Set up GitLab Duo with Amazon Q
- Tier: Ultimate
- Add-on: GitLab Duo with Amazon Q
- Offering: GitLab Self-Managed
Version history
- Introduced as an experiment in GitLab 17.7 with a flag named amazon_q_integration. Disabled by default.
- Feature flag amazon_q_integrationremoved in GitLab 17.8.
- Generally available in GitLab 17.11.
GitLab Duo with Amazon Q cannot be combined with other GitLab Duo add-ons.
To get a subscription for GitLab Duo with Amazon Q, contact your Account Executive.
To request a trial, fill out this form.
To set up GitLab Duo with Amazon Q on GitLab Self-Managed, complete the following steps.
Set up GitLab Duo with Amazon Q
To set up GitLab Duo with Amazon Q, you must:
- Complete the prerequisites
- Create a profile in the Amazon Q Developer console
- Create an identity provider
- Create an IAM role
- Edit the role
- Enter the ARN in GitLab and enable Amazon Q
- Allow administrators to use customer managed keys
Prerequisites
- You must have GitLab Self-Managed:
- On GitLab 17.11 or later.
- Amazon Q uses the GitLab instance's REST APIs to read and write data when performing requested actions and must be able to access your HTTPS URL (the SSL certificate must not be self-signed).
- The instance must allow inbound network access from Amazon Q services that originate from the following IP addresses, by using TCP/TLS on
the port your instance is configured to use. This is port 443 by default.
- 34.228.181.128
- 44.219.176.187
- 54.226.244.221
 
- With an Ultimate subscription that is synchronized with GitLab, and the GitLab Duo with Amazon Q add-on.
 
Create a profile in the Amazon Q Developer console
Create an Amazon Q Developer profile.
- Open the Amazon Q Developer console.
- Select Amazon Q Developer in GitLab.
- Select Get Started.
- For Profile name, enter a unique profile name for your region. For example, QDevProfile-us-east-1.
- Optional. For Profile description - optional, enter a description.
- Select Create.
Create an IAM identity provider
Next, create an IAM identity provider.
First, you need the some values from GitLab:
Prerequisites:
- You must be an administrator.
- Sign in to GitLab.
- On the left sidebar, at the bottom, select Admin.
- Select Settings > General.
- Expand GitLab Duo with Amazon Q.
- Select View configuration setup.
- Under step 1, copy the provider URL and audience. You will need them in the next step.
Now, create an AWS identity provider:
- Sign in to the AWS IAM console.
- Select Access Management > Identity providers.
- Select Add provider.
- For Provider type, select OpenID Connect.
- For Provider URL, enter the value from GitLab.
- For Audience, enter the value from GitLab.
- Select Add provider.
Create an IAM role
Next, you must create an IAM role that trusts the IAM identity provider and can access Amazon Q.
After you set up the IAM role, you cannot change the AWS account that's associated with the role.
- 
In the AWS IAM console, select Access Management > Roles > Create role. 
- 
Select Web identity. 
- 
For Web identity, select the provider URL you entered earlier. 
- 
For Audience, select the audience value you entered earlier. 
- 
Select Next. 
- 
On the Add permissions page: - To use a managed policy, for Permissions policies, search for and
select GitLabDuoWithAmazonQPermissionsPolicy.
- To create an inline policy, skip Permissions policies by selecting Next. You will create a policy later.
 
