To set up the Amazon Connect integration with the default, recommended approach of creating a role instead of a user, please follow the instructions in https://help.maestroqa.com/en/articles/4063505-amazon-connect-integration.

This article details how to grant access to MaestroQA for the Amazon Connect integration by creating a new user and using AWS access keys.

Please note that each part of this article may require admin access to Amazon Connect, Amazon Kinesis, IAM, S3, and MaestroQA.

To begin, please follow along parts I and II of https://help.maestroqa.com/en/articles/4063505-amazon-connect-integration.


III. Set up IAM (user credentials only)

1. Go to https://console.aws.amazon.com/iam

2. Click "Users".

3. Click "Add user".

4. Enter a descriptive name (e.g. "MaestroQA-API-User").

5. Next to Access Type, check the box labeled "Programmatic Access".

6. Under permissions, select "Attach existing policies directly".

7. We'll now create the S3 policy for s3:GetObject and s3:ListBucket actions.

Click "Create policy", "JSON", and then paste the policy found here:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::YOUR_RECORDING_BUCKET_NAME_HERE",
"arn:aws:s3:::YOUR_BUCKET_NAME_HERE/YOUR_RECORDING_PREFIX_HERE/*",
"arn:aws:s3:::YOUR_CTR_BUCKET_NAME_HERE",
"arn:aws:s3:::YOUR_CTR_BUCKET_NAME_HERE/*"
]
}
]
}
  • Replace YOUR_RECORDING_BUCKET_NAME_HERE with the name of your S3 recordings bucket.

  • Replace YOUR_CTR_BUCKET_NAME_HERE with your S3 Contact Trace Record (CTR) bucket.

  • Replace YOUR_RECORDING_PREFIX_HERE with the S3 object prefix of the recording objects.

The "Resource" array should now include following, with arn:aws:s3::: at the beginning of each resource:

  • your S3 recordings bucket (no trailing /)

  • your S3 recordings location (including the S3 object prefix) followed by *

    • (uncommon) If there is no S3 object prefix, then this would be arn:aws:s3:::YOUR_BUCKET_NAME_HERE/*

  • your S3 Contact Trace Record (CTR) bucket (no trailing /)

  • your S3 Contact Trace Record (CTR) bucket followed by *

    • (uncommon) If these objects have an S3 object prefix, then this would be arn:aws:s3:::YOUR_CTR_BUCKET_NAME_HERE/YOUR_CTR_PREFIX_HERE/*

(uncommon) If you are using Amazon Connect Chat, also include the following in the "Resource" array:

  • your S3 chat transcripts bucket (no trailing /)

  • your S3 chat transcripts location followed by an asterisk (*)

As a complete example S3 policy:

https://drive.google.com/file/d/1jGFAWGT5iHfVKGIjPIkC33DqvXt74qDv/view

8. Now we'll repeat the process for the Amazon Connect policy for the connect:ListUsers and connect:DescribeUser actions. Again click "Create policy" and "JSON", pasting the following policy verbatim:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"connect:ListUsers",
"connect:DescribeUser"
],
"Resource": "*"
}
]
}

9. Add tags, if desired.

10. On the Review page, click "Create user".

11. On the next page, you will be shown the Access key ID and the Secret access key. Record both of these now, as it will not be possible to view the Secret access key again.


IV. Enter information into MaestroQA (user credentials only)

1. Go to https://app.maestroqa.com/settings/integrations

2. Click on "Amazon Connect".

3. Enter the Access key ID and Secret access key obtained on step 11 of part III.

4. Enter the Amazon Connect Instance ID. To find this, go to https://console.aws.amazon.com/connect, select the appropriate instance alias, and take the 36-character alphanumeric string at the end of the instance ARN after the /. See this for details: https://docs.aws.amazon.com/connect/latest/adminguide/find-instance-arn.html

5. Enter the Region Code (e.g. us-east-1, us-west-2). This can be found in the instance ARN from the previous step after arn:aws:connect: and before the next :.

6. Enter the Amazon Connect Contact Trace Record (CTR) S3 bucket name, which was set on step 11 of part II.

7. Enter CTR S3 prefix if it was specified on step 13 of part II. In most cases, this can be left blank.

8. Enter the Amazon Connect Call recording S3 bucket and location. You can find this by going to https://console.aws.amazon.com/connect, selecting the appropriate instance alias, and clicking on "Data storage".

9. (uncommon) If you are using Amazon Connect Chat, also enter the Amazon Connect Chat transcript S3 bucket (typically the same bucket) and location.

Did this answer your question?