to Q Enterprise Professional.
   

After you add IAM Identification Middle customers to your Amazon Q software, its internet expertise URL will seem within the Q Enterprise functions record. You need to use the URL to connect with the Amazon Q internet expertise with both of your Google enterprise customers. By default, every consumer can solely ask questions on paperwork of their Google Drive.

Run pattern queries in Amazon Q

To check the Amazon Q software with the Amazon annual stories you uploaded to Google Drive, full the next steps:

1. On the Amazon Q Enterprise console, navigate to the information supply you created.
2. Run an on-demand sync of the information supply by selecting Sync now.
   
3. Navigate to the internet expertise URL in a brand new personal browser window and log in as the primary enterprise consumer.
   
4. Ask Amazon Q a query, similar to what number of staff work at Amazon.

The supply paperwork needs to be the Amazon 2020 and 2021 annual stories, assuming the primary enterprise consumer uploaded the Amazon 2020 annual report and the second enterprise consumer shared the Amazon 2021 annual report with the primary enterprise consumer.

5. Navigate to the online expertise URL in a brand new personal browser window and log in because the second enterprise consumer.
6. Ask Amazon Q the identical query (what number of staff work at Amazon).

The supply paperwork needs to be the Amazon 2021 and 2022 annual stories.

Troubleshooting

On this part, we share some widespread points and troubleshooting suggestions.

IAM Identification Middle login error

You may obtain an error on the IAM Identification Middle login web page that claims “We couldn’t confirm your sign-in credentials.”

To troubleshoot, full the next steps:

1. Affirm that the enterprise customers that mirror the Google Workspace customers have been created in IAM Identification Middle.
2. If the customers exist, navigate to the consumer in IAM Identification Middle and select Reset password, then choose Generate a one-time password and share the password with the consumer.

A password might be supplied for login and the consumer might be requested to alter their password after a profitable login.

Google Drive information supply crawling or indexing failure

If the Google Drive information supply crawling or indexing fails, full the next steps:

1. Affirm the enterprise customers provisioned within the Google Workspace are members of the Google teams.
2. Examine the Amazon CloudWatch logs for the final time the Google Drive information supply was crawled for customers with Google Drive information within the Google Workspace.
3. If the crawler didn’t efficiently log the indexing of an anticipated consumer’s information, test the IAM Identification Middle customers, then examine the attributes within the Secrets and techniques Supervisor secret to the corresponding Google Workspace attributes, together with consumer ID, service account e-mail, and repair account personal key.
4. Use the Amazon Q Enterprise document-level sync stories to verify the supposed Google Drive paperwork have been listed by Amazon Q.

Google Drive information supply crawling and indexing job doesn’t crawl and index paperwork

If the Google Drive information supply crawling and indexing job doesn’t crawl and index any paperwork, full the next steps:

1. Affirm the enterprise customers provisioned within the Google Workspace are members of the Google teams.
2. Affirm there are IAM Identification Middle customers that mirror the Google Workspace customers.
3. Affirm each IAM Identification Middle customers subscribe to Q Enterprise Professional.
4. Affirm the Google Workspace admin consumer has enabled the Google Drive API.

Amazon Q internet expertise doesn’t return anticipated solutions from the anticipated supply

If the Amazon Q internet expertise doesn’t return anticipated solutions from the anticipated supply, full the next steps:

1. Add the anticipated supply doc into an Amazon Q Enterprise chat session by selecting the paperclip icon within the Amazon Q chat interface after which selecting the file.
   

After you add the doc into the session, if the anticipated solutions are generated from the anticipated doc, the doc wasn’t efficiently listed from the Google Drive information supply.

2. If Amazon Q doesn’t return the anticipated reply for the uploaded doc, modify the immediate used to ask the query.

Clear up

To forestall incurring further prices, it’s important to scrub up and take away any sources created through the implementation of this resolution. Particularly, you must delete the Amazon Q software, which can consequently take away the related index and information connectors. Nonetheless, any Secrets and techniques Supervisor secrets and techniques created through the Amazon Q software setup course of should be eliminated individually. Failing to scrub up these sources could end in ongoing fees, so it’s essential to take the mandatory steps to utterly take away all parts associated to this resolution.

Full the next steps to delete the Amazon Q software, secret, and IAM Identification Middle customers in your AWS account:

1. On the Amazon Q Enterprise console, select Purposes within the navigation pane.
2. Choose the appliance that you just created and on the Actions menu, select Delete and make sure the deletion.
3. On the Secrets and techniques Supervisor console, select Secrets and techniques within the navigation pane.
4. Choose the key that was created for the Google Drive connector and on the Actions menu, select Delete.
5. Specify the ready interval as 7 days and select Schedule deletion.
6. On the IAM Identification Middle console, select Customers within the navigation pane.
7. Choose the 2 customers that you just created and select Delete customers to take away these customers.

Moreover, you must take away the enterprise customers added to your Google Workspace through the implementation of this resolution as a result of Google Workspaces prices are billed on a per-user foundation.

Conclusion

On this publish, you created an Amazon Q software that listed Google Drive paperwork utilizing the Google Drive connector. You have been in a position to connect with the Amazon Q conversational interface as every of your online business customers and ask questions in regards to the paperwork every consumer might entry in accordance with the ACL.

You’ll be able to proceed to experiment by including extra PDF paperwork to your online business customers’ Google Drives and re-syncing your Amazon Q Google Drive information supply.

Amazon Q Enterprise affords different connectors, similar to for Confluence Cloud. To study extra in regards to the Amazon Q Enterprise Confluence Cloud connector, consult with Connecting Confluence (Cloud) to Amazon Q Enterprise.

---

In regards to the Authors

Glen Eire is a Senior Enterprise Account Engineer at AWS within the Worldwide Public Sector. Glen’s areas of focus embrace empowering clients eager about constructing generative AI options utilizing Amazon Q.

Julia Hu is a Specialist Options Architect who helps AWS clients and companions construct generative AI options utilizing Amazon Q Enterprise on AWS. Julia has over 4 years of expertise creating options for purchasers adopting AWS companies on the forefront of cloud know-how.