- To use a managed policy, for Permissions policies, search for and
select 
- 
Select Next. 
- 
Name the role, for example QDeveloperAccess.
- 
Ensure the trust policy is correct. It should look like this: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity", "Principal": { "Federated": "arn:aws:iam::<AWS_Account_ID>:oidc-provider/auth.token.gitlab.com/cc/oidc/<Instance_ID>" }, "Condition": { "StringEquals": { "auth.token.gitlab.com/cc/oidc/<Instance_ID>:aud": "gitlab-cc-<Instance_ID>" }, } } ] }
- 
Select Create role. 
Create an inline policy (optional)
To create an inline policy, rather than using a managed policy:
- 
Select Permissions > Add permissions > Create inline policy. 
- 
Select JSON and paste the following in the editor: { "Version": "2012-10-17", "Statement": [ { "Sid": "GitLabDuoUsagePermissions", "Effect": "Allow", "Action": [ "q:SendEvent", "q:CreateAuthGrant", "q:UpdateAuthGrant", "q:GenerateCodeRecommendations", "q:SendMessage", "q:ListPlugins", "q:VerifyOAuthAppConnection" ], "Resource": "*" }, { "Sid": "GitLabDuoManagementPermissions", "Effect": "Allow", "Action": [ "q:CreateOAuthAppConnection", "q:DeleteOAuthAppConnection" ], "Resource": "*" }, { "Sid": "GitLabDuoPluginPermissions", "Effect": "Allow", "Action": [ "q:CreatePlugin", "q:DeletePlugin", "q:GetPlugin" ], "Resource": "arn:aws:qdeveloper:*:*:plugin/GitLabDuoWithAmazonQ/*" } ] }
- 
Select Actions > Optimize for readability to make AWS format and parse the JSON. 
- 
Select Next. 
- 
Name the policy gitlab-duo-amazon-q-policyand select Create policy.
Edit the role
Now edit the role:
- 
Find the role that you just created and select it. 
- 
Change the session time to 12 hours. The AssumeRoleWithWebIdentitywill fail in the AI Gateway if the session is not set to 12 hours or more.- In the Roles search field, enter the name of your IAM role and then choose the role name.
- In Summary, choose Edit to edit the session duration.
- Choose the Maximum session duration dropdown list, and then choose 12 hours.
- Choose Save changes.
 
- 
Copy the ARN listed on the page. It will look similar to this: arn:aws:iam::123456789:role/QDeveloperAccess
Enter the ARN in GitLab and enable Amazon Q
Now, enter the ARN into GitLab and determine which groups and projects can access the feature.
Prerequisites:
- You must be a GitLab administrator.
To finish setting up GitLab Duo with Amazon Q:
- 
Sign in to GitLab. 
- 
On the left sidebar, at the bottom, select Admin. 
- 
Select Settings > General. 
- 
Expand GitLab Duo with Amazon Q. 
- 
Select View configuration setup. 
- 
Under IAM role's ARN, paste the ARN. 
- 
To determine which groups and projects can use GitLab Duo with Amazon Q, choose an option: - To turn it on for the instance, but let groups and projects turn it off, select On by default.
- Optional. To configure Amazon Q to automatically review code in merge requests, select Have Amazon Q review code in merge requests automatically.
 
- To turn it off for the instance, but let groups and projects turn it on, select Off by default.
- To turn it off for the instance, and to prevent groups or projects from ever turning it on, select Always off.
 
- To turn it on for the instance, but let groups and projects turn it off, select On by default.
- 
Select Save changes. 
When you save, an API should contact the AI Gateway to create an OAuth application on Amazon Q.
To confirm that it was successful:
- In the Amazon CloudWatch console log, check for a 204status code. For more information, see What is Amazon CloudWatch?
- In GitLab, a notification that says Amazon Q settings have been savedis displayed.
- In GitLab, on the left sidebar, select Applications. The Amazon Q OAuth application is displayed.
Allow administrators to use customer managed keys
If you are an administrator, you can use AWS Key Management Service (AWS KMS) customer managed keys (CMKs) to encrypt customer data.
Update the role policy to grant permission to use CMKs when you create your key policy on a configured role in the KMS console.
The kms:ViaService condition key limits the use of a KMS key to requests from specified AWS services.
Additionally, it's used to deny permission to use a KMS key when the request comes from particular services.
With the condition key, you can limit who can use CMK for encrypting or decrypting content.
{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "Sid0",
         "Effect": "Allow",
         "Principal": {
            "AWS": "arn:aws:iam::<awsAccountId>:role/<rolename>"
         },
         "Action": [
            "kms:Decrypt",
            "kms:DescribeKey",
            "kms:Encrypt",
            "kms:GenerateDataKey",
            "kms:GenerateDataKeyWithoutPlaintext",
            "kms:ReEncryptFrom",
            "kms:ReEncryptTo"
         ],
         "Resource": "*",
         "Condition": {
            "StringEquals": {
                "kms:ViaService": [
                    "q.<region>.amazonaws.com"
                ]
            }
        }
      }
   ]
}For more information, see
kms:ViaService in the AWS KMS Developer Guide.
Turn off GitLab Duo with Amazon Q
You can turn off GitLab Duo with Amazon Q for the instance, group, or project.
Turn off for the instance
Prerequisites:
- You must be an administrator.
To turn off GitLab Duo with Amazon Q for the instance:
- Sign in to GitLab.
- On the left sidebar, at the bottom, select Admin.
- Select Settings > General.
- Expand GitLab Duo with Amazon Q.
- Select View configuration setup.
- Select Always off.
- Select Save changes.
Turn off for a group
Prerequisites:
- You must have the Owner role for a group.
To turn off GitLab Duo with Amazon Q for a group:
- On the left sidebar, select Search or go to and find your group.
- Select Settings > General.
- Expand Amazon Q.
- Choose an option:
- To turn it off for the group, but let other groups or projects turn it on, select Off by default.
- To turn if off for the group, and to prevent other groups or projects from turning it on, select Always off.
 
- Select Save changes.
Turn off for a project
Prerequisites:
- You must have the Owner role for a project.
To turn off GitLab Duo with Amazon Q for a project:
- On the left sidebar, select Search or go to and find your group.
- Select Settings > General.
- Expand Visibility, project features, permissions.
- Under Amazon Q, turn the toggle off.
- Select Save changes.
Troubleshooting
If you experience issues connecting GitLab to Amazon Q, ensure your GitLab installation meets all the prerequisites.
You might also encounter the following issue.
GitLab instance UUID mismatch
You might encounter a GitLab instance UUID mismatch error when disconnecting Amazon Q. This issue typically occurs when:
- The GitLab instance has been restored from a backup.
- The GitLab instance has been migrated to new infrastructure.
- The GitLab instance UUID has changed for any other reason.
To confirm that a mismatched UUID is the root cause, proceed with the following validation steps.
Validate
- 
Sign in to the EC2 instance where GitLab is hosted. 
- 
Access the Rails console. 
- 
Get the current UUID: Gitlab::CurrentSettings.current_application_settings.uuid
- 
Get the JWT token: token = CloudConnector::Tokens.get(unit_primitive: :agent_quick_actions, resource: :instance) JWT.decode(token, false, nil)
The issue is apparent when a mismatch in the UUID exists between the sub field in step 3 and the gitlab_instance_uuid from step 4.
To resolve this issue, complete the following steps.
- 
Remove all active licenses. 
- 
Delete all subscription add-on purchases: Open the Rails console and execute: GitlabSubscriptions::AddOnPurchase.all.destroy_all
- 
Execute instance UUID reset. In the Rails console, execute: ApplicationSetting.update!(uuid: SecureRandom.uuid)
- 
Apply the active license. 
- 
Wait a minute or so and synchronize the license. This action forces the cloud connector token to regenerate. (Without this step, a header mismatch occurs.) 
- 
Update the IdP and IAM role with the new UUID. 
- 
Choose a next step: - Continue using the existing setup by updating the existing IdP and IAM role with the new UUID and continue using GitLab Duo with Amazon Q.
- Off-board:
- Off-board from GitLab Duo with Amazon Q.
- Set up a new connection if desired.
 
 
When you are done, the UUID mismatch issue should be resolved and GitLab Duo with Amazon Q should function properly with the new configuration.